Package: ca-certificates
Version: 20250419
Severity: normal
Control: affects -1 dirmngr

Ahoy,
I was digging into an unrelated issue in GnuPG and noticed this has been 
showing up in logs:
dirmngr[312195]: enabled debug flags: x509 crypto memory cache memstat hashing ipc dns network lookup extprog keeptmp
dirmngr[312195.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired
dirmngr[312195.0]: permanently loaded certificates: 149
dirmngr[312195.0]:      runtime cached certificates: 0
dirmngr[312195.0]:              trusted certificates: 149 (149,0,0,0)

At first the "error loading certificate '/etc/ssl/certs/ca-certificates.crt'" 
message alarmed me: that file is a collection of certificates, and if a single 
expired one caused the whole file to fail to load, that'd be very bad. 
To investigate, one can run a pipeline like this:
$ find /usr/share/ca-certificates/mozilla/ -name '*.crt' -a -type f -exec env 'OPENSSL_CONF=""' openssl verify -trusted '{}' '{}' ';' > /dev/null
C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
error 10 at 0 depth lookup: certificate has expired
error /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt: verification failed

That seems to be the only certificate affected.
$ openssl x509 -nocert -in Baltimore_CyberTrust_Root.crt -enddate
notAfter=May 12 23:59:00 2025 GMT

There are 150 Mozilla certificates in total as indicated by e.g. 'echo 
/usr/share/ca-certificates/mozilla/*.crt | wc -w', so in saying it loaded 149 
certificates, it looks like GnuPG did indeed skip over just that one and load 
the rest fine. Therefore its message is kind of a false alarm.

I guess I'm not sure what I'd like to see done about this, but wanted to bring 
this to your attention. Do programs usually handle expiration of a certificate 
in the bundle as gracefully as GnuPG does? Is removing the expired root 
certificate sensible? If there's nothing to be done on the ca-certificates side 
of things, it'd be helpful to leave this bug as a "won't fix" to save someone 
the confusion. Thanks

-- System Information:
Debian Release: 13.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.57+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  openssl                3.5.4-1~deb13u1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded
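The per-file check above only covers the Mozilla directory; the bundle dirmngr actually reads is the concatenated /etc/ssl/certs/ca-certificates.crt. The following is an added example (not part of the bug report) that splits any PEM bundle into its individual certificates and reports which ones are expired, or expire within a lookahead window, so an expiring root is noticed before a consumer skips it. It assumes only POSIX sh, awk and the openssl CLI, and builds its own two-certificate demo bundle (constructed data) rather than reading the system bundle.

```shell
#!/bin/sh
# Added example, not from the bug report. Splits a PEM bundle (e.g.
# /etc/ssl/certs/ca-certificates.crt) into single certificates and checks
# each with "openssl x509 -checkend", the same expiry test that made dirmngr
# skip the Baltimore root. Assumes POSIX sh, awk and the openssl CLI.

# Print one line per certificate in bundle $1: "OK <subject>" or
# "EXPIRING <subject>". $2 is the lookahead in seconds; 0 means
# "already expired", which is what dirmngr reacts to.
bundle_expiry_report() {
    bundle=$1; window=${2:-0}
    tmpdir=$(mktemp -d)
    # Cut the bundle on PEM boundaries: certificate N goes to $tmpdir/N.pem
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    for f in "$tmpdir"/*.pem; do
        subj=$(openssl x509 -noout -subject -in "$f")
        # -checkend exits 0 if the certificate is still valid $window
        # seconds from now, non-zero if it has expired or will by then.
        if openssl x509 -noout -checkend "$window" -in "$f" >/dev/null; then
            printf 'OK       %s\n' "$subj"
        else
            printf 'EXPIRING %s\n' "$subj"
        fi
    done
    rm -rf "$tmpdir"
}

# Number of certificates a strict loader would skip (the "150 files but
# 149 loaded" gap from the report). Prints 0 rather than failing when none.
count_expiring() {
    bundle_expiry_report "$1" "${2:-0}" | awk '/^EXPIRING/ { n++ } END { print n + 0 }'
}

# Constructed demo data: two self-signed "roots", one valid for a day and
# one for ten years, concatenated like the real bundle.
make_demo_bundle() {
    out=$1; : > "$out"
    for spec in short-lived-root:1 long-lived-root:3650; do
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout /dev/null -subj "/CN=${spec%%:*}" -days "${spec##*:}" \
            2>/dev/null >> "$out"
    done
}
```

Run against the real bundle with `bundle_expiry_report /etc/ssl/certs/ca-certificates.crt $((30*86400))` to list roots expiring within 30 days.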
