On Thu, 2009-12-31 at 14:09 +0100, Andreas Metzler wrote:
> On 2009-12-31 Sam Morris <s...@robots.org.uk> wrote:
> > On Thu, 2009-12-31 at 09:22 +0100, Andreas Metzler wrote:
> [...]
> >> color me stupid, but I cannot find any reference to the certificate in
> >> the file /etc/ssl/certs/Go_Daddy_Class_2_CA.pem (C=US,O=The Go Daddy
> >> Group\, Inc.,OU=Go Daddy Class 2 Certification Authority valid
> >> 2004-2034) in the debugging output. I think you need to use
> >> /etc/ssl/certs/ValiCert_Class_2_VA.pem instead.
>
> > *blinks* hm, indeed! However I get the same 'Peer's certificate issuer
> > is not a CA' message with that certificate as well.
>
> > I would be grateful if you could try to confirm this yourself -- the
> > server is XXXXXXXXXXXXXXXXXXXXXXX. Sorry to be a bother, but I'm rather
> > stumped as to why this has ceased to work recently.
> [...]
>
> Hello,
> Taking this back to the BTS, to keep the other maintainers in the
> boat.
>
> The toplevel certificate
>
> ------------------------
> Subject: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,email=i...@valicert.com
> SHA-1 fingerprint: 317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6
> ------------------------
>
> is a V1 CA. GnuTLS does not accept V1 CAs by default. (The version of
> GnuTLS in lenny is patched to behave differently.)

Ah, thanks very much for this information! That explains it.

> Possible workarounds:
> * --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT
> * Make one of the two intermediary certificates or the server
>   certificate itself trusted.
>
> Was this certificate really issued April 2009? Is Godaddy still using
> their V1 CA?

Yes, the certificate is from April 2009. Godaddy may have changed their
procedures since then though.

Thanks again for your analysis.

> cu andreas

-- 
Sam Morris <s...@robots.org.uk>
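
Added example, not part of the original thread or of GnuTLS: a small Python check that reports the X.509 version of each certificate in a PEM bundle, to spot V1 CA certificates like the one discussed above before GnuTLS rejects them. The function names and the two sample inputs are assumptions made for illustration; the samples are constructed DER skeletons, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Version (1, 2 or 3) read from the first field of tbsCertificate."""
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, _ = read_tlv(der, start)    # [0] version, or serialNumber
    if tag != 0xA0:                         # version absent: DEFAULT v1
        return 1
    _, start, end = read_tlv(der, start)    # INTEGER wrapped by [0] EXPLICIT
    return int.from_bytes(der[start:end], "big") + 1

def versions_in_bundle(pem_text):
    """X.509 version of every certificate in a PEM file, in file order."""
    return [x509_version(base64.b64decode(body))
            for body in PEM_RE.findall(pem_text)]

# Constructed samples: only the leading fields the check reads are present.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value

def _sample_pem(version_field):
    der = _tlv(0x30, _tlv(0x30, version_field + _tlv(0x02, b"\x01")))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

V1_SAMPLE = _sample_pem(b"")                            # no version field
V3_SAMPLE = _sample_pem(_tlv(0xA0, _tlv(0x02, b"\x02")))  # version = 2 (v3)
```

Passing the text of a CA file such as /etc/ssl/certs/ValiCert_Class_2_VA.pem to versions_in_bundle() returns one version number per certificate; a 1 marks a certificate that falls under the V1 CA behaviour described in the thread.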