Hi,

i wrote:
> > The proposal of mett finally got wget to download lists.debian.org with
> > certificate check enabled.
> > [...]
> > Now i am puzzled why this operation is not necessary on Debian 10 from
> > where the file /etc/ca-certificates.conf was copied.
> > The entry is in /etc/ca-certificates.conf,
> > DST_Root_CA_X3.crt exists in /usr/share/ca-certificates,
> > the link DST_Root_CA_X3.pem exists in /etc/ssl/certs.
> > Nevertheless wget works on my Debian 10 with https://lists.debian.org.

mett wrote:
> Maybe the default CA for Let's Encrypt
> are different on Debian 8 and Debian 9/10.

Meanwhile the users of the GNU savannah server got informed that such
problems are related to a bug in SSL software. One of the links given is:
  https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
Your proposal is there mentioned as
  "Workaround 1 (on clients with OpenSSL 1.0.2)"

So my three certificate problems each have a different solution:

- Debian 8 iceweasel (firefox) did not know the new certificate
  ISRG_Root_X1 before i copied it from Debian (as of July 2020).
  I had to "import" this certificate by the browser's GUI.
  Iceweasel does not suffer from the bug that lets the outdated
  DST_Root_CA_X3 spoil the certification handshake.

- Debian 10 wget as of July 2020 had the ISRG_Root_X1 certificate but
  also the bug, which came out of its egg on September 30, 2021,
  14:01:15 GMT.
  dist-upgrade to October 2021 obviously fixed the bug. Now the old
  DST_Root_CA_X3 still exists but does not spoil wget any more.

- Debian 8 wget has the bug and lacked the ISRG_Root_X1 certificate.
  So it needed that certificate file from Debian 10 in /etc/ssl/certs.
  Because of the bug it needed DST_Root_CA_X3 to be hidden.

mett wrote:
> > > -then, restart your servers.

i wrote:
> > Do SSL clients depend on a local service ?

mett wrote:
> SSL clients do not depend on a local service.
> I said restart your servers
> (thinking apache and php-fpm).
> Sorry for that.

Among all my confusions and all the red herrings in the web, this was
the least problem.
I have to thank you for giving the decisive hint several days before
i found a plausible explanation.

------------------------------------------------------------------------

I meanwhile learned that

  openssl s_client -CApath /etc/ssl/certs -showcerts \
                   -connect lists.debian.org:443 < /dev/null

tells the certificates which are involved.

Now it says in the beginning of its output

  depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
  verify error:num=20:unable to get local issuer certificate

instead of previously when wget did not work:

  depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
  verify error:num=10:certificate has expired
  notAfter=Sep 30 14:01:15 2021 GMT

Googling "DST_Root_CA_X3" then gives good hints.
(Googling "unable to get local issuer certificate" gives new riddles.)

Have a nice day :)

Thomas
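
As an added example (not part of the mail above): a small shell filter that turns the "depth=" and "verify error" lines of the s_client output quoted in the mail into one line per problem, naming the certificate in the chain that failed and why. The function names verify_errors and diagnose are made up for this example, and the sample input is constructed from the two outputs quoted in the mail.

```shell
#!/bin/sh
# Added example, not from the mail: summarize "verify error" lines of s_client.
# Sample inputs are constructed from the two outputs quoted in the mail.
sample_before='depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT'
sample_after='depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate'

# verify_errors (hypothetical helper): reads s_client output on stdin and
# prints one record per error: depth|CN|error number|error text|notAfter or -
verify_errors() {
    awk '
        function emit() {
            if (num != "") print depth "|" cn "|" num "|" msg "|" (na == "" ? "-" : na)
            num = ""; msg = ""; na = ""
        }
        /^depth=[0-9]+ / {
            emit()
            depth = $1; sub(/^depth=/, "", depth)
            cn = $0; sub(/^.*CN = /, "", cn)
            next
        }
        /^verify error:num=[0-9]+:/ {
            emit()
            num = $0; sub(/^verify error:num=/, "", num)
            msg = num; sub(/^[0-9]+:/, "", msg)
            sub(/:.*$/, "", num)
            next
        }
        /^notAfter=/ { na = $0; sub(/^notAfter=/, "", na) }
        END { emit() }
    '
}

# diagnose (hypothetical helper): one readable line per verification error.
diagnose() {
    verify_errors | while IFS='|' read -r depth cn num msg na; do
        case "$num" in
            10) echo "expired: $cn (depth $depth, notAfter $na)" ;;
            20) echo "issuer not found locally for: $cn (depth $depth)" ;;
            *)  echo "error $num at depth $depth: $msg" ;;
        esac
    done
}

# Live use: openssl s_client ... < /dev/null 2>&1 | diagnose
printf '%s\n' "$sample_before" | diagnose
printf '%s\n' "$sample_after" | diagnose
```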