i wrote:
> > The proposal of mett finally got wget to download lists.debian.org with
> > certificate check enabled.
> > [...]
> > Now i am puzzled why this operation is not necessary on Debian 10 from
> > where the file /etc/ca-certificates.conf was copied.
> > The entry is in /etc/ca-certificates.conf,
> > DST_Root_CA_X3.crt exists in /usr/share/ca-certificates,
> > the link DST_Root_CA_X3.pem exists in /etc/ssl/certs.
> > Nevertheless wget works on my Debian 10 with https://lists.debian.org.

met wrote:
> Maybe the default CA for Let's Encrypt
> are different on Debian 8 and Debian 9/10.

Meanwhile the users of the GNU savannah server got informed that such
problems are related to a bug in SSL software. One of the links given is:


Your proposal is there mentioned as
  "Workaround 1 (on clients with OpenSSL 1.0.2)"

So my three certificate problems each have a different solution:

- Debian 8 iceweasel (firefox) did not know the new certificate ISRG_Root_X1
  before i copied it from Debian (as of juli 2020). I had to "import"
  this certificate by the browser's GUI.
  Iceweasel does not suffer from the bug that lets the outdated
  DST_Root_CA_X3 spoil the certification handshake.

- Debian 10 wget as of juli 2020 had the ISRG_Root_X1 certificate but also
  the bug, which came out of its egg on september 30, 2021, 14:01:15 GMT.
  dist-upgrade to october 2021 obviously fixed the bug.
  Now the old DST_Root_CA_X3 still exists but does not spoil wget any more.

- Debian 8 wget has the bug and lacked the ISRG_Root_X1 certificate.
  So it needed that certificate file from Debian 10 in /etc/ssl/certs.
  Because of the bug it needed DST_Root_CA_X3 to be hidden.

mett wrote:
> > > -then, restart your servers.

i wrote:
> > Do SSL clients depend on a local service ?

mett wrote:
> SSL clients do not depend on a local service.
> I said restart your servers
> (thinking apache and php-fpm).
> Sorry for that.

Among all my confusions and all the red herrings in the web, this was the
least problem. I have to thank you for giving the decisive hint several
days before i found a plausible explantion.


I meanwhile learned that

  openssl s_client -CApath /etc/ssl/certs -showcerts \
                   -connect lists.debian.org:443 < /dev/null

tells the certificates which are involved.

Now it says in the beginning of its output

  depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
  verify error:num=20:unable to get local issuer certificate

instead of previously when wget did not work:

  depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
  verify error:num=10:certificate has expired
  notAfter=Sep 30 14:01:15 2021 GMT

Googling "DST_Root_CA_X3" then gives good hints.
(Googling "unable to get local issuer certificate" gives new riddles.)

Have a nice day :)


Reply via email to