[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-10-09 Thread Bug Watch Updater
** Changed in: ca-certificates (Debian)
   Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1944481

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Trusty:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  Fix Released
Status in ca-certificates package in Debian:
  Fix Released

Bug description:
  [Impact]

   * ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
   * ca-certificates also trusts the CA certificate "DST Root CA X3" which 
cross-signs the letsencrypt CA
   * "DST Root CA X3" is about to expire, however it has issued an updated 
cross-signature to letsencrypt beyond its own expiry
   * This causes issues with older implementations of openssl & gnutls that 
reject such chains when offered to clients by servers.
   * We have provided fixes for openssl in xenial and gnutls in bionic/xenial, 
however trusty systems remain affected. Also any self-built old copies of 
openssl/gnutls remain susceptible to this expiry.
   * One solution is to blacklist the "DST Root CA X3" from the ca-certificates 
package as described at 
https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4
 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and 
servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to 
work unmodified.
   * This is similar to how this was handled for AddTrust before

  "* mozilla/blacklist.txt: blacklist expired AddTrust External Root
  CA."

  [Test Plan]

   * Install old/current ca-certificates faketime wget curl
  libcurl3-gnutls

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 
49.12.37.5
  Connecting to pskov.surgut.co.uk 
(pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by 
'/C=US/O=Let\'s Encrypt/CN=R3':
    Issued certificate has expired.
  To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.

  # LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (60) SSL certificate problem: certificate has expired

   * Install new ca-certificates package

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 
49.12.37.5
  Connecting to pskov.surgut.co.uk 
(pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 612 [text/html]
  Saving to: 'index.html.3'

  100%[======================================>] 612         --.-K/s   in 0s

  2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]

  # LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   612  100   612    0     0   5794      0 --:--:-- --:--:-- --:--:--  5828

  Download is successful.

  [Where problems could occur]

   * Connectivity to websites chaining only to "DST Root CA X3", even under
  faketime set to dates prior to 30th of September 2021, will not work, as the
  "DST Root CA X3" certificate is no longer installed. Users should locally
  install and enable that CA certificate, or allow dangerous unverified
  connectivity to websites using expired CA certs.

  [Other Info]

   * Related openssl and gnutls28 bugs are
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and
  https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
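The fixed package drops the root at build time by listing it in mozilla/blacklist.txt. On a single host the same effect is obtained, or reversed as the "[Where problems could occur]" section suggests, through /etc/ca-certificates.conf. The script below is an added example for this thread, not code from the bug report or from the ca-certificates package. It assumes the Debian/Ubuntu ca-certificates.conf format (one certificate path per line relative to /usr/share/ca-certificates, a leading "!" deselects the entry) and takes the config path as a parameter so it can be tried on a scratch copy before touching the live file.

```shell
#!/bin/sh
# Added example for this thread, not code from the bug report or from the
# ca-certificates package.  It reproduces locally what the fixed package does
# in mozilla/blacklist.txt: deselect mozilla/DST_Root_CA_X3.crt so that
# update-ca-certificates(8) drops it from /etc/ssl/certs.
#
# Mechanism: /etc/ca-certificates.conf lists one certificate path per line,
# relative to /usr/share/ca-certificates; a line beginning with "!" is
# deselected.  CONF is a parameter so the functions can be exercised on a
# scratch copy instead of the live file.

CA_NAME="mozilla/DST_Root_CA_X3.crt"

# ca_state CONF NAME: prints "enabled", "disabled" or "absent".
ca_state() {
    conf=$1; name=$2
    if grep -qxF -- "!$name" "$conf"; then
        echo disabled
    elif grep -qxF -- "$name" "$conf"; then
        echo enabled
    else
        echo absent
    fi
}

# Rewrite CONF through a temporary file (portable, unlike sed -i).
_ca_rewrite() {
    conf=$1; expr=$2
    sed "$expr" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# ca_disable CONF NAME: make sure NAME is listed with a "!" prefix.
ca_disable() {
    conf=$1; name=$2
    case $(ca_state "$conf" "$name") in
        enabled) _ca_rewrite "$conf" "s|^$name\$|!$name|" ;;
        absent)  printf '!%s\n' "$name" >> "$conf" ;;
    esac
}

# ca_enable CONF NAME: make sure NAME is listed without the "!" prefix
# (what a site that still needs the root would do to keep it selected).
ca_enable() {
    conf=$1; name=$2
    case $(ca_state "$conf" "$name") in
        disabled) _ca_rewrite "$conf" "s|^!$name\$|$name|" ;;
        absent)   printf '%s\n' "$name" >> "$conf" ;;
    esac
}

# Stand-alone demo on a constructed scratch copy; nothing on the host changes.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "mozilla/ISRG_Root_X1.crt" "$CA_NAME" > "$tmp"
    ca_disable "$tmp" "$CA_NAME"
    ca_state "$tmp" "$CA_NAME"     # disabled
    cat "$tmp"                     # second line is now !mozilla/DST_Root_CA_X3.crt
    rm -f "$tmp"
fi
```

On the live file: `ca_disable /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt` followed by `update-ca-certificates` as root; afterwards /etc/ssl/certs/DST_Root_CA_X3.pem should no longer exist and the bundle in /etc/ssl/certs/ca-certificates.crt is regenerated without it. Note that once the fixed package is installed the file mozilla/DST_Root_CA_X3.crt is no longer shipped, so `ca_enable` alone cannot bring the root back; the local route the bug text refers to is to place your own copy of the PEM as /usr/local/share/ca-certificates/DST_Root_CA_X3.crt and run update-ca-certificates again, which only helps TLS stacks that do not check the root's own validity period.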


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-10-09 Thread Jeremy Bicha
** No longer affects: ca-certificates (Fluxbuntu)

** Also affects: ca-certificates (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995432
   Importance: Unknown
   Status: Unknown


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-10-09 Thread Jeremy Bicha
** Bug watch added: Debian Bug tracker #995432
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995432

** Also affects: ca-certificates (Fluxbuntu) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995432
   Importance: Unknown
   Status: Unknown


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-30 Thread Launchpad Bug Tracker
This bug was fixed in the package ca-certificates - 20210119ubuntu1

---
ca-certificates (20210119ubuntu1) impish; urgency=medium

  [ Dimitri John Ledkov ]
  * mozilla/blacklist.txt: blacklist expired "DST Root CA X3". (LP: #1944481)

 -- Marc Deslauriers   Wed, 22 Sep 2021 07:46:54 -0400

** Changed in: ca-certificates (Ubuntu Impish)
   Status: Fix Committed => Fix Released


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-24 Thread Seth Arnold
You can find older packages on the "full publishing history" from
launchpad:

https://launchpad.net/ubuntu/+source/ca-certificates/+publishinghistory

You can either download it manually or use the pull-lp-debs(1) command
from the ubuntu-dev-tools package.

Thanks


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-24 Thread Collin Anderson
Yes, I'm running into the issue above, where a Windows server is not
correctly serving the new certificate chain (which means it's going to
fail for everyone else on Sept 30th.) Windows server might need an
update or might need to be rebooted.
https://community.certifytheweb.com/t/upcoming-expiry-of-dst-root-ca-x3-and-r3-intermediate-for-lets-encrypt/1480

In the meantime, from the ubuntu point of view, how do I roll this
update back? The cert is still valid for another week. `sudo apt install
ca-certificates=20210119~20.04.1` says `E: Version '20210119~20.04.1'
for 'ca-certificates' was not found`.


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-24 Thread Matt Jones
@jsing You may well be correct that the server was incorrectly
configured, unfortunately it was a Windows server managed by a third
party and I don't know precisely how it was set up. Given that the cert
in question was issued on 9th September 2021 I suspect it was a
misconfiguration of their intermediate cert they were sending.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1944481

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  Fix Committed
Status in ca-certificates source package in Trusty:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  Fix Committed


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-24 Thread Joel Sing
@mattjones86 that does not seem expected - Let's Encrypt have been
issuing certificates from their R3 intermediate since December 2021
(https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018)
and have been supplying two intermediates (a Let's Encrypt R3 to ISRG
Root X1 and a Let's Encrypt R3 to DST Root CA X3) in the default chain
since 4th May 2021
(https://community.letsencrypt.org/t/production-chain-changes/150739).
Given that certificates issued by Let's Encrypt have a maximum validity
period of 90 days, all certificates that are still valid after the 4th
of August would have been issued in this manner.

The only thing I could think of that would explain the behaviour
mentioned is if your ACME client was failing to update the certificate
chain/bundle (or your server was configured to serve an old/stale
bundle). Most browsers (including Chrome) will also automatically fetch
issuer intermediate certificates if they're not supplied by the server.


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-24 Thread Matt Jones
I ran into an SSL verification issue today, caused by this change.

It seems that some older LetsEncrypt clients have still recently been
issuing valid certificates signed by the DST Root CA X3 root.

These certificates would have otherwise continued to work normally until
the root expired (September 30th 2021), but have been distrusted early
due to this change. (Indeed the certificate in question in my case was
still trusted by the latest Chrome etc.)

The best fix is to make sure the ACME client is up-to-date and re-issue
the certificates under the new root cert.

Posting for awareness - surprised I'm the first!
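
The chain-building behaviour discussed in the two messages above (the default bundle with two intermediates versus a stale chain ending at DST Root CA X3, and why older verifiers reject what Chrome still accepts), as an added Python model that is not part of the bug report, OpenSSL or GnuTLS. It assumes simplified verifier semantics, illustrative dates for every certificate except the DST Root CA X3 expiry given in the bug, and the hostname from the test plan.

```python
"""Toy model of TLS chain building around the DST Root CA X3 expiry.

Added example, not code from the ca-certificates package, OpenSSL or GnuTLS.
Certificates are (subject, issuer, notAfter) triples; signatures are not checked,
so only chain building and expiry are modelled.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    def self_signed(self):
        return self.subject == self.issuer


# Constructed certificate set. DST Root CA X3's expiry (30 Sep 2021) comes from the
# bug report; every other date here is an illustrative placeholder.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
# Cross-signature of ISRG Root X1 issued by DST Root CA X3, valid past the DST expiry.
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
# Older R3 signed directly by DST Root CA X3: the stale-bundle case from the thread.
R3_OLD = Cert("R3", "DST Root CA X3", date(2021, 9, 29))
LEAF = Cert("pskov.surgut.co.uk", "R3", date(2021, 12, 1))

DEFAULT_CHAIN = [R3, ISRG_CROSS]   # the default Let's Encrypt bundle (two intermediates)
STALE_CHAIN = [R3_OLD]             # what a stale ACME client keeps serving
TRUST_OLD = [ISRG_ROOT, DST_ROOT]  # ca-certificates before this fix
TRUST_NEW = [ISRG_ROOT]            # after "DST Root CA X3" is blacklisted
AFTER = date(2021, 10, 1)          # the faketime date used in the test plan
BEFORE = date(2021, 9, 24)         # the date of the stale-bundle report


def valid_on(cert, today):
    return today <= cert.not_after


def legacy_verify(leaf, supplied, trust, today):
    """Older verifier: walk the server-supplied certs greedily, then look for a
    trust anchor from the top of that chain downwards, stopping at the first
    issuer present in the store. An expired anchor still counts as found, so
    the chain [leaf, R3, ISRG Root X1 (cross)] is judged by the expired DST root.
    Returns (ok, path_subjects)."""
    chain = [leaf]
    while not chain[-1].self_signed():
        nxt = next((c for c in supplied
                    if c.subject == chain[-1].issuer and c not in chain), None)
        if nxt is None:
            break
        chain.append(nxt)
    for i in range(len(chain) - 1, -1, -1):
        anchor = next((t for t in trust if t.subject == chain[i].issuer), None)
        if anchor is None:
            continue  # no trusted issuer here: back down one cert and retry
        path = chain[: i + 1] + ([] if anchor in chain else [anchor])
        return all(valid_on(c, today) for c in path), [c.subject for c in path]
    return False, [c.subject for c in chain]


def modern_verify(leaf, supplied, trust, today):
    """Path-building verifier: try every issuer candidate (trust store first) and
    accept the first path that ends at a trusted cert with nothing expired.
    Returns (ok, path_subjects)."""
    def search(path):
        top = path[-1]
        if top in trust:
            ok = all(valid_on(c, today) for c in path)
            return [c.subject for c in path] if ok else None
        for cand in list(trust) + list(supplied):
            if cand.subject == top.issuer and cand not in path:
                found = search(path + [cand])
                if found:
                    return found
        return None

    found = search([leaf])
    return found is not None, found or []


def scenarios():
    """Outcomes for the cases discussed in the thread, keyed by description."""
    return {
        "legacy, DST trusted, default chain, after expiry":
            legacy_verify(LEAF, DEFAULT_CHAIN, TRUST_OLD, AFTER)[0],
        "legacy, DST blacklisted, default chain, after expiry":
            legacy_verify(LEAF, DEFAULT_CHAIN, TRUST_NEW, AFTER)[0],
        "modern, DST trusted, default chain, after expiry":
            modern_verify(LEAF, DEFAULT_CHAIN, TRUST_OLD, AFTER)[0],
        "legacy, DST trusted, stale chain, before expiry":
            legacy_verify(LEAF, STALE_CHAIN, TRUST_OLD, BEFORE)[0],
        "modern, DST blacklisted, stale chain, before expiry":
            modern_verify(LEAF, STALE_CHAIN, TRUST_NEW, BEFORE)[0],
    }
```

The last two scenarios reproduce the stale-bundle report: a chain ending only at DST Root CA X3 verified before 30 September against the old store, and no verifier can complete it once that root is removed, so re-issuing under the current chain is the fix rather than re-adding the root.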


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Romain Couturat
** Information type changed from Private Security to Public

** Information type changed from Public to Public Security


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Marc Deslauriers
** Changed in: ca-certificates (Ubuntu Impish)
   Status: New => Fix Committed

** Changed in: ca-certificates (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: ca-certificates (Ubuntu Xenial)
   Status: New => Fix Released


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Launchpad Bug Tracker
This bug was fixed in the package ca-certificates - 20210119ubuntu0.21.04.1

---
ca-certificates (20210119ubuntu0.21.04.1) hirsute-security; urgency=medium

  [ Dimitri John Ledkov ]
  * mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
(LP: #1944481)

 -- Marc Deslauriers   Wed, 22 Sep 2021 07:46:54 -0400

** Changed in: ca-certificates (Ubuntu Hirsute)
   Status: New => Fix Released


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Launchpad Bug Tracker
This bug was fixed in the package ca-certificates - 20210119~18.04.2

---
ca-certificates (20210119~18.04.2) bionic-security; urgency=medium

  [ Dimitri John Ledkov ]
  * mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
(LP: #1944481)

 -- Marc Deslauriers   Wed, 22 Sep 2021 07:46:54 -0400

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1944481

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  New
Status in ca-certificates source package in Trusty:
  New
Status in ca-certificates source package in Xenial:
  New
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  New


[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Launchpad Bug Tracker
This bug was fixed in the package ca-certificates - 20210119~20.04.2

---
ca-certificates (20210119~20.04.2) focal-security; urgency=medium

  [ Dimitri John Ledkov ]
  * mozilla/blacklist.txt: blacklist expired "DST Root CA X3".
(LP: #1944481)

 -- Marc Deslauriers   Wed, 22 Sep 2021 07:46:54 -0400

** Changed in: ca-certificates (Ubuntu Focal)
   Status: New => Fix Released

** Changed in: ca-certificates (Ubuntu Bionic)
   Status: New => Fix Released

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  New
Status in ca-certificates source package in Trusty:
  New
Status in ca-certificates source package in Xenial:
  New
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  New

[Touch-packages] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security

** Also affects: ca-certificates (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Also affects: ca-certificates (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: ca-certificates (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Also affects: ca-certificates (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: ca-certificates (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: ca-certificates (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Focal)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Hirsute)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Impish)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  New
Status in ca-certificates source package in Trusty:
  New
Status in ca-certificates source package in Xenial:
  New
Status in ca-certificates source package in Bionic:
  New
Status in ca-certificates source package in Focal:
  New
Status in ca-certificates source package in Hirsute:
  New
Status in ca-certificates source package in Impish:
  New
