Bug#1055152: marked as done (ca-certificates: Certificates from Sectigo Limited are not trusted)

Sat, 03 Feb 2024 03:54:14 -0800 

Your message dated Sat, 3 Feb 2024 12:50:56 +0100
with message-id <Zb4ooH_Ph0pkCCa7@carotte>
and subject line Re: Bug#1055152: ca-certificates: Certificates from Sectigo 
Limited are not trusted
has caused the Debian Bug report #1055152,
regarding ca-certificates: Certificates from Sectigo Limited are not trusted
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1055152: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055152
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: ca-certificates
Version: 20230311
Severity: normal
User: [email protected]
Usertags: origin-kali

Dear Maintainer,

  # wget https://mirror1.sox.rs/
  --2023-11-01 10:39:21--  https://mirror1.sox.rs/
  Resolving mirror1.sox.rs (mirror1.sox.rs)... 88.218.137.65, 2a09:ab81::65
  Connecting to mirror1.sox.rs (mirror1.sox.rs)|88.218.137.65|:443... connected.
  ERROR: The certificate of 'mirror1.sox.rs' is not trusted.
  ERROR: The certificate of 'mirror1.sox.rs' doesn't have a known issuer.

However, opening the page in Firefox, no problem, apparently Mozilla is
happy with this certificate, please check: https://mirror1.sox.rs/

At this point I must admit I know very little about the package
ca-certificates, but from a quick glance, according to README.Debian, it
looks like ca-certificates should be in line with Mozilla's trusted
certificates?

Looking online, https://wiki.mozilla.org/CA/Included_Certificates took
me to
https://ccadb.my.salesforce-sites.com/mozilla/IncludedCACertificateReport
which list Sectigo. However the Certificate Issuer Organization changed
from Comodo to Sectigo, Valid From 2021.03.22.

So maybe it's just that ca-certificates needs an update?

Thanks!

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.82
ii  openssl                3.0.12-1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
  ca-certificates/trust_new_crts: yes
  ca-certificates/title:
  ca-certificates/enable_crts: mozilla/ACCVRAIZ1.crt, 
mozilla/AC_RAIZ_FNMT-RCM.crt, mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt, 
mozilla/Actalis_Authentication_Root_CA.crt, mozilla/AffirmTrust_Commercial.crt, 
mozilla/AffirmTrust_Networking.crt, mozilla/AffirmTrust_Premium.crt, 
mozilla/AffirmTrust_Premium_ECC.crt, mozilla/Amazon_Root_CA_1.crt, 
mozilla/Amazon_Root_CA_2.crt, mozilla/Amazon_Root_CA_3.crt, 
mozilla/Amazon_Root_CA_4.crt, mozilla/ANF_Secure_Server_Root_CA.crt, 
mozilla/Atos_TrustedRoot_2011.crt, 
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068_2.crt, 
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt, 
mozilla/Baltimore_CyberTrust_Root.crt, mozilla/Buypass_Class_2_Root_CA.crt, 
mozilla/Buypass_Class_3_Root_CA.crt, mozilla/CA_Disig_Root_R2.crt, 
mozilla/Certainly_Root_E1.crt, mozilla/Certainly_Root_R1.crt, 
mozilla/Certigna.crt, mozilla/Certigna_Root_CA.crt, 
mozilla/certSIGN_ROOT_CA.crt, mozilla/certSIGN_Root_CA_G2.crt, 
mozilla/Certum_EC-384_CA.crt, mozilla/Certum_Trusted_Network_CA_2.crt, 
mozilla/Certum_Trusted_Network_CA.crt, mozilla/Certum_Trusted_Root_CA.crt, 
mozilla/CFCA_EV_ROOT.crt, mozilla/Comodo_AAA_Services_root.crt, 
mozilla/COMODO_Certification_Authority.crt, 
mozilla/COMODO_ECC_Certification_Authority.crt, 
mozilla/COMODO_RSA_Certification_Authority.crt, 
mozilla/DigiCert_Assured_ID_Root_CA.crt, 
mozilla/DigiCert_Assured_ID_Root_G2.crt, 
mozilla/DigiCert_Assured_ID_Root_G3.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_Global_Root_G2.crt, mozilla/DigiCert_Global_Root_G3.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, 
mozilla/DigiCert_TLS_ECC_P384_Root_G5.crt, 
mozilla/DigiCert_TLS_RSA4096_Root_G5.crt, mozilla/DigiCert_Trusted_Root_G4.crt, 
mozilla/D-TRUST_BR_Root_CA_1_2020.crt, mozilla/D-TRUST_EV_Root_CA_1_2020.crt, 
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt, 
mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt, 
mozilla/emSign_ECC_Root_CA_-_C3.crt, mozilla/emSign_ECC_Root_CA_-_G3.crt, 
mozilla/emSign_Root_CA_-_C1.crt, mozilla/emSign_Root_CA_-_G1.crt, 
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, 
mozilla/Entrust_Root_Certification_Authority.crt, 
mozilla/Entrust_Root_Certification_Authority_-_EC1.crt, 
mozilla/Entrust_Root_Certification_Authority_-_G2.crt, 
mozilla/Entrust_Root_Certification_Authority_-_G4.crt, 
mozilla/ePKI_Root_Certification_Authority.crt, 
mozilla/e-Szigno_Root_CA_2017.crt, mozilla/E-Tugra_Certification_Authority.crt, 
mozilla/E-Tugra_Global_Root_CA_ECC_v3.crt, 
mozilla/E-Tugra_Global_Root_CA_RSA_v3.crt, mozilla/GDCA_TrustAUTH_R5_ROOT.crt, 
mozilla/GlobalSign_ECC_Root_CA_-_R4.crt, 
mozilla/GlobalSign_ECC_Root_CA_-_R5.crt, mozilla/GlobalSign_Root_CA.crt, 
mozilla/GlobalSign_Root_CA_-_R3.crt, mozilla/GlobalSign_Root_CA_-_R6.crt, 
mozilla/GlobalSign_Root_E46.crt, mozilla/GlobalSign_Root_R46.crt, 
mozilla/GLOBALTRUST_2020.crt, mozilla/Go_Daddy_Class_2_CA.crt, 
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, mozilla/GTS_Root_R1.crt, 
mozilla/GTS_Root_R2.crt, mozilla/GTS_Root_R3.crt, mozilla/GTS_Root_R4.crt, 
mozilla/HARICA_TLS_ECC_Root_CA_2021.crt, 
mozilla/HARICA_TLS_RSA_Root_CA_2021.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt, 
mozilla/HiPKI_Root_CA_-_G1.crt, mozilla/Hongkong_Post_Root_CA_1.crt, 
mozilla/Hongkong_Post_Root_CA_3.crt, 
mozilla/IdenTrust_Commercial_Root_CA_1.crt, 
mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, 
mozilla/ISRG_Root_X2.crt, mozilla/Izenpe.com.crt, 
mozilla/Microsec_e-Szigno_Root_CA_2009.crt, 
mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt, 
mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt, 
mozilla/NAVER_Global_Root_Certification_Authority.crt, 
mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt, 
mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt, 
mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, 
mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, 
mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, 
mozilla/Secure_Global_CA.crt, mozilla/SecureSign_RootCA11.crt, 
mozilla/SecureTrust_CA.crt, mozilla/Security_Communication_ECC_RootCA1.crt, 
mozilla/Security_Communication_RootCA2.crt, 
mozilla/Security_Communication_RootCA3.crt, 
mozilla/Security_Communication_Root_CA.crt, 
mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt, 
mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt, 
mozilla/SSL.com_Root_Certification_Authority_ECC.crt, 
mozilla/SSL.com_Root_Certification_Authority_RSA.crt, 
mozilla/Starfield_Class_2_CA.crt, 
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt, 
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt, 
mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, 
mozilla/SZAFIR_ROOT_CA2.crt, mozilla/Telia_Root_CA_v2.crt, 
mozilla/TeliaSonera_Root_CA_v1.crt, mozilla/TrustCor_ECA-1.crt, 
mozilla/TrustCor_RootCert_CA-1.crt, mozilla/TrustCor_RootCert_CA-2.crt, 
mozilla/Trustwave_Global_Certification_Authority.crt, 
mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt, 
mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt, 
mozilla/T-TeleSec_GlobalRoot_Class_2.crt, 
mozilla/T-TeleSec_GlobalRoot_Class_3.crt, 
mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt, 
mozilla/TunTrust_Root_CA.crt, mozilla/TWCA_Global_Root_CA.crt, 
mozilla/TWCA_Root_Certification_Authority.crt, 
mozilla/UCA_Extended_Validation_Root.crt, mozilla/UCA_Global_G2_Root.crt, 
mozilla/USERTrust_ECC_Certification_Authority.crt, 
mozilla/USERTrust_RSA_Certification_Authority.crt, 
mozilla/vTrus_ECC_Root_CA.crt, mozilla/vTrus_Root_CA.crt, 
mozilla/XRamp_Global_CA_Root.crt
  ca-certificates/new_crts:

--- End Message ---
--- Begin Message --- 
On Wed, Nov  1, 2023 at 17:46:06 +0700, Arnaud Rebillout wrote:

> Dear Maintainer,
> 
>   # wget https://mirror1.sox.rs/
>   --2023-11-01 10:39:21--  https://mirror1.sox.rs/
>   Resolving mirror1.sox.rs (mirror1.sox.rs)... 88.218.137.65, 2a09:ab81::65
>   Connecting to mirror1.sox.rs (mirror1.sox.rs)|88.218.137.65|:443... 
> connected.
>   ERROR: The certificate of 'mirror1.sox.rs' is not trusted.
>   ERROR: The certificate of 'mirror1.sox.rs' doesn't have a known issuer.
> 
> However, opening the page in Firefox, no problem, apparently Mozilla is
> happy with this certificate, please check: https://mirror1.sox.rs/
> 
> At this point I must admit I know very little about the package
> ca-certificates, but from a quick glance, according to README.Debian, it
> looks like ca-certificates should be in line with Mozilla's trusted
> certificates?
> 
> Looking online, https://wiki.mozilla.org/CA/Included_Certificates took
> me to
> https://ccadb.my.salesforce-sites.com/mozilla/IncludedCACertificateReport
> which list Sectigo. However the Certificate Issuer Organization changed
> from Comodo to Sectigo, Valid From 2021.03.22.
> 
> So maybe it's just that ca-certificates needs an update?

This server is misconfigured, and doesn't provide the intermediate CA in
the TLS handshake.

Cheers,
Julien

--- End Message ---

Reply via email to