Your message dated Mon, 23 Feb 2026 17:18:59 +0000
with message-id <[email protected]>
and subject line Bug#1121936: fixed in ca-certificates 20260223
has caused the Debian Bug report #1121936,
regarding Baltimore CyberTrust Root expired in May 2025; might be a source of
confusion
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1121936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121936
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ca-certificates
Version: 20250419
Severity: normal
Control: affects -1 dirmngr
Ahoy,
I was digging into an unrelated issue in GnuPG and noticed this has been
showing up in logs:
dirmngr[312195]: enabled debug flags: x509 crypto memory cache memstat hashing
ipc dns network lookup extprog keeptmp
dirmngr[312195.0]: error loading certificate
'/etc/ssl/certs/ca-certificates.crt': Certificate expired
dirmngr[312195.0]: permanently loaded certificates: 149
dirmngr[312195.0]: runtime cached certificates: 0
dirmngr[312195.0]: trusted certificates: 149 (149,0,0,0)
At first the "error loading certificate '/etc/ssl/certs/ca-certificates.crt'"
gave me alarm: that file is a collection of certificates and if a single one
being expired would cause an error to load the file at all, that'd be very bad.
To investigate one can run a pipeline like this:
$ find /usr/share/ca-certificates/mozilla/ -name '*.crt' -a -type f -exec env
'OPENSSL_CONF=""' openssl verify -trusted '{}' '{}' ';' > /dev/null
C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
error 10 at 0 depth lookup: certificate has expired
error /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt:
verification failed
That seems to be the only certificate affected.
$ openssl x509 -nocert -in Baltimore_CyberTrust_Root.crt -enddate
notAfter=May 12 23:59:00 2025 GMT
There are 150 Mozilla certificates in total as indicated by e.g. 'echo
/usr/share/ca-certificates/mozilla/*.crt | wc -w', so in saying it loaded 149
certificates, it looks like GnuPG did indeed skip over just that one and load
the rest fine. Therefore its message is kind of a false alarm.
I guess I'm not sure what I'd like to see done about this, but wanted to bring
this to your attention. Do programs usually handle expiration of a certificate
in the bundle as gracefully as GnuPG does? Is removing the expired root
certificate sensible? If there's nothing to be done on the ca-certificates side
of things, it'd be helpful to leave this bug as a "won't fix" to save someone
the confusion. Thanks
-- System Information:
Debian Release: 13.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.57+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ca-certificates depends on:
ii debconf [debconf-2.0] 1.5.91
ii openssl 3.5.4-1~deb13u1
ca-certificates recommends no packages.
ca-certificates suggests no packages.
-- debconf information excluded
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
Source: ca-certificates
Source-Version: 20260223
Done: Julien Cristau <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <[email protected]> (supplier of updated ca-certificates
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 23 Feb 2026 17:46:55 +0100
Source: ca-certificates
Architecture: source
Version: 20260223
Distribution: unstable
Urgency: medium
Maintainer: Julien Cristau <[email protected]>
Changed-By: Julien Cristau <[email protected]>
Closes: 1121936 1127100
Changes:
ca-certificates (20260223) unstable; urgency=medium
.
* Update Mozilla certificate authority bundle to version 2.82
The following certificate authorities were added (+):
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
+ SwissSign RSA TLS Root CA 2022 - 1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
The following certificate authorities were removed (-):
- GlobalSign Root CA
- Entrust.net Premium 2048 Secure Server CA
- Baltimore CyberTrust Root (closes: #1121936)
- Comodo AAA Services root
- XRamp Global CA Root
- Go Daddy Class 2 CA
- Starfield Class 2 CA
- CommScope Public Trust ECC Root-01
- CommScope Public Trust ECC Root-02
- CommScope Public Trust RSA Root-01
- CommScope Public Trust RSA Root-02
* Use dh_usrlocal to create /usr/local/share/ca-certificates
(closes: #1127100)
Checksums-Sha1:
698e46d1fb9a805c3eee258c42faa9aa031c85fa 1766 ca-certificates_20260223.dsc
0a97c2246c1407a5d579529fb12cc1eea263f5f4 282672 ca-certificates_20260223.tar.xz
Checksums-Sha256:
1513677cb1cf906a4b688279f86cdfda2a5373894c25521ed61eb6b2812ddf93 1766
ca-certificates_20260223.dsc
2fa2b00d4360f0d14ec51640ae8aea9e563956b95ea786e3c3c01c4eead42b56 282672
ca-certificates_20260223.tar.xz
Files:
3c6f183849f4169205e44b384c42cd6d 1766 misc optional
ca-certificates_20260223.dsc
03867432676e265fb5ded407b2ab31a9 282672 misc optional
ca-certificates_20260223.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEVXgdqzTmGgnvuIvhnbAjVVb4z60FAmmciZYUHGpjcmlzdGF1
QGRlYmlhbi5vcmcACgkQnbAjVVb4z60CHA//UWB+NHDIc5jt1+Jx17wrS80fbdGd
wM6WqeqfZZxvszoe5uKBKtoUyN1n7kjNGhv+O1HmF7xlYAitXXKdrEn+n5d1psLA
+EvK5Lvl5H/rqzka2wu7Qc5htcvF2WbCq4OCdAT9RdNENxdRVvVQ9wgYYpJTH0ht
z/JLSAjgw7kHohq+KLrHFcO/e4Bc+yko2sky/B/ES9D4TbO7VfYRRAQOxGrKM2Qe
1HzsEUJWHevlbjtJXV72iMbixACdtCVANrj1Bl1mwz04DcdZg3xTbdUKcHzWXixZ
Cp9TLQ4X7ZVXXq+GoQyqTsof9EB3rf52e/g3qNsiULWY12GrgoePSOFUaN/Rpt9L
2tpXDzNoO5ZCpGVX0gSEYAdTX3djbqrzYdyNmhus87WbbuA5cwSWRh7FohXgwZVc
bKSqZmsXYqoVsxjAQRSx3XuTZ74MMsluk94qmGubXTZCnM/48ldfE7EVrGlNhgW9
3uCW3XpRtyLUG8ChCfgKWv21Tm6UowIj/w+QgYj1S/6cqWpgo9uJNWYVQIhNagbk
Akf3MbzYQM7h1CeP1jOyY2EC17aczzJfDGnhc8bfMH2mHD7lbN3zQk0vBfx7FjAX
5PxBuOXNgJcLFgg1xwRbMMnPfkISEMjFd3BC9EucpQLqemfJo7DYaEL8zR293sbP
kVtxenL4/U/2T9o=
=EyA1
-----END PGP SIGNATURE-----
pgp47RlUve3p5.pgp
Description: PGP signature
--- End Message ---
