On 2020-12-08 Jonathan Ballet <j...@multani.info> wrote: > Package: libgnutls30 > Version: 3.7.0-3 > Severity: critical > Justification: breaks unrelated software
> Dear Maintainer, > I updated gnutls to 3.7.0-3 this morning, then apt was unable to connect to > the Debian mirror https://debian.ethz.ch/debian/: > $ sudo apt update > Ign:1 https://debian.ethz.ch/debian sid InRelease > Err:2 https://debian.ethz.ch/debian sid Release > Certificate verification failed: The certificate is NOT trusted. The > certificate issuer is unknown. Could not handshake: Error in the certificate > verification. [IP: 129.132.53.171 443] > Reading package lists... Done [...] Hello Jonathan, afaict the server is misconfigured: --------------------- (sid)ametzler@argenau:$ gnutls-cli debian.ethz.ch < /dev/null 2>&1 | grep -A1 '^- Certificate' - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=plattenberg.ethz.ch', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03303e4ec324a9667915ae5fb3383255b202, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-17 13:03:43 UTC', expires `2021-02-15 13:03:43 UTC', pin-sha256="7qwNrAIqODvrEwByZ0mAMpm2PROcvYK/BNpYTBzSzfA=" -- - Certificate[1] info: - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=" - Certificate[2] info: - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=" --------------------- The certificate chain sent by the server consists of 3 certificates but not each following certificate directly certifies the one preceding it. - Certificate[1] and Certificate[2] are identical. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'