On 12/4/25 22:41, John Scott wrote:
I was digging into an unrelated issue in GnuPG and noticed this has been
showing up in logs:
dirmngr[312195]: enabled debug flags: x509 crypto memory cache memstat hashing ipc dns network lookup extprog keeptmp
dirmngr[312195.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired
dirmngr[312195.0]: permanently loaded certificates: 149
dirmngr[312195.0]: runtime cached certificates: 0
dirmngr[312195.0]: trusted certificates: 149 (149,0,0,0)
At first the "error loading certificate '/etc/ssl/certs/ca-certificates.crt'"
alarmed me: that file is a collection of certificates, and if a single expired one
caused an error loading the file at all, that'd be very bad. To investigate,
one can run a pipeline like this:
$ find /usr/share/ca-certificates/mozilla/ -name '*.crt' -a -type f -exec env 'OPENSSL_CONF=""' openssl verify -trusted '{}' '{}' ';' > /dev/null
C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
error 10 at 0 depth lookup: certificate has expired
error /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt:
verification failed
That seems to be the only certificate affected.
$ openssl x509 -nocert -in Baltimore_CyberTrust_Root.crt -enddate
notAfter=May 12 23:59:00 2025 GMT
There are 150 Mozilla certificates in total as indicated by e.g. 'echo
/usr/share/ca-certificates/mozilla/*.crt | wc -w', so in saying it loaded 149
certificates, it looks like GnuPG did indeed skip over just that one and load
the rest fine. Therefore its message is kind of a false alarm.
I guess I'm not sure what I'd like to see done about this, but wanted to bring this to
your attention. Do programs usually handle expiration of a certificate in the bundle as
gracefully as GnuPG does? Is removing the expired root certificate sensible? If there's
nothing to be done on the ca-certificates side of things, it'd be helpful to leave this
bug as a "won't fix" to save someone the confusion. Thanks.

This is pretty much a cosmetic issue as far as I know. It's debatable
whether client libraries should even care about expiration dates on
trust anchors. In any case this root has been removed from the Mozilla
trust store so the latest ca-certificates package removes it.
Cheers,
Julien
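As an added worked example (not code from the report, from GnuPG or from the ca-certificates package): a small Python scanner that does what the find/openssl pipeline in the report does, but against the concatenated bundle itself, i.e. the file dirmngr complains about. It splits the PEM file, walks just enough DER to reach tbsCertificate.validity, reports each expired entry and still counts the rest, which is the 149-of-150 behaviour described above. Python with only the standard library was chosen so the check runs without openssl and with a fixed clock. The bundle embedded in the script is constructed: three unsigned certificate skeletons with empty names and placeholder keys, one of them given the Baltimore CyberTrust Root notAfter quoted in the report. Pass a path such as /etc/ssl/certs/ca-certificates.crt to scan a real bundle. Names such as scan_bundle, sample_result and REPORT_TIME are the example's own.

```python
"""Report expired entries in a concatenated PEM CA bundle (added example)."""
import base64
import re
import sys
from datetime import datetime, timezone

# One PEM block per certificate; the base64 body is wrapped over several lines.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_bundle(pem_bytes):
    """Return the DER encoding of every certificate in the bundle, in file order."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_RE.findall(pem_bytes)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _parse_time(tag, raw):
    """Decode a Validity time: UTCTime (tag 0x17) or GeneralizedTime (tag 0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(der):
    """Return (notBefore, notAfter) of one DER-encoded certificate."""
    _, cert_start, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)       # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version (absent in v1)
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    vtag, vstart, vend = fields[3]
    if vtag != 0x30:
        raise ValueError("validity field is not a SEQUENCE")
    not_before, not_after = [_parse_time(t, der[a:b]) for t, a, b in _children(der, vstart, vend)]
    return not_before, not_after


def scan_bundle(pem_bytes, now=None):
    """Return (loaded, expired): total certificates and [(index, notAfter), ...] past 'now'."""
    now = now or datetime.now(timezone.utc)
    loaded, expired = 0, []
    for index, der in enumerate(split_bundle(pem_bytes)):
        loaded += 1                         # an expired entry still parses and still counts
        not_after = validity(der)[1]
        if not_after < now:
            expired.append((index, not_after))
    return loaded, expired


# --- constructed sample input (unsigned skeletons, not real certificates) ------------
def _der(tag, body):
    """Encode one DER TLV with short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _skeleton_cert(not_before, not_after):
    """Certificate with a correct DER layout but empty names, placeholder key and signature."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # [0] version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer: empty Name
        _der(0x30, utc(not_before) + utc(not_after)),                      # validity
        _der(0x30, b""),                                                   # subject: empty Name
        _der(0x30, b""),                                                   # subjectPublicKeyInfo placeholder
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))        # + algorithm, signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


_UTC = timezone.utc
SAMPLE_BUNDLE = b"".join([
    _skeleton_cert(datetime(2020, 1, 1, tzinfo=_UTC), datetime(2040, 1, 1, tzinfo=_UTC)),
    # notAfter taken from the Baltimore CyberTrust Root line quoted in the report
    _skeleton_cert(datetime(2000, 5, 12, tzinfo=_UTC), datetime(2025, 5, 12, 23, 59, 0, tzinfo=_UTC)),
    _skeleton_cert(datetime(2015, 6, 1, tzinfo=_UTC), datetime(2035, 6, 1, tzinfo=_UTC)),
])
REPORT_TIME = datetime(2025, 12, 4, 22, 41, tzinfo=_UTC)   # timestamp of the report above


def sample_result():
    """Scan the constructed bundle as of the report's date: (3, [(1, 2025-05-12 23:59:00)])."""
    return scan_bundle(SAMPLE_BUNDLE, now=REPORT_TIME)


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. /etc/ssl/certs/ca-certificates.crt
        with open(sys.argv[1], "rb") as f:
            loaded, expired = scan_bundle(f.read())
    else:
        loaded, expired = sample_result()
    for index, when in expired:
        print(f"certificate #{index}: expired {when:%b %d %H:%M:%S %Y} GMT")
    print(f"loaded {loaded} certificates, {loaded - len(expired)} still valid")
```

Run without arguments it reports the constructed entry #1 as expired on May 12 23:59:00 2025 GMT and "loaded 3 certificates, 2 still valid"; with a bundle path it prints the same summary for that file. The parser deliberately stops at the validity field, so it does not verify signatures or trust settings; it only answers the question raised above, which entries in the bundle are past their notAfter.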