> A certificate about to expire was removed from ca-certificates.
USN-5089-2: ca-certificates update
https://ubuntu.com/security/notices/USN-5089-2
ほむほむ
ubuntu.comUSN-5089-2: ca-certificates update | Ubuntu security notices | UbuntuUbuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481
> "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
> This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
イレギュラーなことをするとぽこぽこ影響が出ちゃうんだねえ
bugs.launchpad.netBug #1944481 “Distrust “DST Root CA X3"" : Bugs : ca-certificates package : Ubuntu[Impact]
* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in...
ルート証明書にクロスサインすると古いAndroidでLet's Encryptのサーバ証明書の検証に成功することがわかったんよね
https://letsencrypt.org/2020/11/06/own-two-feet.html
letsencrypt.orgStanding on Our Own Two Feet [Updated] - Let's EncryptUpdate, December 21 2020
Thanks to community feedback and our wonderful partners at IdenTrust, we will be able to continue to offer service without interruption to people using older Android devices. We flagged the content of this blog post that is no longer accurate. Please visit this post on our community forum for the latest information about chain changes.
When a new Certificate Authority (CA) comes on the scene, it faces a conundrum: In order to be useful to people, it needs its root certificate to be trusted by a wide variety of operating systems (OSes) and browsers.