>>> Installing everything completed on Wed Mar 31 11:45:55 CEST 2021 -------------------------------------------------------------- Scanning /usr/share/certs/blacklisted for certificates... Scanning /usr/share/certs/trusted for certificates... Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_External_Root.pem (/etc/ssl/blacklisted/157753a5.0) Skipping blacklisted certificate /usr/share/certs/trusted/AddTrust_Low-Value_Services_Root.pem (/etc/ssl/blacklisted/861a399d.0) Skipping blacklisted certificate /usr/share/certs/trusted/EE_Certification_Centre_Root_CA.pem (/etc/ssl/blacklisted/128805a3.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Global_CA.pem (/etc/ssl/blacklisted/2c543cd1.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority.pem (/etc/ssl/blacklisted/480720ec.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (/etc/ssl/blacklisted/e2799e36.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA.pem (/etc/ssl/blacklisted/ad088e1d.0) Skipping blacklisted certificate /usr/share/certs/trusted/GeoTrust_Universal_CA_2.pem (/etc/ssl/blacklisted/8867006a.0) Skipping blacklisted certificate /usr/share/certs/trusted/LuxTrust_Global_Root_2.pem (/etc/ssl/blacklisted/def36a68.0) Skipping blacklisted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (/etc/ssl/blacklisted/5c44d531.0) Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/62744ee1.0) Skipping blacklisted certificate /usr/share/certs/trusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/4d4ba017.0) Skipping blacklisted certificate /usr/share/certs/trusted/Taiwan_GRCA.pem (/etc/ssl/blacklisted/6410666e.0) Skipping blacklisted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem (/etc/ssl/blacklisted/7d0b38bd.0) Skipping blacklisted certificate /usr/share/certs/trusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (/etc/ssl/blacklisted/b204d74a.0) Skipping blacklisted certificate /usr/share/certs/trusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (/etc/ssl/blacklisted/c0ff1f52.0) Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA.pem (/etc/ssl/blacklisted/2e4eed3c.0) Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G2.pem (/etc/ssl/blacklisted/c089bbbd.0) Skipping blacklisted certificate /usr/share/certs/trusted/thawte_Primary_Root_CA_-_G3.pem (/etc/ssl/blacklisted/ba89ed3b.0) Scanning /usr/local/share/certs for certificates... root@joneumbox:/usr/src # uname -a FreeBSD joneumbox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-51cc31088: Tue Mar 30 16:52:21 CEST 2021 root@joneumbox.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG amd64 cmt give this news about this error on the ML: https://lists.freebsd.org/pipermail/freebsd-current/2021-March/079317.html Various reasons: - Symantec (which owned Thawte and VeriSign back in the time) made the news in a bad way: https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/ - some certificates are simply expired - some certificates use SHA-1 ("sha1WithRSAEncryption") which is beyond deprecated - and basically "whatever Mozilla did", as the certificates are imported from NSS. How can we proceed here to solve the problem? Can the certificates simply be deleted from /usr/share/certs/trusted/*?
> How can we proceed here to solve the problem? Can the certificates simply be deleted from /usr/share/certs/trusted/*? What's the actual problem you're encountering? They cannot simple be deleted, no.
(In reply to Kyle Evans from comment #1) Yes, and how to deal with the problem when I can not delete these blacklist certificates? I think other people may have the same problem.
(In reply to Jochen Neumeister from comment #2) I'm still not sure what problem we're even trying to address here. Blacklisting is part of the natural process, they'll age out of there eventually.
MARKED AS SPAM