Since yesterday, the "DST Root CA X3" (44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) cert has expired, and although that's in theory not a big deal and normal, it seems to cause problems for different applications. E.g. unbound fails to verify certs of DoT servers that use LE certificates. Removing that cert from the bundle fixes the issue. I think in unbound's case it is misled into following the wrong chain, so removing this cert results in a working verification using the certs it actually is supposed to look at... dunno, sorry for not having analyzed this further.
This is not the ca_root_nss pkg's fault from what I understand, but rather bugs in different applications, so sorry for opening this PR about ca_root_nss - however, it's safe to remove the outdated cert, and it'll implicitly fix other stacks. Other vendors seem to have followed the same approach, e.g. Apple.
Note: there was also a release for v3.71 yesterday; maybe upstream removed this themselves.
Is there any way to manually remove it?
Yes, I personally just deleted the cert 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b from /etc/ssl/cert.pem manually, and my unbound works again.
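The manual deletion above is easy to get wrong in a bundle with well over a hundred certificates. The following script is an added example (not code from this PR or from the ca_root_nss port) that removes exactly one certificate from a PEM bundle by fingerprint, using only the Python standard library. The fingerprint given in this thread is 16 bytes long, i.e. an MD5 fingerprint, which is the form the ca_root_nss bundle headers print; the script picks the digest from the fingerprint length, so SHA-1 and SHA-256 fingerprints work too. The sample "certificates" in `demo()` are constructed byte strings, not real certificates; only the fingerprint matching is exercised.

```python
"""Remove one certificate from a PEM bundle by fingerprint (stdlib only).

Added example for this thread; assumes the bundle is plain PEM with
optional comment text between the BEGIN/END CERTIFICATE blocks, as in
/etc/ssl/cert.pem on FreeBSD.
"""
import base64
import hashlib
import re
import sys

# Lazy match so each BEGIN/END pair is handled separately; the optional
# trailing newline is consumed so a removed block leaves no blank line.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----\n?",
    re.DOTALL,
)

# Digest chosen from the fingerprint length in bytes (MD5/SHA-1/SHA-256).
DIGEST_BY_LEN = {16: "md5", 20: "sha1", 32: "sha256"}


def normalize_fingerprint(fp: str) -> str:
    """'44:AF:B0:...' or '44afb0...' -> lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated uppercase fingerprint of DER bytes, as openssl prints it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_block(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def remove_cert(bundle: str, fp: str) -> tuple[str, int]:
    """Return (new_bundle, number_of_blocks_removed) for the given fingerprint."""
    want = normalize_fingerprint(fp)
    algo = DIGEST_BY_LEN.get(len(want) // 2)
    if algo is None or len(want) % 2:
        raise ValueError("fingerprint must be 16, 20 or 32 bytes of hex")
    removed = 0

    def repl(match: re.Match) -> str:
        nonlocal removed
        der = base64.b64decode("".join(match.group(1).split()))
        if hashlib.new(algo, der).hexdigest() == want:
            removed += 1
            return ""
        return match.group(0)  # keep every other block byte-for-byte

    return PEM_RE.sub(repl, bundle), removed


def demo() -> tuple[str, int]:
    """Constructed two-entry bundle; removes the first entry by MD5 fingerprint."""
    # Constructed placeholder DER, not real certificates.
    expired = pem_block(b"constructed: expired root")
    current = pem_block(b"constructed: still valid root")
    bundle = "## comment header, as in cert.pem\n" + expired + current
    return remove_cert(bundle, fingerprint(b"constructed: expired root", "md5"))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} BUNDLE.pem FINGERPRINT")
    with open(sys.argv[1], encoding="ascii") as f:
        text = f.read()
    out, n = remove_cert(text, sys.argv[2])
    sys.stdout.write(out)
    print(f"removed {n} certificate(s)", file=sys.stderr)
```

Write the output to a new file and compare it against the original before swapping it in; only the matching BEGIN/END block is dropped, so the human-readable comment header that precedes each entry in the ca_root_nss bundle stays behind (harmless to parsers, but untidy). Note that on FreeBSD /etc/ssl/cert.pem is typically a symlink to the bundle installed by ca_root_nss, so a manual edit is undone by the next package update.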
Just for reference, as this is a much clearer description of the problem:
Can this be done with some urgency? The cgit.freebsd.org repo uses a Let's Encrypt certificate, and fetching from it doesn't work with the DST root trusted.