The DST_Root_CA_X3.pem certificate expired on 01-Oct-2021, and Let's Encrypt certificates use it. The ISRG root is used by newer LE certs. I had to move this cert manually to use some sites.
I just got burned by this again on a stable/13 box. Can I get <someone> to look at it? The fix is easy: `git mv secure/caroot/trusted/DST_Root_CA_X3.pem secure/caroot/blacklisted/DST_Root_CA_X3.pem`
(In reply to Larry Rosenman from comment #1) We follow Mozilla's lead here, and it hasn't yet been removed from the NSS bundle. What practical problem is it causing for you?
```
[I] ➜ fetch https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar: Authentication error

ler in ~ at thebighonker
[I] ➜
```
Places with LE certs are untrusted.
(In reply to Larry Rosenman from comment #3) Odd, there's something more to debug here, I guess:
```
kevans@shiva:~$ ktrace -di fetch "https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar"
fetch: https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar: size of remote file is not known
tika-app-2.1.0.jar                                      27 kB 1471 kBps    01s
kevans@shiva:~$ kdump | grep -A1 '/etc/ssl'
  2874 fetch    NAMI  "/etc/ssl/openssl.cnf"
  2874 fetch    RET   open 4
--
  2874 fetch    NAMI  "/usr/local/etc/ssl/cert.pem"
  2874 fetch    RET   access -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/cert.pem"
  2874 fetch    RET   access -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/cert.pem"
  2874 fetch    RET   open -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/certs/8d33f237.0"
  2874 fetch    RET   fstatat -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/certs/4042bcee.0"
  2874 fetch    STRU  struct stat {dev=4336182346477775264, ino=1218925, mode=0100444, nlink=1, uid=0, gid=0, rdev=18446744073709551615, atime=0, mtime=1630852310, ctime=1631586266.567435000, birthtime=1630852310, size=7461, blksize=7680, blocks=17, flags=0x800 }
--
  2874 fetch    NAMI  "/etc/ssl/certs/4042bcee.0"
  2874 fetch    RET   open 4
--
  2874 fetch    NAMI  "/etc/ssl/certs/4042bcee.1"
  2874 fetch    RET   fstatat -1 errno 2 No such file or directory
kevans@shiva:~$ ls -l /etc/ssl/certs | grep -i DST
lrwxr-xr-x  1 root  wheel  51 Oct 26 18:57 2e5ac55d.0 -> ../../../usr/share/certs/trusted/DST_Root_CA_X3.pem
kevans@shiva:~$ ls -l /etc/ssl/certs/4042bcee.0
lrwxr-xr-x  1 root  wheel  49 Oct 26 18:57 /etc/ssl/certs/4042bcee.0 -> ../../../usr/share/certs/trusted/ISRG_Root_X1.pem
```
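An added example, not part of the thread or of the FreeBSD tree: a shell function that walks a trust directory such as `/usr/share/certs/trusted` or `/etc/ssl/certs` and reports every certificate that is already expired, together with the subject hash OpenSSL uses for the `<hash>.0` lookups visible in the kdump trace above. The function name `list_expiring_certs` and the optional look-ahead window are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report expired (or soon-to-expire) certificates in a trust
# directory. Function name and output layout are hypothetical, not FreeBSD's.
#
# Usage: sh check_roots.sh /usr/share/certs/trusted [window_seconds]
#   window_seconds = 0 (default) reports certificates that are expired now;
#   a larger value also reports those expiring within that many seconds.

list_expiring_certs() {
    dir=$1
    window=${2:-0}
    # Cover both plain PEM files and the hashed symlinks (<hash>.0).
    for f in "$dir"/*.pem "$dir"/*.0; do
        # Skip unmatched globs and dangling symlinks.
        [ -f "$f" ] || continue
        # Skip files that do not parse as an X.509 certificate at all, so a
        # parse failure is never mistaken for an expiry.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when notAfter falls inside the window.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            hash=$(openssl x509 -in "$f" -noout -subject_hash)
            end=$(openssl x509 -in "$f" -noout -enddate)
            subject=$(openssl x509 -in "$f" -noout -subject)
            # One tab-separated line per finding: file, lookup hash, expiry, subject.
            printf '%s\t%s.0\t%s\t%s\n' "$f" "$hash" "$end" "$subject"
        fi
    done
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    list_expiring_certs "$@"
fi
```

The hash column can be compared against the symlink names in `/etc/ssl/certs` to see which lookup an expired root would satisfy.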