Bug 258944 - DST_Root_CA_X3.pem expired, should be moved to /usr/src/secure/caroot/untrusted
Summary: DST_Root_CA_X3.pem expired, should be moved to /usr/src/secure/caroot/untrusted
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Security Team
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-05 11:33 UTC by Larry Rosenman
Modified: 2021-11-24 19:01 UTC

See Also:


Description Larry Rosenman freebsd_committer freebsd_triage 2021-10-05 11:33:40 UTC
The DST_Root_CA_X3.pem certificate expired on 01-Oct-2021, and Let's Encrypt certificates use it.

The ISRG root is used by newer LE certs. 

I had to move this cert manually to use some sites.
Comment 1 Larry Rosenman freebsd_committer freebsd_triage 2021-11-24 18:25:35 UTC
I just got burned by this again on a stable/13 box.  Can I get <someone> to look at it?

The fix is easy:

```
git mv secure/caroot/trusted/DST_Root_CA_X3.pem secure/caroot/blacklisted/DST_Root_CA_X3.pem
```
Comment 2 Kyle Evans freebsd_committer freebsd_triage 2021-11-24 18:42:39 UTC
(In reply to Larry Rosenman from comment #1)

We follow Mozilla's lead here, and it hasn't yet been removed from the NSS bundle. What practical problem is it causing for you?
Comment 3 Larry Rosenman freebsd_committer freebsd_triage 2021-11-24 18:46:27 UTC
```
[I] ➜ fetch https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar: Authentication error

ler in ~ at thebighonker
[I] ➜
```

Places with LE certs are untrusted.
Comment 4 Kyle Evans freebsd_committer freebsd_triage 2021-11-24 19:01:38 UTC
(In reply to Larry Rosenman from comment #3)

Odd, there's something more to debug here, I guess:

```
kevans@shiva:~$ ktrace -di fetch "https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar"
fetch: https://www.apache.org/dyn/closer.lua/tika/2.1.0/tika-app-2.1.0.jar: size of remote file is not known
tika-app-2.1.0.jar                                      27 kB 1471 kBps    01s

kevans@shiva:~$ kdump | grep -A1 '/etc/ssl'
  2874 fetch    NAMI  "/etc/ssl/openssl.cnf"
  2874 fetch    RET   open 4
--
  2874 fetch    NAMI  "/usr/local/etc/ssl/cert.pem"
  2874 fetch    RET   access -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/cert.pem"
  2874 fetch    RET   access -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/cert.pem"
  2874 fetch    RET   open -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/certs/8d33f237.0"
  2874 fetch    RET   fstatat -1 errno 2 No such file or directory
--
  2874 fetch    NAMI  "/etc/ssl/certs/4042bcee.0"
  2874 fetch    STRU  struct stat {dev=4336182346477775264, ino=1218925, mode=0100444, nlink=1, uid=0, gid=0, rdev=18446744073709551615, atime=0, mtime=1630852310, ctime=1631586266.567435000, birthtime=1630852310, size=7461, blksize=7680, blocks=17, flags=0x800 }
--
  2874 fetch    NAMI  "/etc/ssl/certs/4042bcee.0"
  2874 fetch    RET   open 4
--
  2874 fetch    NAMI  "/etc/ssl/certs/4042bcee.1"
  2874 fetch    RET   fstatat -1 errno 2 No such file or directory

kevans@shiva:~$ ls -l /etc/ssl/certs | grep -i DST
lrwxr-xr-x  1 root  wheel  51 Oct 26 18:57 2e5ac55d.0 -> ../../../usr/share/certs/trusted/DST_Root_CA_X3.pem

kevans@shiva:~$ ls -l /etc/ssl/certs/4042bcee.0
lrwxr-xr-x  1 root  wheel  49 Oct 26 18:57 /etc/ssl/certs/4042bcee.0 -> ../../../usr/share/certs/trusted/ISRG_Root_X1.pem

```
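The thread turns on an expired root (DST Root CA X3) still sitting in the trusted-roots directory that `/etc/ssl/certs` symlinks into. The following is an added example, not code from this bug or from FreeBSD: a stdlib-only Python checker that parses just the Validity field of each PEM in a directory and reports the files whose notAfter has passed, so an operator can audit a trust store before a client starts failing the way comment 3 shows. The directory path, the two sample certificates (unsigned, with constructed dates) and the reference date are assumptions made for the example; the parser itself follows the X.509 layout from RFC 5280.

```python
"""Report expired roots in a PEM trust-store directory (added example, stdlib only)."""
import base64
import os
import re
from datetime import datetime, timezone

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    text = val.decode("ascii")
    if tag == 0x17:                          # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, else 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _tlv(cert, 0)                # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, ... }
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                 # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    validity = fields[3][1]                  # serialNumber, signature, issuer, validity
    (t1, nb), (t2, na) = _children(validity)
    return _parse_time(t1, nb), _parse_time(t2, na)


def expired_certs(store, now):
    """store: {filename: PEM bytes}. Return [(filename, notAfter ISO string)] for expired certs."""
    hits = []
    for name, blob in sorted(store.items()):
        for match in _PEM_RE.finditer(blob):
            der = base64.b64decode(match.group(1))   # b64decode drops the PEM line breaks
            _, not_after = cert_validity(der)
            if not_after <= now:
                hits.append((name, not_after.isoformat()))
    return hits


def scan_trust_dir(path, now=None):
    """Run expired_certs() over every *.pem in a directory (e.g. a trusted-roots dir)."""
    now = now or datetime.now(timezone.utc)
    store = {}
    for fn in sorted(os.listdir(path)):
        if fn.endswith(".pem"):
            with open(os.path.join(path, fn), "rb") as fh:
                store[fn] = fh.read()
    return expired_certs(store, now)


# --- constructed test data: structurally valid but unsigned certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_unsigned_cert(not_before, not_after):
    """Minimal DER Certificate carrying the given UTCTime validity (no key, no real signature)."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # version v3
        _der(0x02, b"\x01"),                                               # serialNumber 1
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        _der(0x30, b""),                                                   # issuer: empty Name
        _der(0x30, utc(not_before) + utc(not_after)),                      # validity
        _der(0x30, b""),                                                   # subject: empty Name
        _der(0x30, b""),                                                   # subjectPublicKeyInfo stub
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def demo():
    """Two constructed roots checked against 2021-11-24, the date of the thread's last comment."""
    now = datetime(2021, 11, 24, tzinfo=timezone.utc)
    store = {   # constructed stand-ins: one root expired 01-Oct-2021, one valid until 2035
        "expired-root-example.pem": to_pem(make_unsigned_cert(
            datetime(2000, 9, 30, tzinfo=timezone.utc), datetime(2021, 10, 1, tzinfo=timezone.utc))),
        "current-root-example.pem": to_pem(make_unsigned_cert(
            datetime(2015, 6, 4, tzinfo=timezone.utc), datetime(2035, 6, 4, tzinfo=timezone.utc))),
    }
    return expired_certs(store, now)


if __name__ == "__main__":
    for name, when in demo():
        print(f"{name}: expired {when}")
```

Point `scan_trust_dir()` at a real directory (for instance the trusted-roots directory the symlinks in comment 4 resolve into) to get the same `(filename, notAfter)` list for the installed bundle. Note the limit of what this tells you: comment 4 shows `fetch` succeeding on a box that still has the expired DST file linked in `/etc/ssl/certs`, so an expired root being present explains a verification failure only together with how the client's TLS library builds its chain; the scan reports the stale file, which is the part an operator can act on.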