Axel Beckert wrote:
> So why was the CA then removed already if debconf.org still uses this
> CA? https://www.debconf.org/ is now reported as broken.

Hi,

If you examine the certificate served by www.debconf.org:443, it has a
common name of wiki.debconf.org, with SANs for wiki.debconf.org and
www.wiki.debconf.org. It will report as broken regardless of which CAs
are in the ca-certificates package, because the server does not appear
to be configured to correctly serve its www.debconf.org virtual host via
HTTPS. Also note that the certificate is issued by "Gandi Standard SSL
CA 2", not SPI, Inc.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
            Validity
                Not Before: Jan  1 00:00:00 2016 GMT
                Not After : Jan  1 23:59:59 2017 GMT
            Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA
                X509v3 Subject Key Identifier:
                    92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.6449.1.2.2.26
                      CPS: https://cps.usertrust.com
                    Policy: 2.23.140.1.2.1
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl
                Authority Information Access:
                    CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
                    OCSP - URI:http://ocsp.usertrust.com
                X509v3 Subject Alternative Name:
                    DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
        Signature Algorithm: sha256WithRSAEncryption

> And no, it's not only debconf.org: https://mentors.debian.net/ is
> broken now, too. :-(

That certificate expires in ~4 months and will need to be replaced soon,
too.

-- 
Robert Edmonds
edmo...@debian.org
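
Added example (not part of the message above, and not code from Debian or ca-certificates): a small Python check that reads the name fields from `openssl x509 -text` output and reports hostname mismatch separately from issuer trust, so the two causes are not confused. The function names are hypothetical, and comparing the issuer CN against a set of names is a simplifying assumption standing in for real chain building against the trust store.

```python
import re

# Fields copied from the certificate dump in the message (other fields omitted).
CERT_TEXT = """\
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
        Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
            X509v3 Subject Alternative Name:
                DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
"""

def parse_cert_text(text):
    """Extract issuer CN, subject CN and DNS SANs from `openssl x509 -text` output."""
    def cn(field):
        # Accepts both "CN=x" and the newer "CN = x" spacing.
        m = re.search(rf"^\s*{field}:.*?CN\s*=\s*([^,\n]+)", text, re.M)
        return m.group(1).strip() if m else None
    return {
        "issuer_cn": cn("Issuer"),
        "subject_cn": cn("Subject"),
        "sans": re.findall(r"DNS:([^,\s]+)", text),
    }

def name_matches(hostname, pattern):
    """RFC 6125-style match: case-insensitive, '*' only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*" and len(pat) > 2:
        return host[1:] == pat[1:]
    return host == pat

def diagnose(hostname, cert, trusted_issuers):
    """Return every independent reason a client would reject the certificate."""
    problems = []
    # When SANs are present, clients ignore the subject CN for name matching.
    names = cert["sans"] or [cert["subject_cn"]]
    if not any(name_matches(hostname, n) for n in names):
        problems.append("hostname-mismatch")
    # Assumption: issuer CN lookup stands in for full chain validation.
    if cert["issuer_cn"] not in trusted_issuers:
        problems.append("untrusted-issuer")
    return problems

if __name__ == "__main__":
    cert = parse_cert_text(CERT_TEXT)
    for store in ({"Gandi Standard SSL CA 2"}, set()):
        print(sorted(store), diagnose("www.debconf.org", cert, store))
```

With the issuer trusted, www.debconf.org still fails on the name check alone, which is the point made in the message.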