On Sat, January 16, 2016 22:15, Robert Edmonds wrote:
> Axel Beckert wrote:
>> So why was the CA then removed already if debconf.org still uses this
>> CA? https://www.debconf.org/ is now reported as broken.
>
> Hi,
>
> If you examine the certificate served by www.debconf.org:443, it has a
> common name of wiki.debconf.org, with SANs for wiki.debconf.org and
> www.wiki.debconf.org.  It will report as broken regardless of which CAs
> are in the ca-certificates package, because the server does not appear
> to be configured to correctly serve its www.debconf.org virtual host via
> HTTPS.
>
> Also note that the certificate is issued by "Gandi Standard SSL CA 2",
> not SPI, Inc.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             71:12:ca:53:8d:33:d4:41:c7:c6:63:f5:04:ed:22:84
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
>         Validity
>             Not Before: Jan  1 00:00:00 2016 GMT
>             Not After : Jan  1 23:59:59 2017 GMT
>         Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 Modulus:
>                     00:c0:84:16:fc:c8:8b:78:aa:b9:ac:db:b4:23:fc:
>                     2a:db:d9:6b:76:1d:de:92:8c:4c:d7:86:5f:15:d4:
>                     15:90:64:7d:a9:05:cd:4c:49:63:63:00:e3:a6:63:
>                     bb:04:29:fb:67:ee:d7:25:17:4f:e1:87:23:fa:a1:
>                     ea:38:aa:9d:dc:d6:a0:f7:ab:5f:44:43:1f:03:80:
>                     d9:d3:39:e0:42:5a:48:91:b3:da:b3:b1:1e:fa:86:
>                     0b:5d:b7:34:fe:f1:22:e7:96:58:2e:c3:86:09:e1:
>                     5b:82:54:a0:e7:db:ba:fa:0c:6c:f6:42:4d:54:54:
>                     2a:4a:48:87:35:f9:71:e8:67:a9:8e:ba:23:74:32:
>                     12:dc:ff:15:9b:c3:98:bd:d1:0c:ba:3f:2d:de:50:
>                     71:27:ef:a1:88:96:f2:d5:15:d8:ff:14:c2:c4:b8:
>                     83:32:81:a8:91:67:97:19:c1:c2:c1:e2:0c:1b:4b:
>                     4f:f2:19:fb:19:4a:07:ee:29:36:13:dd:0c:a2:76:
>                     48:79:d7:a0:03:51:d4:7f:31:a5:5d:00:dc:4f:cc:
>                     3b:f9:00:84:d6:2b:63:d7:86:e7:e3:aa:7a:f9:6f:
>                     75:2b:87:0d:c9:82:3e:85:03:d6:a0:7a:2e:cf:b2:
>                     85:9a:72:38:51:92:f6:a7:d9:d1:19:97:e3:3e:99:
>                     c5:b6:ae:c9:55:77:34:34:ae:a5:66:3a:5d:13:57:
>                     25:da:44:29:43:dd:33:ca:05:53:c0:3f:84:e3:64:
>                     12:d2:b0:68:d9:05:55:8e:14:e6:99:6d:bd:73:e4:
>                     e9:f9:3c:26:5b:f1:1c:fa:a2:28:dc:ea:24:af:71:
>                     33:66:10:14:a9:3a:c1:a1:ca:66:f2:bd:31:08:60:
>                     2c:b4:f9:d6:a9:6c:3b:7c:c4:bd:99:42:b4:7f:f5:
>                     0e:14:ea:13:80:c2:bd:ea:4f:c2:ff:ff:ae:67:2c:
>                     8e:5a:40:87:85:97:b8:c1:25:f5:5d:e2:1f:cf:bb:
>                     f1:18:89:0a:08:2c:da:b1:d8:1d:4d:c2:7b:4b:67:
>                     eb:af:e8:38:7c:74:41:8b:7f:08:cb:1a:24:d1:0e:
>                     c4:2f:5c:cd:ff:6a:96:c3:34:b2:f8:bb:4e:50:66:
>                     82:84:02:4b:b9:81:4b:a8:1c:d6:90:35:56:26:a1:
>                     8f:b9:8b:68:a0:78:f5:f7:75:e9:cb:de:8a:b1:1d:
>                     c6:e3:df:7b:08:bc:39:76:cf:ed:6b:29:9b:2c:f5:
>                     06:3f:d5:9d:32:c6:cd:9a:42:1f:66:ee:3c:4e:21:
>                     b3:30:7c:74:d0:ed:80:6c:d2:a9:01:1c:91:b1:b0:
>                     ac:4d:99:09:4c:ac:dd:7b:d6:21:95:37:d5:6e:4a:
>                     ef:0b:6f
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA
>
>             X509v3 Subject Key Identifier:
>                 92:53:21:4C:FE:33:67:8A:BB:CA:17:19:49:EF:30:FD:15:F9:EE:56
>             X509v3 Key Usage: critical
>                 Digital Signature, Key Encipherment
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Certificate Policies:
>                 Policy: 1.3.6.1.4.1.6449.1.2.2.26
>                   CPS: https://cps.usertrust.com
>                 Policy: 2.23.140.1.2.1
>
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl
>
>             Authority Information Access:
>                 CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
>                 OCSP - URI:http://ocsp.usertrust.com
>
>             X509v3 Subject Alternative Name:
>                 DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
>     Signature Algorithm: sha256WithRSAEncryption
>          4f:79:e2:3a:5a:51:57:a9:21:33:2f:36:3b:9e:91:4c:65:d4:
>          7d:63:61:e3:39:37:ae:d2:9c:db:fe:0b:5f:f7:08:7f:4e:36:
>          a1:7c:d0:6b:d6:c4:f4:10:2c:d5:b1:1c:ac:54:26:32:80:92:
>          f1:49:be:e0:c3:12:13:0a:3f:95:fb:bd:16:65:53:6c:08:8e:
>          02:a9:03:f1:aa:95:43:9f:d7:18:61:3d:4a:aa:1d:06:9e:bd:
>          68:a4:33:a3:38:47:75:df:7e:ec:55:7e:9f:72:4b:9a:6f:26:
>          29:c1:c1:84:4d:2b:a4:8d:1d:fe:d5:56:ec:07:34:13:5b:12:
>          0c:70:ae:3c:9d:27:21:9c:62:d7:e6:b3:de:c9:24:91:17:05:
>          f8:cc:ca:a0:2a:8d:13:b1:8f:22:b4:09:a7:94:a6:d6:f2:fc:
>          f1:a4:aa:b9:30:31:9c:40:eb:31:28:fe:18:fb:ab:af:d6:74:
>          c9:29:38:df:55:98:40:bf:42:56:f9:94:d0:5f:a4:40:2e:15:
>          73:d2:85:96:bb:52:fe:82:bc:45:89:ad:d3:d4:4f:91:e0:b0:
>          94:11:de:78:95:3d:c6:67:15:1f:ea:b2:97:9c:57:f3:66:55:
>          2b:36:1e:f8:d1:80:d2:13:0e:22:a8:28:3d:9f:d3:d6:0f:df:
>          95:8e:ef:72
>
>> And no, it's not only debconf.org: https://mentors.debian.net/ is
>> broken now, too. :-(
>
> That certificate expires in ~4 months and will need to be replaced soon,
> too.

Thanks Robert for the explanation.

This decision has not been made by just the package maintainers in
isolation. DSA has made it explicit that they've migrated away from the
SPI CA. Any remaining use is just indicative of a certificate that is in
need of replacement.

Cheers,
Thijs
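The two checks Robert performs above by eye (does the served certificate's SAN list cover the host the browser asked for, and how long is left before notAfter) can be scripted. The following is an added example, not code from the thread or from any Debian or DSA tooling; it reads the relevant fields of an `openssl x509 -text` dump, applies RFC 6125 style name matching (case-insensitive, wildcard only as the entire leftmost label, CN ignored once SAN dNSName entries are present), and reports days to expiry against a reference date. The sample text is constructed from the subject, SAN and validity lines quoted in the thread, with the mailer's line wrapping undone; the function names are the example's own.

```python
"""Check whether a TLS certificate (as dumped by `openssl x509 -text`) covers
the hostname a client connected to, and how long it has left before expiry.

Added example for illustration only; not part of the thread or of any Debian
tooling.  SAMPLE_CERT_TEXT is constructed from the fields quoted in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample: only the lines this checker reads, with the mailer's
# line wrapping undone.  Values are copied from the certificate in the thread.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2016 GMT
            Not After : Jan  1 23:59:59 2017 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=wiki.debconf.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:wiki.debconf.org, DNS:www.wiki.debconf.org
"""

_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_cert_text(text):
    """Pull the subject CN, the SAN dNSName entries and notAfter out of an
    `openssl x509 -text` dump.  Returns a dict; 'sans' is [] when absent."""
    cn_match = re.search(r"^\s*Subject:.*?\bCN=([^,\n]+)", text, re.M)
    cn = cn_match.group(1).strip() if cn_match else None

    san_match = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    sans = re.findall(r"DNS:([^,\s]+)", san_match.group(1)) if san_match else []

    na_match = re.search(r"Not After\s*:\s*(.+)", text)
    not_after = None
    if na_match:
        not_after = datetime.strptime(na_match.group(1).strip(), _OPENSSL_TIME)
        not_after = not_after.replace(tzinfo=timezone.utc)

    return {"cn": cn, "sans": sans, "not_after": not_after}


def hostname_matches(hostname, pattern):
    """Compare one presented identifier against a hostname, RFC 6125 style:
    case-insensitive; a wildcard is honoured only as the whole leftmost label
    and matches exactly one label, so *.example.org covers a.example.org but
    neither example.org nor b.a.example.org."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return host == pat
    if pat[0] != "*" or len(pat) < 3 or any("*" in label for label in pat[1:]):
        return False
    return len(host) == len(pat) and host[1:] == pat[1:]


def presented_names(cert):
    """Names a client is allowed to match.  When SAN dNSName entries exist the
    CN is ignored (RFC 6125 section 6.4.4); the CN is only a legacy fallback."""
    if cert["sans"]:
        return list(cert["sans"])
    return [cert["cn"]] if cert["cn"] else []


def check_host(cert, hostname):
    """Return (ok, reason) for connecting to `hostname` with this certificate."""
    names = presented_names(cert)
    for name in names:
        if hostname_matches(hostname, name):
            return True, "%s matches %s" % (hostname, name)
    return False, "%s is not covered; certificate is valid for %s" % (
        hostname, ", ".join(names) or "no DNS names")


def days_until_expiry(cert, now):
    """Whole days from `now` (timezone-aware) to notAfter; negative once expired."""
    return (cert["not_after"] - now).days


if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE_CERT_TEXT)
    when = datetime(2016, 1, 16, 22, 15, tzinfo=timezone.utc)  # date of the thread
    for host in ("www.debconf.org", "wiki.debconf.org"):
        ok, why = check_host(cert, host)
        print("%-20s %s  (%s)" % (host, "OK" if ok else "MISMATCH", why))
    print("days until expiry:", days_until_expiry(cert, when))
```

Run against the quoted certificate it reports www.debconf.org as a mismatch and wiki.debconf.org as covered, which is exactly why the site shows as broken whatever CA bundle the client carries; swapping the SAN for a CN-only certificate in the sample shows the fallback path that current browsers no longer take.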
