Bug#1021749: ca-certificates: expired certificates: Cybertrust_Global_Root.crt GlobalSign_Root_CA_-_R2.crt

Thu, 13 Oct 2022 18:06:17 -0700 

Package: ca-certificates
Version: 20211016
Severity: normal
File: /usr/share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
File: /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt

I noticed that there are two expired certificates in ca-certificates,
presumably Mozilla would have removed them and so an update is needed.

   $ cat test
   now=$(date -u)
   date -d "$now"
   now="$(date -d "$now" +%s)"
   for f in /usr/share/ca-certificates/mozilla/* ; do
    date="$(openssl x509 -enddate -noout -in "$f" | cut -d= -f2)"
    d="$(date -d "$date" +%s)"
    if [ $((d<=now)) -eq 1 ] ; then
     echo Expired: $f $date $d $now
    fi
   done
   
   $ sh test
   Fri 14 Oct 2022 08:53:43 AWST
   Expired: /usr/share/ca-certificates/mozilla/Cybertrust_Global_Root.crt Dec 
15 08:00:00 2021 GMT 1639555200 1665708823
   Expired: /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt Dec 
15 08:00:00 2021 GMT 1639555200 1665708823

This results in some programs such as GnuPG dirmngr printing errors.

   $ journalctl --no-hostname --user -ru dirmngr | head | grep error
   Oct 14 08:59:38 dirmngr[986199]: error loading certificate 
'/etc/ssl/certs/ca-certificates.crt': Certificate expired
   Oct 14 08:59:38 dirmngr[986199]: error loading certificate 
'/etc/ssl/certs/ca-certificates.crt': Certificate expired

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  openssl                3.0.5-2

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information:
  ca-certificates/title:
* ca-certificates/trust_new_crts: yes
* ca-certificates/enable_crts: mozilla/ACCVRAIZ1.crt, 
mozilla/AC_RAIZ_FNMT-RCM.crt, mozilla/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.crt, 
mozilla/Actalis_Authentication_Root_CA.crt, mozilla/AffirmTrust_Commercial.crt, 
mozilla/AffirmTrust_Networking.crt, mozilla/AffirmTrust_Premium.crt, 
mozilla/AffirmTrust_Premium_ECC.crt, mozilla/Amazon_Root_CA_1.crt, 
mozilla/Amazon_Root_CA_2.crt, mozilla/Amazon_Root_CA_3.crt, 
mozilla/Amazon_Root_CA_4.crt, mozilla/ANF_Secure_Server_Root_CA.crt, 
mozilla/Atos_TrustedRoot_2011.crt, 
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt, 
mozilla/Baltimore_CyberTrust_Root.crt, mozilla/Buypass_Class_2_Root_CA.crt, 
mozilla/Buypass_Class_3_Root_CA.crt, mozilla/CA_Disig_Root_R2.crt, 
mozilla/Certigna.crt, mozilla/Certigna_Root_CA.crt, 
mozilla/certSIGN_ROOT_CA.crt, mozilla/certSIGN_Root_CA_G2.crt, 
mozilla/Certum_EC-384_CA.crt, mozilla/Certum_Trusted_Network_CA_2.crt, 
mozilla/Certum_Trusted_Network_CA.crt, mozilla/Certum_Trusted_Root_CA.crt, 
mozilla/CFCA_EV_ROOT.crt, mozilla/Comodo_AAA_Services_root.crt, 
mozilla/COMODO_Certification_Authority.crt, 
mozilla/COMODO_ECC_Certification_Authority.crt, 
mozilla/COMODO_RSA_Certification_Authority.crt, 
mozilla/Cybertrust_Global_Root.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, 
mozilla/DigiCert_Assured_ID_Root_G2.crt, 
mozilla/DigiCert_Assured_ID_Root_G3.crt, mozilla/DigiCert_Global_Root_CA.crt, 
mozilla/DigiCert_Global_Root_G2.crt, mozilla/DigiCert_Global_Root_G3.crt, 
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, 
mozilla/DigiCert_Trusted_Root_G4.crt, 
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt, 
mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt, mozilla/EC-ACC.crt, 
mozilla/emSign_ECC_Root_CA_-_C3.crt, mozilla/emSign_ECC_Root_CA_-_G3.crt, 
mozilla/emSign_Root_CA_-_C1.crt, mozilla/emSign_Root_CA_-_G1.crt, 
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, 
mozilla/Entrust_Root_Certification_Authority.crt, 
mozilla/Entrust_Root_Certification_Authority_-_EC1.crt, 
mozilla/Entrust_Root_Certification_Authority_-_G2.crt, 
mozilla/Entrust_Root_Certification_Authority_-_G4.crt, 
mozilla/ePKI_Root_Certification_Authority.crt, 
mozilla/e-Szigno_Root_CA_2017.crt, mozilla/E-Tugra_Certification_Authority.crt, 
mozilla/GDCA_TrustAUTH_R5_ROOT.crt, mozilla/GlobalSign_ECC_Root_CA_-_R4.crt, 
mozilla/GlobalSign_ECC_Root_CA_-_R5.crt, mozilla/GlobalSign_Root_CA.crt, 
mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/GlobalSign_Root_CA_-_R3.crt, 
mozilla/GlobalSign_Root_CA_-_R6.crt, mozilla/GlobalSign_Root_E46.crt, 
mozilla/GlobalSign_Root_R46.crt, mozilla/GLOBALTRUST_2020.crt, 
mozilla/Go_Daddy_Class_2_CA.crt, 
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt, mozilla/GTS_Root_R1.crt, 
mozilla/GTS_Root_R2.crt, mozilla/GTS_Root_R3.crt, mozilla/GTS_Root_R4.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt, 
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt, 
mozilla/Hongkong_Post_Root_CA_1.crt, mozilla/Hongkong_Post_Root_CA_3.crt, 
mozilla/IdenTrust_Commercial_Root_CA_1.crt, 
mozilla/IdenTrust_Public_Sector_Root_CA_1.crt, mozilla/ISRG_Root_X1.crt, 
mozilla/Izenpe.com.crt, mozilla/Microsec_e-Szigno_Root_CA_2009.crt, 
mozilla/Microsoft_ECC_Root_Certificate_Authority_2017.crt, 
mozilla/Microsoft_RSA_Root_Certificate_Authority_2017.crt, 
mozilla/NAVER_Global_Root_Certification_Authority.crt, 
mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt, 
mozilla/Network_Solutions_Certificate_Authority.crt, 
mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt, 
mozilla/OISTE_WISeKey_Global_Root_GC_CA.crt, mozilla/QuoVadis_Root_CA_1_G3.crt, 
mozilla/QuoVadis_Root_CA_2.crt, mozilla/QuoVadis_Root_CA_2_G3.crt, 
mozilla/QuoVadis_Root_CA_3.crt, mozilla/QuoVadis_Root_CA_3_G3.crt, 
mozilla/Secure_Global_CA.crt, mozilla/SecureSign_RootCA11.crt, 
mozilla/SecureTrust_CA.crt, mozilla/Security_Communication_RootCA2.crt, 
mozilla/Security_Communication_Root_CA.crt, 
mozilla/SSL.com_EV_Root_Certification_Authority_ECC.crt, 
mozilla/SSL.com_EV_Root_Certification_Authority_RSA_R2.crt, 
mozilla/SSL.com_Root_Certification_Authority_ECC.crt, 
mozilla/SSL.com_Root_Certification_Authority_RSA.crt, 
mozilla/Staat_der_Nederlanden_EV_Root_CA.crt, mozilla/Starfield_Class_2_CA.crt, 
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt, 
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt, 
mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, 
mozilla/SZAFIR_ROOT_CA2.crt, mozilla/TeliaSonera_Root_CA_v1.crt, 
mozilla/TrustCor_ECA-1.crt, mozilla/TrustCor_RootCert_CA-1.crt, 
mozilla/TrustCor_RootCert_CA-2.crt, 
mozilla/Trustwave_Global_Certification_Authority.crt, 
mozilla/Trustwave_Global_ECC_P256_Certification_Authority.crt, 
mozilla/Trustwave_Global_ECC_P384_Certification_Authority.crt, 
mozilla/T-TeleSec_GlobalRoot_Class_2.crt, 
mozilla/T-TeleSec_GlobalRoot_Class_3.crt, 
mozilla/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt, 
mozilla/TWCA_Global_Root_CA.crt, mozilla/TWCA_Root_Certification_Authority.crt, 
mozilla/UCA_Extended_Validation_Root.crt, mozilla/UCA_Global_G2_Root.crt, 
mozilla/USERTrust_ECC_Certification_Authority.crt, 
mozilla/USERTrust_RSA_Certification_Authority.crt, 
mozilla/XRamp_Global_CA_Root.crt
  ca-certificates/new_crts:

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to