Hi Sebastian,

On Sat, Jun 14, 2025 at 20:55:43 +0200, Sebastian Andrzej Siewior wrote:

> On 2025-06-12 19:40:45 [+0200], Julien Cristau wrote:
> > > CA vendor Entrust has started selling server certificates with a chain that
> > > ends in
> > > 
> > > mozilla/Sectigo_Public_Server_Authentication_Root_R46.crt
> > > 
> > > This self-signed CA root does not exist in ca-certificates currently present
> > > in Debian 12, but is present in ca-certificates >= 20240203.
> > > 
> > > Picking that file from ca-certificates in trixie/sid, adding it to
> > > /usr/local/share/ca-certificates and running update-ca-certificates
> > > is a viable workaround.
> > > 
> > > TLDR: Please consider adding this specific root CA to ca-certificates in stable.
> > > 
> > I'll prepare a stable update in the next few days.
> 
> I don't object to this change in any way. I just want to point out that if
> connection errors are observed because this certificate is missing then
> the server is not configured properly. Nothing the user can do about it.
> 
Normally I'd be tempted to agree; in practice, though, requiring server
operators to know and choose to do this doesn't scale if the CA doesn't
make it easy, and the problem largely doesn't affect browsers, so adding
the new root in stable's ca-certificates seemed like the more realistic
path to get things working for clients.

Cheers,
Julien
