On 2025-06-16 14:39:42 [+0200], Julien Cristau wrote:
> Hi Sebastian,
Hi Julien,

> On Sat, Jun 14, 2025 at 20:55:43 +0200, Sebastian Andrzej Siewior wrote:
> 
> > I don't object to this change in any way. I just want to point out that if
> > connection errors are observed because this certificate is missing then
> > the server is not configured properly. Nothing the user can do about it.
> > 
> Normally I'd be tempted to agree, in practice though requiring server
> operators to know and choose to do this doesn't scale if the CAs don't
> make it easy, and the problem largely doesn't affect browsers, so adding
> the new root in stable's ca-certificates seemed like the more realistic
> path to get things working for clients.

Sure. I completely agree. My point is simply to educate the server owner
how to fix up their chain should they end up in this bug by pointing to
the root cause and a possible solution. Also Sectigo could ship better
chains for their customers so it does not become a scale issue for them
by testing and studying the chains and so on. I'm not a customer so I
have no idea how Sectigo ships this but since so many people complain
here it does not look small (or it is a single server with a big user
base :)).

While this fixes the issue for the Bookworm users (which is great),
there is still, for instance, older Android (pre 14), where the
certificate store cannot be updated without an OS update shipped by the
vendor.

> Cheers,
> Julien

Sebastian
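The situation the thread describes, modelled offline as an added example (not code from the thread, Debian or Sectigo): a client whose store lacks the new root rejects a chain that ends at that root, and the two ways out are the server shipping a better chain or the client store gaining the root. The "better chain" here is assumed to be a cross-signed copy of the intermediate that chains to an older root; the CA names and throwaway keys are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate for subject key `key` named `cn`, signed by parent/parentKey
// (self-signed when parent is nil). Errors are ignored for brevity; keys are throwaway P-256.
func issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"example.test"}, // constructed hostname
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func genKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// verifies reports whether a client trusting only `roots` accepts `leaf`
// given the extra certificates the server sent alongside it.
func verifies(leaf *x509.Certificate, sent, roots []*x509.Certificate) bool {
	inter, pool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range sent { inter.AddCert(c) }
	for _, c := range roots { pool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: pool, Intermediates: inter})
	return err == nil
}

// RunScenarios: the client store holds only the old root. Returns, in order, whether the
// chain ending at the new root verifies, whether adding a cross-signed intermediate fixes it,
// and whether the original chain verifies once the new root is added to the store.
func RunScenarios() (bool, bool, bool) {
	oldK, newK, icaK, leafK := genKey(), genKey(), genKey(), genKey()
	oldRoot := issue("Old Root", true, oldK, nil, nil)
	newRoot := issue("New Root", true, newK, nil, nil)
	ica := issue("Intermediate", true, icaK, newRoot, newK)      // the chain the CA hands out
	icaCross := issue("Intermediate", true, icaK, oldRoot, oldK) // same key, cross-signed by old root
	leaf := issue("example.test", false, leafK, ica, icaK)
	store := []*x509.Certificate{oldRoot}
	return verifies(leaf, []*x509.Certificate{ica}, store),
		verifies(leaf, []*x509.Certificate{ica, icaCross}, store),
		verifies(leaf, []*x509.Certificate{ica}, append(store, newRoot))
}

func main() {
	a, b, c := RunScenarios()
	fmt.Printf("new-root chain: %v, with cross-sign: %v, after store update: %v\n", a, b, c)
}
```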
