On 2009-12-31 Sam Morris <s...@robots.org.uk> wrote:
> On Thu, 2009-12-31 at 09:22 +0100, Andreas Metzler wrote:
[...]
>> color me stupid, but I cannot find any reference to the certificate in
>> the file /etc/ssl/certs/Go_Daddy_Class_2_CA.pem (C=US,O=The Go Daddy
>> Group\, Inc.,OU=Go Daddy Class 2 Certification Authority valid
>> 2004-2034) in the debugging output. I think you need to use
>> /etc/ssl/certs/ValiCert_Class_2_VA.pem instead.

> *blinks* hm, indeed! However I get the same 'Peer's certificate issuer
> is not a CA' message with that certificate as well.

> I would be grateful if you could try to confirm this yourself -- the
> server is XXXXXXXXXXXXXXXXXXXXXXX. Sorry to be a bother, but I'm rather
> stumped as to why this has ceased to work recently.
[...]

Hello,
Taking this back to the BTS, to keep the other maintainers in the boat.

The toplevel certificate
------------------------
Subject: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,email=i...@valicert.com
SHA-1 fingerprint: 317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6
------------------------
is a V1 CA. GnuTLS does not accept V1 CAs by default. (The version of
GnuTLS in lenny is patched to behave differently.)

Possible workarounds:
* --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT
* Make one of the two intermediary certificates or the server
  certificate itself trusted.

Was this certificate really issued April 2009? Is Godaddy still using
their V1 CA?

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
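
The check behind the diagnosis above, as an added example that is not part of the original message or of GnuTLS: it reads the X.509 version from a certificate's DER encoding, where a V1 certificate is one whose TBSCertificate omits the optional [0] version field. The function names and the two sample byte strings are constructed for illustration; the samples are skeletons holding only the leading fields, not real certificates.

```python
import base64, re, sys

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER-encoded X.509 certificate."""
    pos = 0
    for name in ("Certificate", "TBSCertificate"):
        tag, pos, _ = read_tlv(der, pos)    # step into each enclosing SEQUENCE
        if tag != 0x30:
            raise ValueError(name + " is not a SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)        # first field of TBSCertificate
    if tag != 0xA0:                         # [0] EXPLICIT version absent: DEFAULT v1
        return 1
    tag, start, end = read_tlv(der, pos)    # INTEGER wrapped by [0]
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[start:end], "big") + 1   # encoded 0, 1, 2 = v1, v2, v3

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def tlv(tag, value):  # DER encoder, only used to build the constructed samples
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

SERIAL = tlv(0x02, b"\x01")                                               # constructed
V1_SAMPLE = tlv(0x30, tlv(0x30, SERIAL))                                  # no version field
V3_SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + SERIAL))  # version = 2 (v3)

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. the PEM files of a trust chain
        with open(path) as fh:
            v = x509_version(pem_to_der(fh.read()))
        print(path, "X.509 v%d" % v, "(V1: not accepted as a CA by default)" if v == 1 else "")
```

Run against each PEM file in the chain, it shows which certificate is the V1 one before deciding between the two workarounds listed in the message.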