On October 2, 2021 1:32:21 JST, Thomas Schmitt <scdbac...@gmx.net> wrote:
>Hi,
>
>as tomas predicted it can be done by handwork.
>
>Tobias Diekershoff gave a good hint but i was not smart enough to make
>use of it before i found out the clicky way.
>
>The solution was to import to iceweasel the certificate file
>
>  /etc/ssl/certs/ISRG_Root_X1.pem
>
>------------------------------------------------------------------------
>Long story:
>
>I replaced the directory trees
>  /etc/ssl/certs
>  /usr/share/ca-certificates
>and the file
>  /etc/ca-certificates.conf
>by their counterparts of Debian 10. Then i ran
>  update-ca-certificates
>This did not help, even with newly started Iceweasel.
>
>So i clicked my way through Preferences -> Advanced -> Certificates to
>button "View Certificates" which offers me an obscure list and a button
>"Import". This gives me a file browser which i navigate to /etc/ssl/certs.
>There are 128 .pem files from Debian 10.
>
>To reduce the work i diffed the list of .pem files in both /etc/ssl/certs
>and began to add those which are new in Debian 10: 49 files.
>Many new ones did have no effect. But
>  /etc/ssl/certs/ISRG_Root_X1.pem
>gives me back a lot of those sites which were inaccessible since yesterday.
>
>I will have to wait for complaints to see if any of the previously working
>sites still fails. A quick tour over the usual suspects finds none.
>I nevertheless invested the clickwork to import the other new .pem files.
>Just in case i forget what i did today.
>
>
>Tobias Diekershoff wrote:
>> Are the untrusted certificates LetsEncrypt issued certs? Their old
>> R3 cert (signed by DST Root CA X3) expired Sept 29th (see e.g.
>> https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190
>
>Looks like you are right.
>In hindsight the hint to "ISRG Root X1" is in there. But i don't understand
>their nomenclature. I looked for "DST*R3*.pem" but found no such file
>in /etc/ssl/certs.
>(It's like with man pages: I understand their text only
>when i finally found out by trial and error.)
>
>-------------------------------------------------------------------------
>Remaining riddles:
>
>How i would be supposed to find the name of the decisive certificate when
>iceweasel refuses ?
>
>Another riddle is why wget still does not work without option
>  --no-check-certificate
>I found no hint in its man page about its default stash of certificates.
>Will have to go on with research next week ...
>
>
>Have a nice day :)
>
>Thomas
>
Hi,

the final solution is:

- disable the certs with an ! before the cert name (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt)
- then, rebuild the cert directory (update-ca-certificates --fresh)
- then, restart your servers.

HTH
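
The edit described in the reply above, scripted so it can be repeated and checked; this is an added example, not part of the original messages. The function names, the sample file and `Example_Old_CA.crt` are constructed, and it assumes entries may carry a directory prefix such as `mozilla/`.

```shell
#!/bin/sh
# Added example. Assumed file format: one certificate path per line
# (e.g. mozilla/DST_Root_CA_X3.crt), '#' for comments, and a leading '!'
# marking an entry as deselected.

# ca_state CONF CERT_FILE -> prints "active", "deselected" or "absent".
ca_state() {
    awk -v name="$2" '
        /^#/ || /^[ \t]*$/ { next }
        {
            line = $0; off = sub(/^!/, "", line)
            n = split(line, parts, "/")
            if (parts[n] != name) next
            if (off) seen_off = 1; else seen_on = 1
        }
        END { print (seen_on ? "active" : (seen_off ? "deselected" : "absent")) }' "$1"
}

# deselect_ca CONF CERT_FILE
# Prefixes '!' to active entries whose file name is CERT_FILE. Comments and
# already deselected entries are untouched, so repeated runs are harmless.
# Returns 0 when the CA ends up deselected, 1 when it is not listed.
deselect_ca() {
    conf=$1; name=$2
    tmp=$(mktemp) || return 2
    awk -v name="$name" '
        /^[#!]/ || /^[ \t]*$/ { print; next }
        {
            n = split($0, parts, "/")
            if (parts[n] == name) print "!" $0; else print
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # keep owner and mode
    rm -f "$tmp"
    [ "$(ca_state "$conf" "$name")" = deselected ]
}

# Constructed sample content, not a copy of a real system file.
sample_conf() {
    printf '%s\n' '# constructed sample' 'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/ISRG_Root_X1.crt' '!mozilla/Example_Old_CA.crt'
}

# Demo on a temporary copy. On a real system CONF would be
# /etc/ca-certificates.conf, followed by: update-ca-certificates --fresh
demo=$(mktemp) && sample_conf > "$demo"
deselect_ca "$demo" DST_Root_CA_X3.crt && cat "$demo"
rm -f "$demo"
```

A return status of 1 from `deselect_ca` means the name was not found in the file, so nothing was changed and the trust store would be rebuilt exactly as before.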