On Sat 02 Oct 2021 at 08:15:59 (+0200), to...@tuxteam.de wrote:
> On Fri, Oct 01, 2021 at 03:18:22PM -0500, David Wright wrote:
>
> [...]
>
> > I have a buster system that was up-to-date from the last point-release
> > and kernel (2021-09-10 18:22:47).
> >
> > The only certificate expiration problem I have observed (and still
> > observe, having taken no action) is with apt-listbugs:
>
> [...]
>
> > However, my next thought was to temporarily move my
> > /etc/apt/apt.conf file, which contains just the one proxy
> > line pointing at apt-cacher-ng, with the result that
> > apt-listbugs was able to run without any problem.
>
> I understand correctly: using apt-cacher-ng somehow breaks
> certificate validation for apt-listbugs?
Yes. Here's a summary. Note that I had DST_Root_CA_X3.crt as trusted in /etc/ssl/ until after it expired, and its expiry caused no problems with browsers, package downloads etc., but only this symptom. Since then, I have removed it from /etc/ca-certificates.conf using the ! mechanism, yet this symptom persists as shown here:

——✄——
# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs... done.
Updating certificates in /etc/ssl/certs... 125 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Replacing debian:ACCVRAIZ1.pem
[ … ]
Replacing debian:DigiCert_Trusted_Root_G4.pem
Replacing debian:D-TRUST_Root_Class_3_CA_2_2009.pem
[ … ]
Replacing debian:ISRG_Root_X1.pem
[ … ]
Replacing debian:emSign_Root_CA_-_G1.pem
done.
done.
# logout
$ cat /etc/apt/apt.conf
#Acquire::http::Proxy "http://192.168.1.14:3142/";
$ apt-listbugs list base-files
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
$ cat /etc/apt/apt.conf
Acquire::http::Proxy "http://192.168.1.14:3142/";
$ apt-listbugs list base-files
Retrieving bug reports... 0% Fail
Error retrieving bug reports from the server with the following error message:
E: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
It could be because your network is down, or because of broken proxy servers, or the BTS server itself is down.
Check network configuration and try again
Retry downloading bug information? [Y/n] n
Continue the installation anyway? [y/N]
E: Exiting with error
$ cat /etc/debian_version
10.10
$
——✄——

AFAICT ISRG_Root_X1.pem points to the ordinary ISRG_Root_X1, not the cross-signed one, BTW.

So I thought I would investigate a little further by running apt-listbugs under strace -f. Note that though the apt-cacher-ng service is running on the same machine, that service is AIUI not being traced and so is opaque.
99% of the traces (without/with proxy) look the same, until you pass the three lstat references to /usr/lib/ruby/vendor_ruby/http/cookie_jar/hash_store.rb, whereupon they diverge.

Without proxy: after 47 lines of faffing about, it reads /etc/hosts, does some DNS, and appears to communicate with the University of Oregon, which would seem reasonable.

With proxy: after 222 lines of, I assume, chatting to the proxy, it opens /usr/lib/ruby/vendor_ruby/httpclient/cacert.pem, and this contains a list of actual certificates, amongst which, wouldn't you know, is DST Root CA X3.

So the problem lies in ruby, specifically the package ruby-httpclient, version 2.8.3-2. This might explain why "random" applications fail while other ones don't.

I verified the above by editing out the DST Root CA X3 certificate from /usr/lib/ruby/vendor_ruby/httpclient/cacert.pem and restarting apt-cacher-ng.service, whereupon:

——✄——
$ apt-listbugs list base-files
Retrieving bug reports... 0% Fail
Error retrieving bug reports from the server with the following error message:
E: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
It could be because your network is down, or because of broken proxy servers, or the BTS server itself is down.
Check network configuration and try again
Retry downloading bug information? [Y/n] n
Continue the installation anyway? [y/N]
E: Exiting with error
$
——✄——

and the error changes from expired to missing, as cacert.pem does not include ISRG Root X1.

Cheers,
David.
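The message above traces the failure to a CA bundle shipped inside a library (ruby-httpclient's cacert.pem) that still carried the expired DST Root CA X3 and lacked ISRG Root X1. The following Ruby script is an added example, not part of the thread and not code from apt-listbugs, ruby-httpclient or Debian: it audits any PEM bundle of that kind, reporting each root's expiry, flagging the ones already expired, and checking whether a named root is present. Because it has to run offline, it generates two constructed self-signed "roots" with OpenSSL (one with an expiry mirroring DST Root CA X3's real 2021-09-30 14:01:15 UTC, one still valid) and uses them as the default input; pass a path such as /usr/lib/ruby/vendor_ruby/httpclient/cacert.pem to audit a real bundle instead.

```ruby
require 'openssl'
require 'time'

# One PEM certificate block; /m lets '.' span newlines so a whole bundle can be scanned.
PEM_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Split a PEM bundle (the format of httpclient's cacert.pem and of
# /etc/ssl/certs/ca-certificates.crt) into X509::Certificate objects.
def parse_bundle(pem_text)
  pem_text.scan(PEM_BLOCK).map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Describe every certificate in the bundle: subject CN, notAfter, and whether
# it has already expired relative to `now` (injectable so the check is reproducible).
def audit_bundle(pem_text, now = Time.now)
  parse_bundle(pem_text).map do |cert|
    cn_entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
    cn = cn_entry ? cn_entry[1] : cert.subject.to_s
    { cn: cn, not_after: cert.not_after, expired: cert.not_after < now }
  end
end

# CNs of the roots that are expired at `now` (the DST Root CA X3 case).
def expired_names(pem_text, now = Time.now)
  audit_bundle(pem_text, now).select { |e| e[:expired] }.map { |e| e[:cn] }
end

# Is a root with this CN present at all? (The missing ISRG Root X1 case.)
def includes_cn?(pem_text, cn)
  audit_bundle(pem_text).any? { |e| e[:cn] == cn }
end

# Constructed test data only: build a self-signed CA certificate with the given validity.
# Names and dates are made up for the example (except the DST Root CA X3 expiry instant).
def make_self_signed(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/O=Constructed Example/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# A two-root bundle standing in for a library's vendored cacert.pem.
SAMPLE_BUNDLE = [
  make_self_signed('Constructed Expired Root',
                   Time.utc(2000, 9, 30, 21, 12, 19), Time.utc(2021, 9, 30, 14, 1, 15)),
  make_self_signed('Constructed Valid Root',
                   Time.utc(2015, 6, 4, 11, 4, 38), Time.utc(2035, 6, 4, 11, 4, 38))
].join

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_BUNDLE
  audit_bundle(text).each do |e|
    status = e[:expired] ? 'EXPIRED' : 'ok     '
    puts "#{status}  #{e[:not_after].utc.iso8601}  #{e[:cn]}"
  end
  missing = ['ISRG Root X1'].reject { |cn| includes_cn?(text, cn) }
  puts "missing roots: #{missing.join(', ')}" unless missing.empty?
end
```

Run it as `ruby audit_bundle.rb /usr/lib/ruby/vendor_ruby/httpclient/cacert.pem` to get the per-root listing for the file the message identifies. The script only inspects the bundle; it does not replace OpenSSL's chain building, which is what produces the two errors seen above (an expired trust anchor found: "certificate has expired"; no anchor found at all: "unable to get local issuer certificate"). The durable fix for a Ruby client is to stop relying on a vendored bundle and use the system store, which in httpclient means configuring its SSLConfig to use OpenSSL's default paths rather than cacert.pem.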