FS#69753 - ca-certificate-mozilla: Removal of GeoTrust Global CA

Attached to Project: Arch Linux
Opened by james stronz (comrumino) - Tuesday, 23 February 2021, 20:32 GMT
Last edited by Doug Newgard (Scimmia) - Tuesday, 23 February 2021, 21:00 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To No-one
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Removal of GeoTrust results in certificates not being trusted when they should be. For example




Additional info:
* package version(s) 3.62-1
* link to upstream bug report, if any
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596

Steps to reproduce:

Option 1: visit help.apple.com

Option 2: use gnutls-cli
> gnutls-cli help.apple.com
Processed 139 CA certificate(s).
Resolving 'help.apple.com:443'...
Connecting to '184.87.216.75:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,O=Apple Inc.,OU=management:idms.group.1208920,CN=help.apple.com', issuer `C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1', serial 0x3b387dc7032e7e1eb93b4243d21586d3, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-15 01:37:24 UTC', expires `2021-05-14 01:37:24 UTC', pin-sha256="cSD+Ca9FxkRPXk9DMwaj6gprVTHA7qPsDY202NLJYac="
Public Key ID:
sha1:25e24f80cd3a44beabd88fe392e4e0d65c4586b5
sha256:7120fe09af45c6444f5e4f433306a3ea0a6b5531c0eea3ec0d8db4d8d2c961a7
Public Key PIN:
pin-sha256:cSD+Ca9FxkRPXk9DMwaj6gprVTHA7qPsDY202NLJYac=

- Certificate[1] info:
- subject `C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1', issuer `CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US', serial 0x023a74, RSA key 2048 bits, signed using RSA-SHA256, activated `2014-06-16 15:42:02 UTC', expires `2022-05-20 15:42:02 UTC', pin-sha256="tc+C1H75gj+ap48SMYbFLoh56oSw+CLJHYPgQnm3j9U="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

Closed by  Doug Newgard (Scimmia)
Tuesday, 23 February 2021, 21:00 GMT
Reason for closing:  Upstream
Additional comments about closing:  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60_release_notes
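
Added example, not part of the original report or of any project's code: a small Python parser for gnutls-cli output like the session above. It reports whether the chain the server sent is internally consistent and which issuer name the local trust store must contain for verification to succeed. The sample text is constructed (abbreviated from the output in this report), and the function names are hypothetical.

```python
import re

# Constructed sample: abbreviated from the gnutls-cli session in this report.
SAMPLE = """\
Processed 139 CA certificate(s).
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=California,O=Apple Inc.,CN=help.apple.com', issuer `C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1'
- Certificate[1] info:
 - subject `C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1', issuer `CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
"""

# gnutls-cli quotes distinguished names with a backtick and a closing apostrophe.
CERT_RE = re.compile(r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)'")
STATUS_RE = re.compile(r"^- Status: (?P<status>.*)$", re.M)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m["subject"], m["issuer"]) for m in CERT_RE.finditer(output)]


def diagnose(output):
    """Summarise why a chain did or did not verify against the local store."""
    chain = parse_chain(output)
    if not chain:
        raise ValueError("no certificate lines found in gnutls-cli output")
    status = STATUS_RE.search(output)
    status_text = status["status"] if status else ""
    # Each certificate's issuer should be the subject of the next one sent.
    broken = [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    top_subject, top_issuer = chain[-1]
    return {
        "trusted": bool(status_text) and "NOT trusted" not in status_text,
        "links_ok": not broken,
        # True when the server also sent a self-signed root certificate.
        "root_sent": top_subject == top_issuer,
        # Name that must be present in the local CA bundle as a trust anchor.
        "required_anchor": top_issuer,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample, the chain links are consistent and the only missing piece is the anchor named in required_anchor, which matches the "issuer is unknown" status.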
