GNU bug report logs - #45358
bootstrap fails due to a certificate mismatch

Previous Next

Package: coreutils;

Reported by: "j-james" <jj <at> j-james.me>

Date: Tue, 22 Dec 2020 02:02:01 UTC

Severity: normal

Done: Bob Proulx <bob <at> proulx.com>

Bug is archived. No further changes may be made.

Full log

Message #46 received at 45358-done <at> debbugs.gnu.org (full text, mbox):

From: Bob Proulx <bob <at> proulx.com>
To: Erik Auerswald <auerswal <at> unix-ag.uni-kl.de>
Cc: 45358-done <at> debbugs.gnu.org, 45358-submitter <at> debbugs.gnu.org,
 Grigoriy Sokolik <g.sokol99 <at> g-sokol.info>
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
Date: Tue, 9 Mar 2021 11:30:02 -0700

Erik Auerswald wrote:
> Grigoriy Sokolik wrote:
> > I've rechecked:
> 
> I cannot reproduce the problem, the certificate is trusted by my system:
> 
>     # via IPv4
>     $ gnutls-cli --verbose translationproject.org </dev/null  | grep -E 'Connecting|Status'
>     Connecting to '80.69.83.146:443'...
>     - Status: The certificate is trusted. 
>     # via IPv6
>     $ gnutls-cli --verbose translationproject.org </dev/null  | grep -E 'Connecting|Status'
>     Connecting to '2a01:7c8:c037:6::20:443'...
>     - Status: The certificate is trusted.

I have the same results here.  Everything looks okay in the inspection
of it.

> It seems to me as if your system does not trust the used root CA.
> 
> >     [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...]
> 
> On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs:
> 
>     $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l
>     lrwxrwxrwx 1 root root 53 Mai 28  2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
>     $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject:
>     	Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.

Again same here on my Debian system.  The root certificate store for
the trust anchor is in the ca-certificates package.

Looking at my oldest system I see this is distributed as package
version 20200601~deb9u1 and includes the above file.

    $ apt-cache policy ca-certificates
    ca-certificates:
      Installed: 20200601~deb9u1
      Candidate: 20200601~deb9u1
      Version table:
     *** 20200601~deb9u1 500
            500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
            500 http://ftp.us.debian.org/debian stretch-updates/main amd64 Packages
            100 /var/lib/dpkg/status

Verifying that the equivalent of ca-certificates is installed on your
system should provide for it.

As this seems not to be a bug in Coreutils I am marking the bug as
closed with this mail.  However more discussion is always welcome.

Bob
This bug report was last modified 4 years and 132 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.