I think what you're seeing can be explained if you had ca-certificates/trust_new_crts disabled (see debconf-show ca-certificates) when ISRG Root X1 was added, in which case the "new" root wouldn't be in your bundle and so you wouldn't have a trust path to LE certs after the DST Root's expiration.
Cheers, Julien On Mon, Oct 04, 2021 at 09:55:52AM -0400, Aristeu Rozanski wrote: > Hello, > > I'm running bullseye and fetchmail seems affected. I had these happening: > > fetchmail: socket error while fetching from aris@<server> > fetchmail: Query status=2 (SOCKET) > fetchmail: Server certificate verification error: certificate has expired > fetchmail: OpenSSL reported: error:1416F086:SSL > routines:tls_process_server_certificate:certificate verify failed > > The machine I saw this error has been dist-upgraded since 2001 or so. Running > openssl s_client -showcerts -connect <server>:995 -servername <server>: > > (snip) > Start Time: 1633325277 > Timeout : 7200 (sec) > Verify return code: 10 (certificate has expired) > Extended master secret: no > Max Early Data: 0 > > Checking the certificate locally in the server it passed. Running same openssl > command in another bullseye machine did work. Did try to run > update-ca-certificates with and without -f, didn't help. It did reported > warnings: > > Updating certificates in /etc/ssl/certs... > W: > /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt > not found, but listed in /etc/ca-certificates.conf. > W: /usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt not > found, but listed in /etc/ca-certificates.conf. > W: /usr/share/ca-certificates/mozilla/Taiwan_GRCA.crt not found, but > listed in /etc/ca-certificates.conf. > W: > /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt not > found, but listed in /etc/ca-certificates.conf. > W: > /usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt not > found, but listed in /etc/ca-certificates.conf. > W: > /usr/share/ca-certificates/mozilla/EE_Certification_Centre_Root_CA.crt not > found, but listed in /etc/ca-certificates.conf. > 0 added, 0 removed; done. > Running hooks in /etc/ca-certificates/update.d... > > updates of cacerts keystore disabled. > done. > > > Finally gave up and copied ca-certificates.conf from the machine that was > working, re-ran update-ca-certificates and it got rid of the warnings and > fetchmail and openssl were happy again. I don't fully understand how > /etc/ca-certificates.conf is generated and don't remember ever changing it. > > -- > Aristeu >

