I think what you're seeing can be explained if you had
ca-certificates/trust_new_crts disabled (see debconf-show
ca-certificates) when ISRG Root X1 was added, in which case the "new"
root wouldn't be in your bundle and so you wouldn't have a trust path to
LE certs after the DST Root's expiration.

Cheers,
Julien

On Mon, Oct 04, 2021 at 09:55:52AM -0400, Aristeu Rozanski wrote:
> Hello,
> 
> I'm running bullseye and fetchmail seems affected. I had these happening:
> 
> fetchmail: socket error while fetching from aris@<server>
> fetchmail: Query status=2 (SOCKET)
> fetchmail: Server certificate verification error: certificate has expired
> fetchmail: OpenSSL reported: error:1416F086:SSL 
> routines:tls_process_server_certificate:certificate verify failed
> 
> The machine I saw this error has been dist-upgraded since 2001 or so. Running
> openssl s_client -showcerts -connect <server>:995 -servername <server>:
> 
> (snip)
>     Start Time: 1633325277
>     Timeout   : 7200 (sec)
>     Verify return code: 10 (certificate has expired)
>     Extended master secret: no
>     Max Early Data: 0
> 
> Checking the certificate locally in the server it passed. Running same openssl
> command in another bullseye machine did work. Did try to run
> update-ca-certificates with and without -f, didn't help. It did reported
> warnings:
> 
>       Updating certificates in /etc/ssl/certs...
>       W: 
> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
>  not found, but listed in /etc/ca-certificates.conf.
>       W: /usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt not 
> found, but listed in /etc/ca-certificates.conf.
>       W: /usr/share/ca-certificates/mozilla/Taiwan_GRCA.crt not found, but 
> listed in /etc/ca-certificates.conf.
>       W: 
> /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt not 
> found, but listed in /etc/ca-certificates.conf.
>       W: 
> /usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt not 
> found, but listed in /etc/ca-certificates.conf.
>       W: 
> /usr/share/ca-certificates/mozilla/EE_Certification_Centre_Root_CA.crt not 
> found, but listed in /etc/ca-certificates.conf.
>       0 added, 0 removed; done.
>       Running hooks in /etc/ca-certificates/update.d...
> 
>       updates of cacerts keystore disabled.
>       done.
> 
> 
> Finally gave up and copied ca-certificates.conf from the machine that was
> working, re-ran update-ca-certificates and it got rid of the warnings and
> fetchmail and openssl were happy again. I don't fully understand how
> /etc/ca-certificates.conf is generated and don't remember ever changing it.
> 
> --
> Aristeu
> 

Reply via email to