Package: ca-certificates Version: 20230311+deb12u1 Dear maintainer,
One of our partners (an American health insurance company) recently changed the certificates for their API and this broke our connectivity. This report is similar to #1095913 since it also involves certificates issued by Entrust, but the root missing in question is "SSL.com TLS RSA Root CA 2022" and not one from Sectigo. We were able to work around it by manually adding this root certificate and running update-ca-certificates. After doing so the chain looks like this with openssl s_client: depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS RSA Root CA 2022 verify return:1 depth=1 C=US, O=SSL Corporation, CN=Entrust OV TLS Issuing RSA CA 1 verify return:1 depth=0 [leaf cert details omitted] verify return:1 https://crt.sh/?id=7439767372 and https://crt.sh/?id=14258407195 respectively. FWIW, on July 24, 2024 SSL.com posted this announcement about partnering with Entrust: https://www.ssl.com/blogs/ssl-com-and-entrust-form-strategic-partnership/ > SSL.com plans to implement multiple integration paths with Entrust, including > Entrust serving as an external Registration Authority (RA) for Identity > Validation. As an external RA, Entrust will be aligned with the policies and > practices of SSL.com, with SSL.com acting as the Certification Authority. Same as with the aforementioned bug report, please consider adding the root CA to ca-certificates in stable. Kind regards, Bart

