On Tue, 2021-11-23 at 17:26 -0500, Jack wrote: > On 2021.11.23 14:43, Branko Grubić wrote: > > Hi, > > [1] https://gitlab.com/gnutls/gnutls/-/issues/1131 > OK, diff of your output to mine: > 1,2c1,2 > < $ gnutls-cli distrowatch.com:443 > < Processed 130 CA certificate(s). > --- > > $gnutls-cli distrowatch.com:443 > > Processed 128 CA certificate(s). > 21,23c21,29 > < - Status: The certificate is NOT trusted. The certificate issuer > is > unknown. > < *** PKI verification of server certificate failed... > < *** Fatal error: Error in the certificate. > --- > > - Status: The certificate is trusted. > > - Description: > > (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256- > > GCM) > > - Session ID: > > 83:62:97:D1:C0:77:19:76:F8:2F:41:7E:DD:CD:C5:A6:35:2A:5D:4C:39:B4:F > > 5:12:CA:09:0F:07:26:BA:83:5F > > - Options: > > - Handshake was completed > > > > - Simple Client Mode: > > > > - Peer has closed the GnuTLS connection > > So I have two fewer CA Certs than you do, but somehow I know the > issuer > and you do not. > I have app-misc/ca-certificates 20210119.3.66, but there are two ~ > versions. I wonder if something got dropped (whether intentionally > or > not.) >
Hi, Thanks for testing. Not happy that it's only me :D I don't think my issue is related to ca-certificates, btw. I'm "fully" on ~amd64 (unstable/testing). Here is what's installed here: app-misc/ca-certificates-20211016.3.72 -cacert Also, as I said Let's Encrypt certificates from other sites work fine with gnutls-cli (and other clients using gnutls), which have similar certificate chain's (same, except the server certificate, same intermediate and same "Root" certificate), so I don't think it's related to a "missing trust". Could be something specific to my system or ~arch (unstable), that some library gnutls uses is causing issues (but I cannot remember now when it started happening to pinpoint after which update it stopped working). Regards, Branko
