On Sat, Jul 16, 2016 at 09:04:47PM +0200, nee wrote:
> ./certtool: line 83: datefudge: command not found
>
> You need datefudge to run this test
>
> FAIL: name-constraints
> ======================
>
> Loaded 3 certificates, 1 CAs and 0 CRLs
>
> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
> Infrastructure
> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key
> Infrastructure
> Output: Not verified. The certificate is NOT trusted. The certificate
> issuer is unknown.
>
> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
> Infrastructure
> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key
> Infrastructure
> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
> Infrastructure
> Output: Verified. The certificate is trusted.
>
> Subject: C=US,O=Foo Bar Inc.,CN=bazz.foobar.com
> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
> Infrastructure
> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
> Infrastructure
> Output: Not verified. The certificate is NOT trusted. The certificate
> chain uses expired certificate.
>
> Chain verification output: Not verified. The certificate is NOT trusted. The
> certificate chain uses expired certificate.
>
> name constraints test 1 failed

The test certificates have expired.

I think we need to apply this patch with a graft, from the gnutls_3_4_x
branch:

https://gitlab.com/gnutls/gnutls/commit/47f25d9e08d4e102572804a2aed186b01db23c65

The effect is to skip the test, because we are missing the datefudge
program [0].

Or, we could package datefudge and add it to the gnutls recipe.

Thanks to Jookia for the tip.

[0] https://packages.debian.org/sid/datefudge