Bob Proulx wrote:
> All of those seem to be the outdated CA list and openssl on
> download0. All but one of the above were issued by Comodo. Which is
> the mostly common thread among them. They apparently have a newly
> issued trust anchor.

It turns out that this was a pretty widely felt expired certificate. And tickles an openssl bug. And therefore fixes have been rippling through.

The way I have been reading the blogs on this, the problem is that one of the certificate chains has expired. Coupled with openssl prior to 1.1, which flagged as invalid the chain if either were invalid. Requiring both of them to be valid. As opposed to validating it as okay if any of the chains validated, as it is supposed to have been working.

Over the weekend I realized that I could extract the expired certificate and leave only the valid one and this would fix the problem. And I could even update the bundle. But then the Debian Stretch LTS team prepared a package upgrade doing all of the work, very nicely packaged, making it trivial to install their package and not needing any work at all. :-)

I have upgraded the CA certificate bundle on our three machines that were needing it: download0, vcs0, mgt0. Testing shows that the previous certificates that were previously invalid are now validating.

I am going to wait and let the mirmon scripts run, and hopefully that will now validate those mirrors and they will come back online in the redirector over the next couple of hours.

Bob