Bob Proulx <b...@proulx.com> writes:
> Bob Proulx wrote:
>> All of those seem to be the outdated CA list and openssl on
>> download0. All but one of the above were issued by Comodo. Which is
>> the most common thread among them. They apparently have a newly
>> issued trust anchor.
>
> It turns out that this was a pretty widely felt expired certificate.
> And tickles an openssl bug. And therefore fixes have been rippling
> through.
>
> The way I have been reading the blogs on this the problem is one of
> the certificate chains has expired. Coupled with openssl prior to 1.1
> which flagged as invalid the chain if either were invalid. Requiring
> both of them to be valid. As opposed to validating it as okay if any
> of the chains validated as it is supposed to have been working.
>
> Over the weekend I realized that I could extract the expired
> certificate and leave only the valid one and this would fix the
> problem. And I could even update the bundle.
>
> But then the Debian Stretch LTS team prepared a package upgrade doing
> all of the work very nicely packaged making this trivial to install
> their package and not needing any work at all. :-)
>
> I have upgraded the CA certificate bundle on our three machines that
> were needing it, download0, vcs0, mgt0. Testing shows that the
> previous certificates that were previously invalid are now validating.
> I am going to wait and let the mirmon scripts run and hopefully that
> will now validate those mirrors and they will come back online in the
> redirector over the next couple of hours.
>
> Bob

Awesome. Onto server upgrades! I just decommissioned a Debian Lenny machine this last weekend.
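The manual workaround Bob describes above (pull the expired certificate out of the bundle and keep only the still-valid one) can be scripted so that every certificate in a PEM bundle is checked rather than hunted down by hand. The script below is an added example and is not part of the thread or of Debian's ca-certificates packaging; it assumes only the openssl command-line tool and a POSIX shell. The bundle path, the output path and the function names (prune_bundle, make_cert, count_certs) are choices made for this illustration. The horizon argument generalises the check slightly: 0 drops only certificates that have already expired, a larger value also drops ones that expire within that many seconds, which is handy for spotting the next expiry before it breaks a mirror check.

```shell
#!/bin/sh
# Added example: prune expired (or soon-expiring) certificates from a PEM
# CA bundle using only openssl(1). Not the project's own tooling.
set -eu

# prune_bundle BUNDLE HORIZON_SECONDS OUTPUT
#   Splits BUNDLE into individual certificates, keeps those that
#   `openssl x509 -checkend HORIZON_SECONDS` accepts, and writes them to
#   OUTPUT. Each dropped certificate's subject and notAfter are printed.
prune_bundle() {
    bundle=$1; horizon=$2; out=$3
    tmpd=$(mktemp -d)
    # One file per certificate: everything between BEGIN and END markers.
    awk -v d="$tmpd" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    : > "$out"
    for c in "$tmpd"/cert*.pem; do
        [ -f "$c" ] || continue
        # -checkend N exits 0 if the cert is still valid N seconds from now.
        if openssl x509 -in "$c" -noout -checkend "$horizon" >/dev/null 2>&1; then
            cat "$c" >> "$out"
        else
            printf 'dropped: %s (%s)\n' \
                "$(openssl x509 -in "$c" -noout -subject)" \
                "$(openssl x509 -in "$c" -noout -enddate)"
        fi
    done
    rm -rf "$tmpd"
}

# count_certs FILE: number of PEM certificates in FILE (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_cert CN DAYS FILE: constructed self-signed test certificate, used
# here only to build a sample bundle so the example runs offline.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$3" -days "$2" -subj "/CN=$1" 2>/dev/null
}

# Demonstration on a constructed two-certificate bundle: one cert expires
# tomorrow, one in a year. With a horizon of seven days the first is dropped.
demo() {
    d=$(mktemp -d)
    make_cert short-lived 1 "$d/a.pem"
    make_cert long-lived 365 "$d/b.pem"
    cat "$d/a.pem" "$d/b.pem" > "$d/bundle.pem"
    prune_bundle "$d/bundle.pem" 604800 "$d/pruned.pem"
    echo "kept $(count_certs "$d/pruned.pem") of $(count_certs "$d/bundle.pem") certificates"
    rm -rf "$d"
}
demo
```

On a real system the bundle would be the distribution's ca-certificates.crt (or, as in Bob's case, the one openssl on the affected host actually reads, which `openssl version -d` points at), and the pruned copy would be tested with `openssl verify -CAfile pruned.pem chain.pem` against a chain that previously failed before it replaces anything. Pruning is a stopgap: it does not change the pre-1.1 openssl behaviour the thread describes, and the packaged ca-certificates update remains the right fix once it is available.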