mark.janes@daimler.com wrote:
If anyone is finding that atg-apertis-recipes cannot be used since Sep 30, we were able to work around by removing the following file after the debootstrap step:
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
Indeed, Friday has been a fun day. :)
We use Let's Encrypt for the TLS certificates of the server hosting our packages and one of the CA certificates in the Let's Encrypt chain expired. This should normally not be an issue since the chain is still valid thanks to the presence of other signatures, but a bug in the older GnuTLS version shipped in releases prior to v2022 causes it to fail in these cases.
By dropping the expired CA certificates your workaround works perfectly.
At the moment a updated ca-certificates package should be available in all the affected branches, v2020 and v2021, and no workaround should be needed anymore.
It has been fun to fix because the bug caused our CI to fail as well, so some manual tinkering has been needed. ;)
If anybody still faces similar issues please let us know!
Thank you again for you report!