[Devel] let's encrypt expired certificate

Emanuele Aina emanuele.aina at collabora.com
Sun Oct 3 22:27:24 CEST 2021

mark.janes at daimler.com wrote:

> If anyone is finding that atg-apertis-recipes cannot be used since Sep
> 30, we were able to work around by removing the following file after
> the debootstrap step:
>   /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

Indeed, Friday has been a fun day. :)

We use Let's Encrypt for the TLS certificates of the server hosting our
packages and one of the CA certificates in the Let's Encrypt chain
expired. This should normally not be an issue since the chain is still
valid thanks to the presence of other signatures, but a bug in the
older GnuTLS version shipped in releases prior to v2022 causes it to
fail in these cases.

By dropping the expired CA certificates your workaround works

At the moment a updated ca-certificates package should be available in
all the affected branches, v2020 and v2021, and no workaround should be
needed anymore.

It has been fun to fix because the bug caused our CI to fail as well,
so some manual tinkering has been needed. ;)

If anybody still faces similar issues please let us know! 

Thank you again for you report!

Emanuele Aina

More information about the devel mailing list