Since app-misc/ca-certificates is using nss as a source for certificates and applying the cacert patch on top of that source, the CAcert Class 3 certificate is missing, leaving users unable to access websites that use a CAcert Class 3 certificate.

Host with app-misc/ca-certificates-20140325.3.16.3, USE=cacert

$ openssl s_client -connect 87.98.169.212:6514 < /dev/null | sed '/^---/q'
depth=0 CN = ssl.as29.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ssl.as29.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = ssl.as29.net
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
CONNECTED(00000003)
---

Host with app-misc/ca-certificates-20130906-r1, USE=cacert

$ openssl s_client -connect 176.31.104.63:443 < /dev/null | sed '/^---/q'
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify return:1
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify return:1
depth=0 CN = ssl.as29.net
verify return:1
CONNECTED(00000003)
---
DONE

Reproducible: Always
This bug is invalid; even if the examples were using different host:port, the issue was the same. In this case, it was an issue with the certificate chain on the remote host, but the CAcert Class 3 Intermediate certificate is still missing in >=app-misc/ca-certificates-20140223.3
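The failure mode discussed in this comment, as an added example that is not part of the original thread: with a constructed throwaway root, intermediate and leaf (all names are made up and stand in for the CAcert root, Class 3 and a server certificate), `openssl verify` fails when the intermediate is neither supplied by the peer nor present in the local bundle, and succeeds once either is true.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf (all names made up).
set -e
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"

# new_csr NAME CN: fresh RSA key and certificate request
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$D/$1.key" \
        -out "$D/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# verifies ARGS...: succeeds only if `openssl verify` reports OK for the leaf
verifies() {
    openssl verify "$@" "$D/leaf.pem" 2>&1 | grep -q ': OK$'
}

# report ARGS...: print OK or FAIL without tripping `set -e`
report() {
    if verifies "$@"; then echo OK; else echo FAIL; fi
}

new_csr root "Demo Root"
openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" \
    -extfile "$D/ca.ext" -days 2 -out "$D/root.pem" 2>/dev/null
new_csr int "Demo Class 3"
openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
    -CAcreateserial -extfile "$D/ca.ext" -days 2 -out "$D/int.pem" 2>/dev/null
new_csr leaf "leaf.example"
openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
    -CAcreateserial -days 2 -out "$D/leaf.pem" 2>/dev/null

# Local bundle that also carries the intermediate
cat "$D/root.pem" "$D/int.pem" > "$D/bundle.pem"

# Root-only bundle, peer sends only the leaf: no path to the root (error 20)
echo "root-only bundle, leaf only:          $(report -CAfile "$D/root.pem")"
# Root-only bundle, peer also sends the intermediate (-untrusted)
echo "root-only bundle, peer sends chain:   $(report -CAfile "$D/root.pem" -untrusted "$D/int.pem")"
# Bundle contains the intermediate, peer sends only the leaf
echo "bundle with intermediate, leaf only:  $(report -CAfile "$D/bundle.pem")"
```
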
Once it's rolled into nss, the ca-certificates package will get it more or less automatically -- we just apply the nss patch there.
Created attachment 399440
cacert class 3

Will be added in next bump
*** Bug 545262 has been marked as a duplicate of this bug. ***
+*nss-3.18.1 (23 Apr 2015) + + 23 Apr 2015; Lars Wendler <polynomial-c@gentoo.org> +nss-3.18.1.ebuild, + +files/nss-cacert-class3.patch: + Version bump. Install man pages for utils (bug #516810). Include cacert.org + Class 3 PKI Key (bug #521462). Added dev-db/sqlite and sys-libs/zlib to + DEPEND (bug #544774). +
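Review bot: the entry for files/nss-cacert-class3.patch ("Include cacert.org Class 3 PKI Key") records no source or fingerprint for the certificate being added, and since this patch changes what the NSS trust store accepts, the ChangeLog should say where the certificate came from and give its fingerprint so the addition can be audited later. The same entry also bundles the trust change with the man page install (bug #516810) and the DEPEND additions (bug #544774); splitting the trust-store change into its own entry or commit would make it easier to review and to revert on its own.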