>>> Compiling source in /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work ... make -j4 -C /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/ca-certificates/mozilla make: Entering directory '/var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/ca-certificates/mozilla' python certdata2pem.py !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust a pb.com certificate that does not comply with the baseline requirements." !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ignoring certificate "UTN USERFirst Object Root CA". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST Certificate "MD5 Collisions Forged Rogue CA 25c3" blacklisted, ignoring. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrusted AC DG Tresor SSL" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ignoring certificate "ComSign Secured CA". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Mozilla Addons" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Global Trustee" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus GMail" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Google" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Skype" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 1" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 2" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 3" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus live.com" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Root CA" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Services 1024 CA" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA 2nd" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid G2" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "MITM subCA 1 issued by Trustwave" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "MITM subCA 2 issued by Trustwave" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST Mis-issued Intermediate CA 1" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST Mis-issued Intermediate CA 2" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ignoring certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted MCSHOLDING CA" !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Found duplicate certificate name b'StartCom_Certification_Authority', renaming. make: Leaving directory '/var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/ca-certificates/mozilla' Updating certificates in /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/image/etc/ssl/certs... 158 added, 0 removed; done. Running hooks in /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/image/etc/ca-certificates/update.d... done. >>> Source compiled. To the naive user this looks like some bad/broken certificates are included that shouldn't be allowed to install.
I had the same problem. Is it something to worry about?
it's just what the debian build is reporting directly from the nss cert store
*** Bug 627458 has been marked as a duplicate of this bug. ***
(In reply to SpanKY from comment #2) > it's just what the debian build is reporting directly from the nss cert store The difference being that most debian users doesn't see the messages, we likely want to remove the certs as to not scare our users unnecessarily.
Like vapier explained in comment #2, that's coming from build system, in detail from https://sources.debian.org/src/ca-certificates/20180409/mozilla/certdata2pem.py/#L98 Regarding comment #4: We are not going to patch build system due to this and hiding this output would also affect other (real) error messages. So there's nothing left to do for us, closing as WON'T FIX. If you want to change message, please work with upstream. Current package (ca-certificates-20180409.3.36.1-r1) only shows > python certdata2pem.py > Ignoring certificate "Verisign Class 1 Public Primary Certification Authority - G3". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Verisign Class 2 Public Primary Certification Authority - G3". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Certificate "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)" blacklisted, ignoring. > Certificate "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)" blacklisted, ignoring. > Certificate "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)" blacklisted, ignoring. > Ignoring certificate "AddTrust Low-Value Services Root". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Certum Root CA". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "UTN USERFirst Email Root CA". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Camerfirma Chambers of Commerce Root". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Camerfirma Global Chambersign Root". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "SwissSign Platinum CA - G2". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "TC TrustCenter Class 3 CA II". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "ComSign CA". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Certificate "Explicitly Distrust DigiNotar Root CA" blacklisted, ignoring. > Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" blacklisted, ignoring. > Certificate "MITM subCA 1 issued by Trustwave" blacklisted, ignoring. > Certificate "MITM subCA 2 issued by Trustwave" blacklisted, ignoring. > Certificate "TURKTRUST Mis-issued Intermediate CA 1" blacklisted, ignoring. > Certificate "TURKTRUST Mis-issued Intermediate CA 2" blacklisted, ignoring. > Ignoring certificate "Swisscom Root CA 2". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "S-TRUST Universal Root CA". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Symantec Class 1 Public Primary Certification Authority - G6". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Symantec Class 2 Public Primary Certification Authority - G6". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Symantec Class 1 Public Primary Certification Authority - G4". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "Symantec Class 2 Public Primary Certification Authority - G4". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Ignoring certificate "D-TRUST Root CA 3 2013". SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR > Found duplicate certificate name b'CAcert_Inc.', renaming. > make: Leaving directory '/var/tmp/portage/app-misc/ca-certificates-20180409.3.36.1-r1/work/ca-certificates/mozilla' > Updating certificates in /var/tmp/portage/app-misc/ca-certificates-20180409.3.36.1-r1/work/image/etc/ssl/certs... > 135 added, 0 removed; done. So this also depends on the actual data.