Bug 601496 - app-misc/ca-certificates: scary warnings from nss cert database
Status: RESOLVED WONTFIX
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Duplicates: 627458
Reported: 2016-12-03 07:20 UTC by Patrick Lauer
Modified: 2018-04-22 21:17 UTC


Description Patrick Lauer gentoo-dev 2016-12-03 07:20:52 UTC
>>> Compiling source in /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work ...
make -j4 -C /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/ca-certificates/mozilla
make: Entering directory '/var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/ca-certificates/mozilla'
python certdata2pem.py
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust a pb.com certificate that does not comply with the baseline requirements."
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ignoring certificate "UTN USERFirst Object Root CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
Certificate "MD5 Collisions Forged Rogue CA 25c3" blacklisted, ignoring.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrusted AC DG Tresor SSL"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ignoring certificate "ComSign Secured CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Mozilla Addons"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Global Trustee"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus GMail"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Google"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Skype"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 1"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus Yahoo 3"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Bogus live.com"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Root CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Services 1024 CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrust DigiNotar Cyber CA 2nd"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted DigiNotar PKIoverheid G2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "MITM subCA 1 issued by Trustwave"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "MITM subCA 2 issued by Trustwave"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST Mis-issued Intermediate CA 1"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "TURKTRUST Mis-issued Intermediate CA 2"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ignoring certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Explicitly Distrusted MCSHOLDING CA"
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Found duplicate certificate name b'StartCom_Certification_Authority', renaming.
make: Leaving directory '/var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/ca-certificates/mozilla'
Updating certificates in /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/image/etc/ssl/certs...
158 added, 0 removed; done.
Running hooks in /var/tmp/portage/app-misc/ca-certificates-20161102.3.27.2-r1/work/image/etc/ca-certificates/update.d...
done.
>>> Source compiled.

To the naive user this looks like some bad/broken certificates are included that shouldn't be allowed to install.
Comment 1 email200202 2017-02-15 05:36:58 UTC
I had the same problem. Is it something to worry about?
Comment 2 SpanKY gentoo-dev 2017-02-15 08:10:30 UTC
it's just what the debian build is reporting directly from the nss cert store
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-08-10 13:09:22 UTC
*** Bug 627458 has been marked as a duplicate of this bug. ***
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-08-13 20:27:25 UTC
(In reply to SpanKY from comment #2)
> it's just what the debian build is reporting directly from the nss cert store

The difference being that most Debian users don't see the messages; we likely want to remove the certs so as not to scare our users unnecessarily.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-22 21:17:52 UTC
Like vapier explained in comment #2, that's coming from the build system, specifically from https://sources.debian.org/src/ca-certificates/20180409/mozilla/certdata2pem.py/#L98

Regarding comment #4: We are not going to patch the build system due to this, and hiding this output would also affect other (real) error messages.

So there's nothing left to do for us, closing as WON'T FIX.

If you want to change the message, please work with upstream. The current package (ca-certificates-20180409.3.36.1-r1) only shows

> python certdata2pem.py
> Ignoring certificate "Verisign Class 1 Public Primary Certification Authority - G3".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Verisign Class 2 Public Primary Certification Authority - G3".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Certificate "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)" blacklisted, ignoring.
> Certificate "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)" blacklisted, ignoring.
> Certificate "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)" blacklisted, ignoring.
> Ignoring certificate "AddTrust Low-Value Services Root".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Certum Root CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "UTN USERFirst Email Root CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Camerfirma Chambers of Commerce Root".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Camerfirma Global Chambersign Root".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "SwissSign Platinum CA - G2".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "TC TrustCenter Class 3 CA II".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "ComSign CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Certificate "Explicitly Distrust DigiNotar Root CA" blacklisted, ignoring.
> Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" blacklisted, ignoring.
> Certificate "MITM subCA 1 issued by Trustwave" blacklisted, ignoring.
> Certificate "MITM subCA 2 issued by Trustwave" blacklisted, ignoring.
> Certificate "TURKTRUST Mis-issued Intermediate CA 1" blacklisted, ignoring.
> Certificate "TURKTRUST Mis-issued Intermediate CA 2" blacklisted, ignoring.
> Ignoring certificate "Swisscom Root CA 2".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "S-TRUST Universal Root CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Symantec Class 1 Public Primary Certification Authority - G6".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Symantec Class 2 Public Primary Certification Authority - G6".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Symantec Class 1 Public Primary Certification Authority - G4".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "Symantec Class 2 Public Primary Certification Authority - G4".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Ignoring certificate "D-TRUST Root CA 3 2013".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
> Found duplicate certificate name b'CAcert_Inc.', renaming.
> make: Leaving directory '/var/tmp/portage/app-misc/ca-certificates-20180409.3.36.1-r1/work/ca-certificates/mozilla'
> Updating certificates in /var/tmp/portage/app-misc/ca-certificates-20180409.3.36.1-r1/work/image/etc/ssl/certs...
> 135 added, 0 removed; done.
So this also depends on the actual data.
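
An added example, not part of the bug thread or of certdata2pem.py: a small Python triage script that sorts the three message shapes seen in the logs above into categories and reports labels whose category changed between two builds. The sample logs are shortened excerpts of the 2016 and 2018 output quoted in this bug; the function and category names are made up for the example.

```python
import re

# The three message shapes visible in the certdata2pem.py output quoted in this bug.
PATTERNS = {
    "untrusted_not_blacklisted": re.compile(
        r'^UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "(?P<label>.*)"$'),
    "blacklisted": re.compile(r'^Certificate "(?P<label>.*)" blacklisted, ignoring\.$'),
    "ignored": re.compile(
        r'^Ignoring certificate "(?P<label>.*)"\.\s+SAUTH=(?P<sauth>\w+), EPROT=(?P<eprot>\w+)$'),
}

def classify(log_text):
    """Return {category: {label: extra fields}} for one build log."""
    found = {name: {} for name in PATTERNS}
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # accept "> "-quoted log lines too
        for name, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                fields = match.groupdict()
                found[name][fields.pop("label")] = fields
                break  # banner lines and make output match nothing
    return found

def moved(old, new):
    """Labels reported under a different category in the newer build."""
    def by_label(result):
        return {label: cat for cat, labels in result.items() for label in labels}
    before, after = by_label(old), by_label(new)
    return {l: (before[l], after[l]) for l in before.keys() & after.keys()
            if before[l] != after[l]}

# Excerpts of the 2016 and 2018 logs quoted in this bug (shortened for the example).
LOG_2016 = '''\
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
Ignoring certificate "ComSign Secured CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_MUST_VERIFY_TRUST
Certificate "MD5 Collisions Forged Rogue CA 25c3" blacklisted, ignoring.
UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: "MITM subCA 1 issued by Trustwave"
'''
LOG_2018 = '''\
> Certificate "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)" blacklisted, ignoring.
> Certificate "MITM subCA 1 issued by Trustwave" blacklisted, ignoring.
> Ignoring certificate "ComSign CA".  SAUTH=CKT_NSS_MUST_VERIFY_TRUST, EPROT=CKT_NSS_TRUSTED_DELEGATOR
'''

if __name__ == "__main__":
    for label, (was, now) in sorted(moved(classify(LOG_2016), classify(LOG_2018)).items()):
        print(f"{label}: {was} -> {now}")
```

Fed the full logs from a real build, the same functions give a per-category list that can be diffed from one ca-certificates version to the next.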