After upgrading to that release of ca-certs and trying to update zsh and gvfs, wget failed to fetch the distfiles due to both my mirror and {zsh,gnome}.org having LE certificates. https://paste.pound-python.org/show/38GyIhe71MjEb8mLvxVo/ Downgrading ca-certificates to 20170717.3.36.1 fixed this and DigiCert certificates, at the very least, may have still worked.
with app-misc/ca-certificates-20170717.3.36.1::gentoo $ openssl s_client -connect gitweb.gentoo.org:443 CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = default.gentoo.org verify return:1 --- Certificate chain 0 s:/CN=default.gentoo.org i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- subject=/CN=default.gentoo.org issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5030 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: F558F80BC20AD45E4293660ABD314EE863C9A748DF871E99EDDBC1AB3CD9606E Session-ID-ctx: Master-Key: C2628A8D85894E934AB2B4B1C779383C1702A14DEDD98D267FCD11475EFC57E19AD53DE23116A1EE80B8B2DAF9AA216C Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1523977559 Timeout : 300 (sec) Verify return code: 0 (ok) --- WITH app-misc/ca-certificates-20180409.3.36.1::gentoo $ openssl s_client -connect gitweb.gentoo.org:443 CONNECTED(00000003) depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:/CN=default.gentoo.org i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server Certificate -----END CERTIFICATE----- subject=/CN=default.gentoo.org issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5030 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 011D927550CA7BCEE6EF62F2D5491B8CFF00F3A8C0D5D8B4BDD9BF8FA2CA5645 Session-ID-ctx: Master-Key: 8AD56E42D07FBC890B2966C6D6D8F8BD94000C9F0C7C163FB7920A4F2410BE5E1C820AAB781B2ECBEE3E8C4685FFC7A8 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1523976962 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ---
Turns out Debian updated their update-ca-certificates script which depends on >=OpenSSL 1.1.x. Due to silent failure in pkg_postinst we don't notice that we are doing nothing.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03f9b674ca3315198c72849e8dd77583974759c2 commit 03f9b674ca3315198c72849e8dd77583974759c2 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-04-17 16:00:26 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-04-17 16:01:19 +0000 app-misc/ca-certificates: Fix update-ca-certificates to use c_rehash Closes: https://bugs.gentoo.org/653382 Package-Manager: Portage-2.3.28, Repoman-2.3.9 ...-20180409.3.36.1.ebuild => ca-certificates-20180409.3.36.1-r1.ebuild} | 1 + 1 file changed, 1 insertion(+)
