The only available version of app-misc/ca-certificates is from 2021-01-19 and it contains the by now expired cacert class3 certificate. It has been updated recently: http://blog.cacert.org/2021/05/re-signed-class-3-certificate-take-action-now/ In package: openssl x509 -enddate -noout -in cacert.org_class3.crt notAfter=May 20 17:48:02 2021 GMT The new one, which shall be in app-misc/ca-certificates: openssl x509 -enddate -noout -in cacert.org_class3.crt notAfter=Apr 17 12:18:30 2031 GMT Reproducible: Always
Hrm, I think I addressed this via https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/nss?id=c2cc6f938e7d434886140bba6c0e96e27d09384a which should be also in use by ca-certificates... Need to check, app-misc/ca-certificates-20210119.3.64/image/usr/share/ca-certificates/cacert.org/cacert.org_class3.crt seems to be the old one :/
Are there any news to this issue? In my opinion there is a certain urgency and the fix is trivial: Switching to the new certificate.
I think I now understand what went wrong: Various sources, including $URL, are pointing to https://www.cacert.org/index.php?id=3 which is still offering the old, now expired, certificate. :]
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36eb48e212a6d2bbecc2af712a956eded8c76bbf commit 36eb48e212a6d2bbecc2af712a956eded8c76bbf Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2021-05-28 19:07:42 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2021-05-28 19:16:21 +0000 app-misc/ca-certificates: update CAcert Root 3 certificate Closes: https://bugs.gentoo.org/791286 Package-Manager: Portage-3.0.19, Repoman-3.0.3 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> app-misc/ca-certificates/Manifest | 4 ++-- ...es-20210119.3.64.ebuild => ca-certificates-20210119.3.65.ebuild} | 6 +++--- app-misc/ca-certificates/metadata.xml | 3 +-- 3 files changed, 6 insertions(+), 7 deletions(-) Additionally, it has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbf168552e2bc2111b344be2f42e794a0146d48a commit cbf168552e2bc2111b344be2f42e794a0146d48a Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2021-05-28 19:11:53 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2021-05-28 19:16:22 +0000 dev-libs/nss: update CAcert Root 3 certificate Bug: https://bugs.gentoo.org/791286 Package-Manager: Portage-3.0.19, Repoman-3.0.3 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-libs/nss/Manifest | 2 +- dev-libs/nss/metadata.xml | 2 +- dev-libs/nss/{nss-3.63.1.ebuild => nss-3.63.1-r1.ebuild} | 4 ++-- dev-libs/nss/{nss-3.65.ebuild => nss-3.65-r1.ebuild} | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-)
(In reply to Thomas Deutschmann from comment #3) > I think I now understand what went wrong: Various sources, including $URL, > are pointing to https://www.cacert.org/index.php?id=3 which is still > offering the old, now expired, certificate. :] Thanks for fixing it. Just installed the new version.