| Summary: | lists.gentoo.org port 25 intermediate tls cert needs update | ||
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | James Cloos <cloos> |
| Component: | Mailing Lists | Assignee: | Gentoo Infrastructure <infra-bugs> |
| Status: | RESOLVED OBSOLETE | ||
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | gnutls-cli output showing bad cert | ||
We no longer have CACert certificates in use. |
Created attachment 371196 [details] gnutls-cli output showing bad cert Lists.gentoo and mail.gentoo use CACert-signed tls end-entity certs. The intermediate certs on both are cacert’s old md5-signed intermediate. As such, gnutls — and perhaps other tls libs — refuse to trust it, even when cacert’s root cert is trusted. Cacert issued a new intermediate in 2011 which is signed with sha256. Mail.gentoo uses the new intermediate. Lists.gentoo also needs to. For lists, this only requires using the new intermediate; the rest of the config is OK. (tls to mail.gentoo fails because its cert is for dev.gentoo; it would be useful to have cacert issue it its own ee cert.)