| Summary | lists.gentoo.org port 25 intermediate tls cert needs update | | |
|---|---|---|---|
| Product | Gentoo Infrastructure | Reporter | James Cloos <cloos> |
| Component | Mailing Lists | Assignee | Gentoo Infrastructure <infra-bugs> |
| Status | RESOLVED OBSOLETE | | |
| Severity | normal | | |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
| Attachments | gnutls-cli output showing bad cert | | |
We no longer have CACert certificates in use.

Created attachment 371196 [details]: gnutls-cli output showing bad cert

Lists.gentoo and mail.gentoo use CACert-signed tls end-entity certs. The intermediate certs on both are cacert’s old md5-signed intermediate. As such, gnutls — and perhaps other tls libs — refuse to trust it, even when cacert’s root cert is trusted.

Cacert issued a new intermediate in 2011 which is signed with sha256. Mail.gentoo uses the new intermediate. Lists.gentoo also needs to. For lists, this only requires using the new intermediate; the rest of the config is OK.

(tls to mail.gentoo fails because its cert is for dev.gentoo; it would be useful to have cacert issue it its own ee cert.)
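The condition the report describes (an intermediate in the served chain that is still signed with an MD5 digest, which GnuTLS rejects even when the root is trusted) can be checked mechanically. The script below is an added example and is not part of the bug report or of Gentoo's infrastructure code: it splits a PEM chain such as `openssl s_client -starttls smtp -connect host:25 -showcerts` prints, reads the `signatureAlgorithm` OID of each certificate with a small DER walker, and flags anything signed with MD2, MD5 or SHA-1. The chain it runs on is constructed inline (structurally valid `Certificate` SEQUENCEs with dummy bodies, not real certificates) so that it works offline; the OID table is from RFC 3279/4055/5758.

```python
import base64
import re

# Common signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md2", "md5", "sha1")   # digests modern TLS stacks refuse in a chain

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return the OID from the outer signatureAlgorithm field of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)              # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)               # signatureAlgorithm ::= SEQUENCE {OID, params}
    oid_tag, oid_raw, _ = _read_tlv(alg, 0)
    assert oid_tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid_raw)

def pem_to_ders(pem_text):
    """Split a PEM chain into DER blobs, in the order the server presented them."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def weak_signatures(pem_text):
    """Return [(chain index, algorithm name)] for every cert signed with a weak digest."""
    findings = []
    for i, der in enumerate(pem_to_ders(pem_text)):
        oid = signature_algorithm(der)
        name = SIG_ALG_OIDS.get(oid, oid)
        if any(d in name.lower() for d in WEAK_DIGESTS):
            findings.append((i, name))
    return findings

# --- constructed sample chain (assumption: dummy bodies, not real certificates) ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out.extend(reversed(chunk))
    return bytes(out)

def make_stub_cert_pem(sig_oid):
    """Structurally valid Certificate SEQUENCE with placeholder TBS and signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 129)                # long enough to exercise long-form lengths
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# End-entity (sha256), intermediate (md5, the case in this bug), root (sha256).
SAMPLE_CHAIN = (make_stub_cert_pem("1.2.840.113549.1.1.11")
                + make_stub_cert_pem("1.2.840.113549.1.1.4")
                + make_stub_cert_pem("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    for idx, alg in weak_signatures(SAMPLE_CHAIN):
        print(f"chain cert #{idx} is signed with {alg}; serve a sha256-signed issuer instead")
```

Against a live server, feed it the output of `openssl s_client -starttls smtp -connect host:25 -showcerts`; index 0 is the end-entity cert, so a finding at index 1 is the intermediate the server itself sends, which is exactly the file the operator has to swap (the root's own self-signature is irrelevant to chain validation and is usually not sent at all).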