502370 – lists.gentoo.org port 25 intermediate tls cert needs update

Bug 502370 - lists.gentoo.org port 25 intermediate tls cert needs update

Summary: lists.gentoo.org port 25 intermediate tls cert needs update

Status:	RESOLVED OBSOLETE

Alias:	None

Product:	Gentoo Infrastructure
Classification:	Unclassified
Component:	Mailing Lists (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Infrastructure

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-02-25 01:15 UTC by James Cloos
Modified:	2014-04-24 21:32 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
gnutls-cli output showing bad cert (file_502370.txt,1.77 KB, text/plain) 2014-02-25 01:15 UTC, James Cloos	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description James Cloos 2014-02-25 01:15:50 UTC

Created attachment 371196 [details]
gnutls-cli output showing bad cert

Lists.gentoo and mail.gentoo use CACert-signed tls end-entity certs.

The intermediate certs on both are cacert’s old md5-signed intermediate.  As such, gnutls — and perhaps other tls libs — refuse to trust it, even when cacert’s root cert is trusted.

Cacert issued a new intermediate in 2011 which is signed with sha256.

Mail.gentoo uses the new intermediate.  Lists.gentoo also needs to.

For lists, this only requires using the new intermediate; the rest of the config is OK.

(tls to mail.gentoo fails because its cert is for dev.gentoo; it would be useful to have cacert issue it its own ee cert.)

Comment 1 Alex Legler (RETIRED) archtester

2014-04-24 21:32:42 UTC

We no longer have CACert certificates in use.