cacert.pem file needs to be updated. #157

Closed
kdschlosser opened this issue Oct 9, 2021 · 5 comments

Comments

@kdschlosser

The cacert.pem file needs to be updated.

https://curl.se/docs/caextract.html

The DST root certificate expired on September 30th 2021 at 11:59 PM. The last update to the cacert.pem file was made sometime on the same day so it has the old certificate in it.

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Mozilla updated their cacert.pem file on October 1st 2021

https://github.com/gisle/mozilla-ca/blob/master/lib/Mozilla/CA/cacert.pem

@kdschlosser
Author

I did want to mention the cert.pem file that Mozilla generated has the new certificate for the root server. I have tested it and confirmed that it does work.

@kdschlosser
Author

kdschlosser commented Oct 9, 2021

https://github.com/gisle/mozilla-ca/blob/master/lib/Mozilla/CA/cacert.pem

Look at the last code change date. October 1st

@bagder bagder transferred this issue from curl/curl Oct 9, 2021
@bagder
Member

bagder commented Oct 9, 2021

The PEM file on the caextract page was updated on Sep 30th and the latest (current) version does not contain the DST Root CA X3 cert. It was removed after an update of the mk-ca-bundle.pl script, also done on September 30.

@kdschlosser
Author

TY for moving the issue to the correct place. I wasn't sure where to report the problem. I saw how the expired certificate got included in the most recent cacert.pem file on the curl website. The cert expired at 11:59 PM and the file was generated at 3:12 AM on the same day.

I also opened an issue with certifi for Python as well as that is the go to library for updating the cacert.pem file when using pycurl or requests or other such library for connecting to internet based resources. I was told there has not been any change to Mozilla's certificate db since September. If that is the case then I am not sure why the cacert.pem file linked to in the first post on Mozilla's repository has a correct and working certificate for DST Root CA X3.

I would think that having an invalid root certificate for 9 days is not the most ideal of situations. I am not sure where things may have gotten goofed up. I'm not sure if the process of updating the cacert.pem file on curl's website is an automatic thing or not. It seems like it might be an automatic process for certifi and they may be watching for changes that are reported using some other means than monitoring Mozilla's github. Mozilla may have made the update but didn't report the change to the system that certifi is watching.

I do have a question though. If Mozilla is generating a cacert.pem file and it appears like it is maintained (updated on Oct 1st to correct the expired cert) is there a need to generate one? You could link to the one on the Mozilla repo and call it done.

Sorry about my previous post as that was actually intended for the issue I opened up for certifi, I was working from my cell phone and posted to the wrong issue.

@bagder
Member

bagder commented Oct 9, 2021

> I saw how the expired certificate got included in the most recent cacert.pem file on the curl website.

This is factually incorrect. Since 23:42 CEST Sep 30, the ca bundle provided on that page no longer contained the DST Root CA X3 cert.

> The cert expired at 11:59 PM

No. The cert expired exactly "Thu Sep 30 14:01:15 2021"

> and the file was generated at 3:12 AM on the same day.

No it wasn't. The date shown on the site is the time of the download, which happened at that time. Later during the day I fixed the script, ran it again and then the output no longer contained that cert.

> I was told there has not been any change to Mozilla's certificate db since September.

No update was necessary. The cert was already marked as expiring at 14:01 on Sep 30. It should not be included in a CA bundle after that time. Entirely without any updates from Mozilla. This information was already in the certdata file.

In fact, it still exists in that file upstream.

> If Mozilla is generating a cacert.pem file and it appears like it is maintained (updated on Oct 1st to correct the expired cert)

The URL you provided above is not Mozilla's PEM. It's just another PEM exported from the same source and even using our script, which thus should end up identical to the file provided on curl.se.

> is there a need to generate one?

That's a matter of which sources you trust I think.

Case closed.

@bagder bagder closed this as completed Oct 9, 2021
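bagder's point above is that no upstream change was needed: the notAfter value was already in certdata, and a bundle generator only has to drop any certificate whose validity has ended. The check below is an added example written for this page; it is not curl's code and not mk-ca-bundle.pl. It walks each certificate's DER to the validity field with no third-party dependencies (so it works on a real cacert.pem), reports which roots are expired at a given instant, and prunes them. The sample bundle is built from constructed, certificate-shaped blobs that are not real certificates; the only real value in it is the DST Root CA X3 notAfter quoted in the thread (Thu Sep 30 14:01:15 2021 UTC). The helper names (`utc`, `not_after`, `expired_certs`, `prune_bundle`, `fake_cert_pem`) are this example's own.

```python
"""Find and drop expired roots in a PEM CA bundle (added example, not curl code).

A minimal DER walker reads only the validity field of each certificate, so the
check also runs over a real bundle such as curl's cacert.pem.  SAMPLE_BUNDLE is
built from constructed, certificate-shaped blobs (NOT real certificates) so the
script runs offline.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Aware UTC datetime helper (X.509 times are always UTC)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280: 50..99 -> 19xx
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:                       # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def not_after(cert_der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter."""
    tag, pos, _ = _tlv(cert_der, 0)         # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(cert_der, pos)       # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for expected in (0x02, 0x30, 0x30):     # serialNumber, signature, issuer
        tag, _, end = _tlv(cert_der, pos)
        if tag != expected:
            raise ValueError("unexpected TBSCertificate layout")
        pos = end
    tag, pos, _ = _tlv(cert_der, pos)       # validity SEQUENCE {notBefore, notAfter}
    if tag != 0x30:
        raise ValueError("missing validity")
    _, _, end = _tlv(cert_der, pos)         # skip notBefore
    ttag, s, e = _tlv(cert_der, end)        # notAfter
    return _parse_time(ttag, cert_der[s:e])


def pem_certs(bundle_text):
    """Yield (pem_block, der_bytes) for each certificate in a PEM bundle."""
    for m in PEM_RE.finditer(bundle_text):
        yield m.group(0), base64.b64decode("".join(m.group(1).split()))


def expired_certs(bundle_text, now):
    """notAfter of every certificate already expired at `now`.
    RFC 5280 validity is inclusive of notAfter, so expired means now > notAfter."""
    return [na for _, der in pem_certs(bundle_text) if (na := not_after(der)) < now]


def prune_bundle(bundle_text, now):
    """Return the bundle text with expired certificates removed."""
    def keep(m):
        der = base64.b64decode("".join(m.group(1).split()))
        return "" if not_after(der) < now else m.group(0)
    return PEM_RE.sub(keep, bundle_text)


# ---- constructed sample data (NOT real certificates) ----------------------
def _der(tag, body):
    """Encode one DER TLV."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(not_before, not_after_str):
    """Certificate-shaped DER with only the fields the walker reads; unsigned."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                              # [0] version v3
        _der(0x02, b"\x01"),                                          # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _der(0x30, b""),                                              # empty issuer (constructed)
        _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after_str.encode())),
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))   # no real signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Stand-in with the DST Root CA X3 notAfter stated in the thread (Sep 30 14:01:15 2021 UTC),
# plus one root that is still valid. notBefore values are made up.
SAMPLE_BUNDLE = (
    "DST Root CA X3 (constructed stand-in)\n====\n"
    + fake_cert_pem("000930211219Z", "210930140115Z")
    + "\nStill-valid root (constructed)\n====\n"
    + fake_cert_pem("150604110438Z", "350604110438Z")
)

if __name__ == "__main__":
    for na in expired_certs(SAMPLE_BUNDLE, utc(2021, 10, 1)):
        print("expired:", na.isoformat())
    print(prune_bundle(SAMPLE_BUNDLE, utc(2021, 10, 1)))
```

Run against a real bundle by feeding the file contents to `expired_certs(open("cacert.pem").read(), utc(...))`; the walker only trusts the standard TBSCertificate field order, so anything that is not a well-formed certificate raises instead of being silently kept.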