Bug#1022199: apt: certificate verification fails after adding custom root certificates through ca-certificates

Marc Riudalbas Clemente marc.riudalbas.clemente at aiticon.com
Tue Oct 25 11:26:07 BST 2022


Good morning,

I tested the same setup on a Buster system and it works perfectly.

Same CA, same intermediates, same configuration and same file locations. 
Also with update-ca-certificates.

However, if there were a problem with the algorithm implementing the 
EC curves on the certificates I am using, the verification should not fail 
for all certificates, but only for the one I added. Correct me if I'm wrong.

Best regards,

Marc

On 25.10.22 08:01, David Kalnischkies wrote:
> On Sun, Oct 23, 2022 at 11:03:19PM +0200, Julian Andres Klode wrote:
>> apt just calls gnutls_certificate_set_x509_system_trust() and
>> gnutls_set_default_priority() so this should not be our issue.
> Also, on a side note, I have a custom CA (without an immediate) and apt
> and co are happy with it. The other difference to my setup is that
> I place my certificate in /usr/local/share/ca-certificates/ which avoids
> further configuration as update-ca-certificates will pick them up
> directly from there (see its manpage).
>
> It might help if you can check if the chaining is part of the problem
> or what else might be specific to your setup. Perhaps it's the algorithms
> used and e.g. gnutls not implementing the EC curves you used (or
> something like that or not at all – it's just something I ran into in
> the past, although not with gnutls, that worked back then…).
>
>
> Best regards
>
> David Kalnischkies

-- 
aiticon GmbH
Stephanstraße 1
60313 Frankfurt am Main

t. +49 69 795 83 83-0
f. +49 69 795 83 83-28

Managing Director: Matthias Herlitzius
District Court Frankfurt am Main · HRB 79310
VAT ID No.: DE 218319776
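
A check for the setup discussed in this thread, as an added example that is not part of the original messages and not code from apt, gnutls or ca-certificates: it reports whether each certificate placed under /usr/local/share/ca-certificates/ actually reached the bundle that update-ca-certificates generates, and whether the bundle itself contains undecodable blocks. The bundle path /etc/ssl/certs/ca-certificates.crt, the `.crt` suffix and PEM requirements, and the function names are assumptions about a default Debian install, not details taken from the thread.

```python
import base64
import hashlib
import pathlib
import re

# Assumed Debian defaults; both are parameters so the check can run anywhere.
LOCAL_DIR = "/usr/local/share/ca-certificates"
BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """Return (set of SHA-256 hex digests of DER blobs, undecodable blocks)."""
    good, bad = set(), 0
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            good.add(hashlib.sha256(der).hexdigest())
        except ValueError:  # binascii.Error is a ValueError subclass
            bad += 1
    return good, bad


def check_local_cas(local_dir=LOCAL_DIR, bundle=BUNDLE):
    """Report, per file under local_dir, whether its certs are in the bundle."""
    bundle_fps, bundle_bad = pem_fingerprints(
        pathlib.Path(bundle).read_text(errors="replace"))
    report = {"bundle_certs": len(bundle_fps),
              "bundle_bad_blocks": bundle_bad, "files": {}}
    root = pathlib.Path(local_dir)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        fps, bad = pem_fingerprints(path.read_text(errors="replace"))
        if path.suffix != ".crt":
            status = "ignored: name does not end in .crt"
        elif bad or not fps:
            status = "not valid PEM"  # e.g. a DER-encoded file
        elif fps <= bundle_fps:
            status = "in bundle"
        else:
            status = "missing from bundle"
        report["files"][str(path.relative_to(root))] = status
    return report


if __name__ == "__main__" and pathlib.Path(BUNDLE).exists():
    print(check_local_cas())
```

A non-zero `bundle_bad_blocks` points at a damaged bundle, which would affect every certificate rather than only the added one.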