Re: Jessie iceweasel: This Connection is Untrusted

["Thomas Schmitt" <scdbackup@gmx.net>]

Hi,

tomas@tuxteam.de wrote:
> I assume Thomas knows pretty well what he's doing. He'd know much
> better than me, in any case :-)

Regrettably my sysadmin skills are severely underdeveloped.
I am qualified for the task only by being the guy who has Linux at home
and by having made fun of upgrade woes with other kinds of system.


> If I've understood you correctly, you only have to do with a limited
> set of sites.

I would prefer not to rely on an allow-list.

So i currently ponder how to transplant the certificates from a Debian 10
machine.
man update-ca-certificates talks of
  /etc/ssl/certs
  /etc/ca-certificates.conf
  /usr/share/ca-certificates
In the latter i see on Debian 10:
  ./mozilla
with 126 .crt files.
The Debian 8 machine has 172 files in there.
The ca-certificates.conf files seem just to list those files on both
machines.

So a brute force attempt would be to rename the two directories and
the file to other names and to then copy the Debian 10 stuff to the
original names. The new /etc/ssl/certs would start empty and be
populated by update-ca-certificates(8).

Well, same old question: How bad an idea is this ?
What should i read before making such theories ?


Have a nice day :)

Thomas