
Re: [SOLVED] Re: Jessie iceweasel: This Connection is Untrusted



On 2021-10-02 1:32:21 JST, Thomas Schmitt <scdbackup@gmx.net> wrote:
Hi,

as tomas predicted it can be done by handwork.

Tobias Diekershoff gave a good hint but i was not smart enough to make
use of it before i found out the clicky way.

The solution was to import to iceweasel the certificate file

/etc/ssl/certs/ISRG_Root_X1.pem

Long story:

I replaced the directory trees
/etc/ssl/certs
/usr/share/ca-certificates
and the file
/etc/ca-certificates.conf
by their counterparts of Debian 10. Then i ran
update-ca-certificates
This did not help, even with newly started Iceweasel.

So i clicked my way through Preferences -> Advanced -> Certificates to
button "View Certificates" which offers me an obscure list and a button
"Import". This gives me a file browser which i navigate to /etc/ssl/certs.
There are 128 .pem files from Debian 10.

To reduce the work i diffed the list of .pem files in both /etc/ssl/certs
and began to add those which are new in Debian 10: 49 files.
Many new ones did have no effect. But
/etc/ssl/certs/ISRG_Root_X1.pem
gives me back a lot of those sites which were unaccessible since yesterday.

I will have to wait for complaints to see if any of the previously working
sites still fails. A quick tour over the usual suspects finds none.
I nevertheless invested the clickwork to import the other new .pem files.
Just in case i forget what i did today.


Tobias Diekershoff wrote:
Are the untrusted certificates LetsEncrypt issued certs? Their old
R3 cert (signed by DST Root CA X3) expired Sept 29th (see e.g.
https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190)

Looks like you are right.
In hindsight the hint to "ISRG Root X1" is in there. But i don't understand
their nomenclature. I looked for "DST*R3*.pem" but found no such file
in /etc/ssl/certs. (It's like with man pages: I understand their text only
when i finally found out by trial and error.)

Remaining riddles:

How would i be supposed to find the name of the decisive certificate when
iceweasel refuses?

Another riddle is why wget still does not work without option
--no-check-certificate
I found no hint in its man page about its default stash of certificates.
Will have to go on with research next week ...


Have a nice day :)

Thomas


Hi,

the final solution is:
- disable the certs with an ! before the cert name
  (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt)
- then, rebuild the cert directory
  (update-ca-certificates --fresh)
- then, restart your servers.

HTH
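
The procedure in the reply above (prefix the DST_Root_CA_X3.crt entry with "!" in /etc/ca-certificates.conf, then rebuild), as an added example that is not part of the original posts. The function name disable_ca and the sample file contents are assumptions; entries are matched by file name so a directory prefix such as mozilla/ is handled, and comment lines are left alone.

```shell
#!/bin/sh
# Added example: deselect one CA in a ca-certificates.conf-style file.
# Usage: disable_ca CONF CERT_FILE_NAME   (disable_ca is a hypothetical helper)
# Returns 0 if the entry is (now) deselected, 1 if no such entry exists.
disable_ca() {
    conf=$1 cert=$2
    tmp=$(mktemp) || return 2
    # "#" lines are comments; a leading "!" deselects the certificate.
    # Entries are paths relative to /usr/share/ca-certificates.
    awk -v cert="$cert" '
        /^#/ { print; next }
        {
            entry = $0; sub(/^!/, "", entry)
            n = split(entry, parts, "/")
            if (parts[n] == cert) { found = 1; print "!" entry; next }
            print
        }
        END { exit (found ? 0 : 1) }
    ' "$conf" > "$tmp" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Keep a backup, then rewrite in place so ownership and mode survive.
        cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed sample file (not the real /etc/ca-certificates.conf).
demo_conf=$(mktemp)
printf '%s\n' '# constructed sample' 'mozilla/DST_Root_CA_X3.crt' \
    'mozilla/ISRG_Root_X1.crt' > "$demo_conf"
disable_ca "$demo_conf" DST_Root_CA_X3.crt && cat "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
# On a real system, as root:
#   disable_ca /etc/ca-certificates.conf DST_Root_CA_X3.crt
#   update-ca-certificates --fresh
```

Running the function twice leaves a single "!" on the entry, so it is safe to repeat before each rebuild.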