Re: [SOLVED] Re: Buster wget: The certificate of 'lists.debian.org' is not trusted

To: debian-user@lists.debian.org
Subject: Re: [SOLVED] Re: Buster wget: The certificate of 'lists.debian.org' is not trusted
From: David Wright <deblis@lionunicorn.co.uk>
Date: Tue, 5 Oct 2021 11:12:09 -0500
Message-id: <[🔎] 20211005161209.GC11581@axis.corp>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20211002061559.GA3383@tuxteam.de>
References: <[🔎] 25101368212372253588@scdbackup.webframe.org> <[🔎] 25591368213798433903@scdbackup.webframe.org> <[🔎] 20211001201822.GB6726@axis.corp> <[🔎] 20211002061559.GA3383@tuxteam.de>

On Sat 02 Oct 2021 at 08:15:59 (+0200), tomas@tuxteam.de wrote:
> On Fri, Oct 01, 2021 at 03:18:22PM -0500, David Wright wrote:
> 
> [...]
> 
> > I have a buster system that was up-to-date from the last point-release
> > and kernel (2021-09-10  18:22:47).
> > 
> > The only certificate expiration problem I have observed (and still
> > observe, having taken no action) is with apt-listbugs:
> 
> [...]
> 
> > However, my next thought was to temporarily move my
> > /etc/apt/apt.conf file, which contains just the one proxy
> > line pointing at apt-cacher-ng, with the result that
> > apt-listbugs was able to run without any problem.
> 
> I understand correctly: using apt-cacher-ng somehow breaks
> certificate validation for apt-listbugs?

Yes. Here's a summary. Note that I had DST_Root_CA_X3.crt as
trusted in /etc/ssl/ until after it expired, and its expiry
caused no problems with browsers, package downloads etc, but
only this symptom. Since then, I have removed it from
/etc/ca-certificates.conf using the ! mechanism, yet this
symptom persists as shown here:

——✄——

# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
125 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Replacing debian:ACCVRAIZ1.pem
[ … ]
Replacing debian:DigiCert_Trusted_Root_G4.pem
Replacing debian:D-TRUST_Root_Class_3_CA_2_2009.pem
[ … ]
Replacing debian:ISRG_Root_X1.pem
[ … ]
Replacing debian:emSign_Root_CA_-_G1.pem
done.
done.
# logout
$ cat /etc/apt/apt.conf 
#Acquire::http::Proxy "http://192.168.1.14:3142/";;
$ apt-listbugs list base-files
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
$ cat /etc/apt/apt.conf 
Acquire::http::Proxy "http://192.168.1.14:3142/";;
$ apt-listbugs list base-files
Retrieving bug reports... 0% Fail
Error retrieving bug reports from the server with the following error message:
E: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)
It could be because your network is down, or because of broken proxy servers, or the BTS server itself is down. Check network configuration and try again
Retry downloading bug information? [Y/n] n
Continue the installation anyway? [y/N] 
E: Exiting with error
$ cat /etc/debian_version 
10.10
$ 

——✄——

AFAICT ISRG_Root_X1.pem points to the ordinary ISRG_Root_X1,
not the cross-signed one, BTW.

So I thought I would investigate a little further by running
apt-listbugs under strace -f. Note that though the apt-cacher-ng
service is running on the same machine, that service is AIUI
not being traced and so is opaque.

99% of the traces (without/with proxy) look the same,
until you pass the three lstat references to
/usr/lib/ruby/vendor_ruby/http/cookie_jar/hash_store.rb
whereupon they diverge.

Without proxy: after 47 lines of faffing about, it reads
/etc/hosts, does some DNS, and appears to communicate
with the University of Oregon, which would seem reasonable.

With proxy: after 222 lines of, I assume, chatting to the
proxy, it opens /usr/lib/ruby/vendor_ruby/httpclient/cacert.pem
and this contains a list of actual certificates, amongst
which, wouldn't you know, is DST Root CA X3.

So the problem lies in ruby, specifically the package
ruby-httpclient, version 2.8.3-2. This might explain
why "random" applications fail while other ones don't.

I verified the above by editing out the DST Root CA X3
certificate from /usr/lib/ruby/vendor_ruby/httpclient/cacert.pem
and restarting apt-cacher-ng.service, whereupon:

——✄——

$ apt-listbugs list base-files
Retrieving bug reports... 0% Fail
Error retrieving bug reports from the server with the following error message:
E: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
It could be because your network is down, or because of broken proxy servers, or the BTS server itself is down. Check network configuration and try again
Retry downloading bug information? [Y/n] n
Continue the installation anyway? [y/N] 
E: Exiting with error
$ 

——✄——

and the error changes from expired to missing as
cacert.pem does not include ISRG Root X1.

Cheers,
David.

Reply to:

References:
- Re: Buster wget: The certificate of 'lists.debian.org' is not trusted
  - From: "Thomas Schmitt" <scdbackup@gmx.net>
- [SOLVED] Re: Buster wget: The certificate of 'lists.debian.org' is not trusted
  - From: "Thomas Schmitt" <scdbackup@gmx.net>
- Re: [SOLVED] Re: Buster wget: The certificate of 'lists.debian.org' is not trusted
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: [SOLVED] Re: Buster wget: The certificate of 'lists.debian.org' is not trusted
  - From: <tomas@tuxteam.de>

Prev by Date: Re: unhappy upgrade
Next by Date: Re: excessive memory use by several gnome programs
Previous by thread: Re: [SOLVED] Re: Buster wget: The certificate of 'lists.debian.org' is not trusted
Next by thread: Re: Buster wget: The certificate of 'lists.debian.org' is not trusted
Index(es):
- Date
- Thread