[ATTN] ca-certificates-letsencrypt maintainer
Brian Inglis
Brian.Inglis@SystematicSW.ab.ca
Mon Jul 15 01:40:16 GMT 2024
On 2024-07-14 13:46, ASSI via Cygwin-apps wrote:
> Brian Inglis via Cygwin-apps writes:
>>> Re-installed last ca-certificates-letsencrypt package and cygport
>>> announce and git send-email are working again.
>
> Then keep it installed one or two months longer, but I will not revive
> that package. The original problem with the R3 cross-signed through X3
> went away at least a year ago already and the last R3 signed
> certificates (that don't have this problem) should expire somewhere in
> the next two or three months latest. New certificates should be signed
> by R10 or R11 already.

Sorry Achim,
But given that it appears the Cygwin certs may require some of these, and they
do not expire until mid-August, might it not have been better to keep the
package around until after then?

>>> Some unexpired letsencrypt certificates should probably have been
>>> migrated to ca-certificates or left in ca-certificates-letsencrypt?
>
> Nope.
>
>> so were any DigiCert certs harmed in the making of this package? ;^>
>
> Bollocks. If installing ca-certificates-letsencrypt fixes it for you,
> then it's either an old TrustID X3 or Let's Encrypt R3 certificate
> (probably the latter) somewhere in the cert chain _plus_ an openssl
> earlier than 1.2 (as these had a bug in cert validation that gets
> triggered during validation of a cross-signed CA).
I do not know how to figure out what is in these cert packages, and what
correlation is significant between those, my email server, cygwin/sourceware
email server, cygport pkg_upload(__pkg_announce) and git send-email.
> Anyway, the current openssl has no problems with either of the servers
> you mentioned:
It seems to me that both /usr/share/cygport/lib/pkg_upload.cygpart
__pkg_announce() and /usr/libexec/git-core/git-send-email send_message() have
Net::SMTP::SSL in common: those perl modules and dependencies all seem to be
5.36, and I have no idea how they link to OpenSSL, but could they eventually
link to the old OpenSSL 1.1.1w, and could that be causing an issue?
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
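
Added example, not part of the original message: one way to answer the two open questions above, namely what a CA certificate bundle actually contains (subject, issuer, expiry) and which OpenSSL build Perl's Net::SSLeay reports. The function names, the 60-day default and the bundle path passed as an argument are assumptions of this example; it needs the `openssl` command and, for the second function, the Net::SSLeay module.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# list_bundle BUNDLE.pem [DAYS]
# Prints one tab-separated line per certificate in a PEM bundle:
#   status  notAfter  subject  issuer
# status is EXPIRING when the certificate expires within DAYS (default 60).
list_bundle() {
    bundle=$1
    days=${2:-60}
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits non-zero if the cert expires within N seconds.
        if openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            status=ok
        else
            status=EXPIRING
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$enddate" "$subject" "$issuer"
    done
    rm -rf "$tmp"
}

# perl_openssl_version
# Prints the OpenSSL version string of the library Net::SSLeay is linked to
# (IO::Socket::SSL, and Net::SMTP::SSL on top of it, go through Net::SSLeay).
perl_openssl_version() {
    perl -MNet::SSLeay -e 'print Net::SSLeay::SSLeay_version(), "\n"'
}

# Run stand-alone as: sh thisfile.sh /path/to/bundle.pem [DAYS]
if [ "$#" -gt 0 ]; then
    list_bundle "$@"
fi
```

Filtering the output with `grep -E 'R3|X3'` shows whether the intermediates and roots named in the thread are present in a given bundle.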