RE: Certificate validity error download.postgresql.org
| От | Cedric Rey |
|---|---|
| Тема | RE: Certificate validity error download.postgresql.org |
| Дата | |
| Msg-id | 34e52bcafa144d0ea59f8bf6abd09b3d@groupemutuel.ch обсуждение исходный текст |
| Ответ на | Re: Certificate validity error download.postgresql.org (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-general |
rpm -q ca-certificates --changelog
* Tue Sep 14 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-72
- Fix expired certificate.
- Removing:
- # Certificate "DST Root CA X3"
As you can see they just remove the old "DST Root CA X3" in the latest el7 ca-certificate version which correct the
problemI had before.
Openssl v1.0.2 is still the default version for Red Hat 7 and is already in the latest version available.
So no, it wasn't a failure to update ca-certificates for "several years" but for several days since the latest
ca-certificatesrpm was release Sep 14 2021.
Anyway thanks for pointing me out that it was an error related to this expired Root CA and not related to postgresql
downloadsite certificate.
Regards,
Cédric
-----Message d'origine-----
De : Tom Lane [mailto:tgl@sss.pgh.pa.us]
Envoyé : jeudi 14 octobre 2021 16:51
À : Christoph Moench-Tegeder <cmt@burggraben.net>
Cc : Cedric Rey <cerey@groupemutuel.ch>; pgsql-general@lists.postgresql.org
Objet : Re: Certificate validity error download.postgresql.org
Christoph Moench-Tegeder <cmt@burggraben.net> writes:
> I do know from my own experience that at least the "old"
> (2020.2.something) Redhat package is missing the new "ISRG Root X1"
> certificate, you'll need version 2021.2.something.
Seems unlikely that it changed that recently, for a couple of reasons:
* AFAICT, Red Hat's policy is to track the Mozilla NSS trusted-CA list exactly. They do update from there only once a
yearor so, but NSS has trusted ISRG Root X1 for five years.
* Looking at "rpm -q ca-certificates --changelog" on a RHEL8 machine, the package maintainer appears to have started a
policyin mid-2019 of listing every single cert addition and removal in the changelog.
None of the updates since then mention ISRG Root X1.
* While Let's Encrypt's list of compatible platforms [1] doesn't mention Red Hat directly, they do say that NSS has
trustedX1 since release 3.26.
According to the changelog, Red Hat adopted that in August 2016:
* Tue Aug 16 2016 Kai Engert <kaie@redhat.com> - 2016.2.9-3
- Revert to the unmodified upstream CA list, changing the legacy trust
to an empty list. Keeping the ca-legacy tool and existing config,
however, the configuration has no effect after this change.
* Tue Aug 16 2016 Kai Engert <kaie@redhat.com> - 2016.2.9-2
- Update to CKBI 2.9 from NSS 3.26 with legacy modifications
So it sure looks from here like Red Hat has trusted the X1 certificate since mid-2016, pretty much the same length of
timeas other major distros. The most probable explanation for the OP's problem seems to be failure to update
ca-certificatesand/or openssl at all for several years.
regards, tom lane
[1] https://letsencrypt.org/docs/certificate-compatibility/
-
https://www.groupemutuel.ch
https://www.facebook.com/groupemutuel.ch
https://twitter.com/Groupe_Mutuel
https://www.linkedin.com/company/groupe-mutuel
https://www.instagram.com/groupemutuel/
--------------------------------
This e-mail may contain confidential and/or privileged information.
If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and
deletethis e-mail.
Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
В списке pgsql-general по дате отправления: