Bug 28763

Summary: rootcerts contains an expired CA that stops IPSec VPN from working.
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: RPM Packages Assignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, luigiwalser
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://www.ssl.com/blogs/addtrust-external-ca-root-expired-may-30-2020/
Whiteboard:
Source RPM: rootcerts-20210223.00-1.mga8.src.rpm CVE:
Status comment:

Description Zombie Ryushu 2021-04-11 20:19:18 CEST
rootcerts bug contains an expired I use a third party Closed source VPN. It seems to throw a broken certificate chain error from a CA that expired in May of 2020. The Root Certs need to be updated to remove these Certs.

Key ID
AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A

Comment 1 Lewis Smith 2021-04-12 10:26:20 CEST
Thank you for this report, which we take as "rootcerts [] contains an expired [certificate]. I use ..."

Rootcerts has no dedicated maintainer, so assigning this bug globally; CC'ing DavidW who has most to do with it.

CC: (none) => luigiwalser
Summary: rootcerts bug contains an expired CA that stops IPSec VPN from working. => rootcerts contains an expired CA that stops IPSec VPN from working.
Assignee: bugsquad => pkg-bugs
Source RPM: rootcerts => rootcerts-20210223.00-1.mga8.src.rpm

Comment 2 David Walser 2021-04-12 15:18:28 CEST
If your VPN's TLS certificate is signed by an expired CA cert, then you need to report it to the administrators of your VPN to fix their cert.  Our rootcerts are current.  Note that removing the CA cert won't fix anything for you, it would just change the problem from expired to unrecognized.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 3 Dave Hodgins 2021-04-12 15:57:51 CEST
It's not that simple. See the URL above, which links to the fix at
https://access.redhat.com/articles/5117881

CC: (none) => davidwhodgins

Comment 4 Dave Hodgins 2021-04-12 15:58:23 CEST
Meant to reopen too.

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Comment 5 David Walser 2021-04-12 16:05:49 CEST
Those are not actions to be taken by the packagers.

Resolution: (none) => INVALID
Status: REOPENED => RESOLVED

Comment 6 Zombie Ryushu 2021-04-12 21:38:05 CEST
I've tried to fix it the way described by Red Hat; even using root access, the faulty cert breaking the chain of trust persists.

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Comment 7 David Walser 2021-04-12 21:54:03 CEST
Because your VPN provider needs to fix it.

Status: REOPENED => RESOLVED
Resolution: (none) => INVALID
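
The thread turns on whether the expired certificate sits in the local trust store or in the chain the VPN server presents. The following is an added example, not part of the bug thread or of the rootcerts package: a shell function that lists every certificate in a concatenated PEM file (a CA bundle, or a server chain saved to a file) that is expired or will expire within a given window. The function names and the generated sample certificates are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# list_expiring BUNDLE [SECONDS]
# Prints "subject | notAfter" for each certificate in BUNDLE (concatenated
# PEM) that is not valid SECONDS from now. SECONDS=0 (default) means
# "already expired". Files that fail to parse are reported too.
list_expiring() {
    bundle=$1
    window=${2:-0}
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || continue
        # -checkend exits non-zero if the cert is expired at now+window.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null)
            enddate=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)
            printf '%s | %s\n' "$subject" "$enddate"
        fi
    done
    rm -rf "$tmpdir"
}

# make_sample_bundle DEST
# Builds a constructed two-certificate bundle for trying the function
# offline: one self-signed cert valid for 1 day, one valid for 3650 days.
make_sample_bundle() {
    dest=$1
    work=$(mktemp -d) || return 2
    for spec in "constructed-short-lived:1" "constructed-long-lived:3650"; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/key.pem" \
            -out "$work/cert.pem" -days "${spec##*:}" -subj "/CN=${spec%%:*}" \
            >/dev/null 2>&1 || return 2
        cat "$work/cert.pem" >> "$dest"
    done
    rm -rf "$work"
}
```

Run against the system CA bundle, an empty result means no certificate in the store has expired. Run against the chain a server presents, a hit points at the server side, which is where Comment 2 places the fix.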