Score:1

Why does Debian 11 still have the expired DST Root CA X3 certificate?


On an up-to-date Debian 11 server, I noticed the expired DST Root CA X3 certificate is still present:

$ grep DST /etc/ca-certificates.conf 
mozilla/DST_Root_CA_X3.crt

This certificate expired last week:

$ openssl x509 -in /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt  -text | grep "Not After"
            Not After : Sep 30 14:01:15 2021 GMT

I know I can disable it (by prepending it with ! in /etc/ca-certificates.conf and running update-ca-certificates), but I'm wondering why Debian keeps this expired certificate. Shouldn't apt upgrade remove it?

My ca-certificates version and my apt sources are the following (after apt-get update/upgrade):

$ dpkg -l | grep ca-certificate
ii  ca-certificates           20210119                       all          Common CA certificates
$ grep -v "^#" /etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security bullseye-security main
deb http://deb.debian.org/debian bullseye-updates main
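As an added example (not part of the original question or of Debian's own tooling), the expiry check and the disable step described above as a small POSIX shell script: it uses openssl x509 -checkend to find expired certificates under the store root, and toggles an entry in a ca-certificates.conf-style file with the "!" prefix, which is what tells update-ca-certificates to skip that certificate. The store root and conf path are parameters that default to Debian's locations; any sample conf contents used with it are constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Debian-style CA store for
# expired certificates and disable an entry the way the question describes
# ("!" prefix in ca-certificates.conf, then update-ca-certificates).
set -eu

# Returns 0 if the PEM certificate in $1 is still valid right now, 1 if it has
# expired (an unparsable file also returns 1). openssl's -checkend with a
# zero-second window answers exactly "is notAfter still in the future".
cert_is_valid() {
    openssl x509 -checkend 0 -noout -in "$1" >/dev/null 2>&1
}

# Print every expired *.crt below store root $1 (default: Debian's
# /usr/share/ca-certificates), relative to that root so the output uses the
# same names as /etc/ca-certificates.conf (e.g. mozilla/DST_Root_CA_X3.crt).
list_expired() {
    root="${1:-/usr/share/ca-certificates}"
    find "$root" -type f -name '*.crt' | sort | while read -r f; do
        if ! cert_is_valid "$f"; then
            printf '%s\n' "${f#"$root"/}"
        fi
    done
}

# Disable certificate $2 in conf file $1 by prefixing its line with "!".
# Exact-line match, so comments and already-disabled ("!name") lines are left
# untouched; calling it twice therefore never produces "!!name".
disable_in_conf() {
    conf="$1"; name="$2"; tmp="${conf}.tmp.$$"
    awk -v n="$name" '$0 == n { print "!" $0; next } { print }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Number of disabled ("!"-prefixed) entries in conf file $1.
count_disabled() {
    grep -c '^!' "$1" || true
}

# Stand-alone use: RUN_AUDIT=1 sh audit.sh [store-root] [conf]
# Lists expired certificates; with DISABLE=1 it also disables them in the conf.
# Run update-ca-certificates afterwards to regenerate /etc/ssl/certs.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    store="${1:-/usr/share/ca-certificates}"
    conf="${2:-/etc/ca-certificates.conf}"
    list_expired "$store" | while read -r name; do
        printf 'expired: %s\n' "$name"
        if [ "${DISABLE:-0}" = 1 ]; then
            disable_in_conf "$conf" "$name"
        fi
    done
fi
```

The exact-line match in disable_in_conf is deliberate: a regex-based sed would need escaping for the dots and slashes in names like mozilla/DST_Root_CA_X3.crt, and a naive prefix rule would double up the "!" on a second run. Editing /etc/ca-certificates.conf needs root, and the edit only takes effect once update-ca-certificates has been run, as the question already notes.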
drookie: Have you tried updating the ca-certificates package?
PierreF: Yes, it stays at the same version and keeps this expired cert. My question is more: is it a "wanted" behaviour on the Debian side to keep this expired cert, or is the newer version of ca-certificates "late"?
Why update a package just because a single certificate is expired? It doesn't hurt if it's there. I'm sure it will be removed at the next regular update cycle of the package.
I don't know what their exact reasoning is, but I imagine it's just not urgent in any way to update the package in relation to this. The cert is expired, so it shouldn't hurt anything (it might even make for a better error message to keep it around). Why are you considering manually disabling the already expired cert? It feels like there is something more to this question than what is explicitly stated.
math: There is harm if it's there: Debian 11 certbot default installs will use this CA to generate CSRs and happily complete the process, only for remote systems to claim it's expired when used. You must upgrade certbot (see the EFF install instructions; neither Debian 11's certbot nor the backports version is new enough) and force a new key: --force-renewal --preferred-chain "ISRG Root X1"