RE: Certificate validity error download.postgresql.org

From: Cedric Rey <cerey(at)groupemutuel(dot)ch>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Christoph Moench-Tegeder <cmt(at)burggraben(dot)net>
Cc: "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: RE: Certificate validity error download.postgresql.org
Date: 2021-10-14 15:49:25
Message-ID: 34e52bcafa144d0ea59f8bf6abd09b3d@groupemutuel.ch
Lists: pgsql-general

rpm -q ca-certificates --changelog
* Tue Sep 14 2021 Bob Relyea <rrelyea(at)redhat(dot)com> - 2021.2.50-72
- Fix expired certificate.
- Removing:
- # Certificate "DST Root CA X3"

As you can see, they just removed the old "DST Root CA X3" in the latest el7 ca-certificates version, which corrected the problem I had before.

OpenSSL 1.0.2 is still the default version for Red Hat 7, and it is already at the latest version available.

So no, it wasn't a failure to update ca-certificates for "several years" but for several days, since the latest ca-certificates rpm was released Sep 14 2021.

Anyway, thanks for pointing out to me that it was an error related to this expired Root CA and not related to the postgresql download site certificate.

Regards,

Cédric

-----Original Message-----
From: Tom Lane [mailto:tgl(at)sss(dot)pgh(dot)pa(dot)us]
Sent: Thursday 14 October 2021 16:51
To: Christoph Moench-Tegeder <cmt(at)burggraben(dot)net>
Cc: Cedric Rey <cerey(at)groupemutuel(dot)ch>; pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Certificate validity error download.postgresql.org

Christoph Moench-Tegeder <cmt(at)burggraben(dot)net> writes:
> I do know from my own experience that at least the "old"
> (2020.2.something) Redhat package is missing the new "ISRG Root X1"
> certificate, you'll need version 2021.2.something.

Seems unlikely that it changed that recently, for a couple of reasons:

* AFAICT, Red Hat's policy is to track the Mozilla NSS trusted-CA list exactly. They do update from there only once a year or so, but NSS has trusted ISRG Root X1 for five years.

* Looking at "rpm -q ca-certificates --changelog" on a RHEL8 machine, the package maintainer appears to have started a policy in mid-2019 of listing every single cert addition and removal in the changelog.
None of the updates since then mention ISRG Root X1.

* While Let's Encrypt's list of compatible platforms [1] doesn't mention Red Hat directly, they do say that NSS has trusted X1 since release 3.26.
According to the changelog, Red Hat adopted that in August 2016:

* Tue Aug 16 2016 Kai Engert <kaie(at)redhat(dot)com> - 2016.2.9-3
- Revert to the unmodified upstream CA list, changing the legacy trust
to an empty list. Keeping the ca-legacy tool and existing config,
however, the configuration has no effect after this change.

* Tue Aug 16 2016 Kai Engert <kaie(at)redhat(dot)com> - 2016.2.9-2
- Update to CKBI 2.9 from NSS 3.26 with legacy modifications

So it sure looks from here like Red Hat has trusted the X1 certificate since mid-2016, pretty much the same length of time as other major distros. The most probable explanation for the OP's problem seems to be failure to update ca-certificates and/or openssl at all for several years.

regards, tom lane

[1] https://letsencrypt.org/docs/certificate-compatibility/
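The thread above settles on the cause (the expired "DST Root CA X3" still sitting in the RHEL 7 trust store, with OpenSSL 1.0.2 as the client) and the fix (the ca-certificates-2021.2.50-72 update that removes that root). The following is an added example, written for this page and not code from the thread, from OpenSSL or from Red Hat. It is a deliberately small Python model of X.509 path building that shows why those two facts combine into a "certificate has expired" error, and why dropping the expired root from the store is enough to fix it. Two facts it relies on are not stated in the thread but are well established: Let's Encrypt's default chain at the time ended in a copy of ISRG Root X1 cross-signed by DST Root CA X3, and OpenSSL 1.0.2 walks the chain the server presents before consulting the trust store (it only backtracks when it finds no issuer at all), whereas OpenSSL 1.1.0 and later prefer a trust-store certificate as soon as one matches ("trusted first"). The certificates are plain dicts with subject, issuer and expiry; the leaf certificate and the `build_chain` function are constructed for illustration, no real parsing or signature checking happens, and "today" is taken as the date of the e-mail.

```python
"""Toy model of X.509 path building with an expired cross-signing root.

Added example, not code from the mailing-list thread, OpenSSL or Red Hat.
Certificates are dicts; only subject/issuer matching and expiry dates are
modelled, no signature verification or real X.509 parsing.
"""
from datetime import date


def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}


# Constructed sample data. Expiry dates of the CA certificates are the real
# ones; the leaf certificate is invented for the example.
DST_ROOT_X3 = cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT_X1 = cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
# ISRG Root X1 as cross-signed by DST Root CA X3: the last certificate in
# the chain Let's Encrypt servers sent by default in 2021.
ISRG_X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
R3 = cert("R3", "ISRG Root X1", date(2025, 9, 15))
LEAF = cert("download.postgresql.org", "R3", date(2022, 1, 1))  # constructed

PRESENTED = [R3, ISRG_X1_CROSS]                 # extra certs sent by the server
STORE_OLD = [DST_ROOT_X3, ISRG_ROOT_X1]         # RHEL 7 before 2021.2.50-72
STORE_NEW = [ISRG_ROOT_X1]                      # after DST Root CA X3 was removed
TODAY = date(2021, 10, 14)                      # date of the e-mail


def find_issuer(c, pool):
    """Return the first certificate in pool whose subject is c's issuer."""
    return next((x for x in pool if x["subject"] == c["issuer"]), None)


def build_chain(leaf, presented, trust_store, today, trusted_first=False):
    """Model of path building. Returns (ok, [subjects in chain], reason).

    trusted_first=False models OpenSSL 1.0.2: the presented chain is followed
    first and the trust store is consulted only when the presented chain
    runs out. trusted_first=True models OpenSSL 1.1.0+: a trust-store match
    wins as soon as one exists.
    """
    chain = [leaf]
    order = (trust_store, presented) if trusted_first else (presented, trust_store)
    while True:
        anchor, nxt = None, None
        for pool in order:
            hit = find_issuer(chain[-1], pool)
            if hit is None:
                continue
            if pool is trust_store:
                anchor = hit
            else:
                nxt = hit
            break
        if anchor is None and nxt is None:
            # Dead end: no issuer anywhere. Model OpenSSL's alternative-chain
            # retry: drop presented certs until an earlier one chains to the
            # store. Note this retry does NOT happen when an anchor was found
            # but is expired; that is the DST Root CA X3 failure mode.
            while len(chain) > 1 and anchor is None:
                chain.pop()
                anchor = find_issuer(chain[-1], trust_store)
            if anchor is None:
                return False, [c["subject"] for c in chain], "unable to get issuer certificate"
        if anchor is not None:
            full = chain + [anchor]
            expired = [c for c in full if c["not_after"] < today]
            if expired:
                return False, [c["subject"] for c in full], \
                    "certificate has expired: " + expired[0]["subject"]
            return True, [c["subject"] for c in full], "ok"
        if any(c is nxt for c in chain):
            return False, [c["subject"] for c in chain], "loop in presented chain"
        chain.append(nxt)


def main():
    cases = [
        ("OpenSSL 1.0.2, DST Root CA X3 still trusted", STORE_OLD, False),
        ("OpenSSL 1.0.2, DST Root CA X3 removed (el7 2021.2.50-72)", STORE_NEW, False),
        ("OpenSSL 1.1.x (trusted first), DST Root CA X3 still trusted", STORE_OLD, True),
    ]
    for label, store, tf in cases:
        ok, subjects, reason = build_chain(LEAF, PRESENTED, store, TODAY, trusted_first=tf)
        print(f"{label}: {'OK' if ok else 'FAIL'} ({reason})")
        print("   chain: " + " -> ".join(subjects))


if __name__ == "__main__":
    main()
```

The second case is the one Cédric's update produced: once DST Root CA X3 is gone from the store, the cross-signed ISRG Root X1 in the presented chain has no trusted issuer, the builder backs up to R3, and R3's issuer is found as the self-signed ISRG Root X1 that Red Hat had shipped since 2016. The third case shows why hosts on a newer OpenSSL never saw the error even with the expired root still installed.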
