From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Christoph Moench-Tegeder <cmt(at)burggraben(dot)net> |
Cc: | Cedric Rey <cerey(at)groupemutuel(dot)ch>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Certificate validity error download.postgresql.org |
Date: | 2021-10-14 14:51:26 |
Message-ID: | 766137.1634223086@sss.pgh.pa.us |
Lists: | pgsql-general |
Christoph Moench-Tegeder <cmt(at)burggraben(dot)net> writes:
> I do know from my own experience that at least the "old" (2020.2.something)
> Redhat package is missing the new "ISRG Root X1" certificate, you'll
> need version 2021.2.something.

Seems unlikely that it changed that recently, for a couple of reasons:

* AFAICT, Red Hat's policy is to track the Mozilla NSS trusted-CA
  list exactly. They do update from there only once a year or so,
  but NSS has trusted ISRG Root X1 for five years.

* Looking at "rpm -q ca-certificates --changelog" on a RHEL8 machine,
  the package maintainer appears to have started a policy in mid-2019
  of listing every single cert addition and removal in the changelog.
  None of the updates since then mention ISRG Root X1.

* While Let's Encrypt's list of compatible platforms [1] doesn't mention
  Red Hat directly, they do say that NSS has trusted X1 since release 3.26.
  According to the changelog, Red Hat adopted that in August 2016:

    * Tue Aug 16 2016 Kai Engert <kaie(at)redhat(dot)com> - 2016.2.9-3
    - Revert to the unmodified upstream CA list, changing the legacy trust
      to an empty list. Keeping the ca-legacy tool and existing config,
      however, the configuration has no effect after this change.
    * Tue Aug 16 2016 Kai Engert <kaie(at)redhat(dot)com> - 2016.2.9-2
    - Update to CKBI 2.9 from NSS 3.26 with legacy modifications

So it sure looks from here like Red Hat has trusted the X1 certificate
since mid-2016, pretty much the same length of time as other major
distros. The most probable explanation for the OP's problem seems
to be failure to update ca-certificates and/or openssl at all for
several years.

regards, tom lane
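The diagnosis in the message above, turned into a local check. This is an added shell example, not code from Tom Lane's message or from the PostgreSQL or Red Hat projects. It assumes the RHEL/CentOS bundle path `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, that the extracted bundle labels each certificate with a `# <name>` comment line (the p11-kit extract layout), and that `rpm` is available for the package query; the `2016.2.9-2` threshold is the changelog entry quoted in the message, where the package picked up the NSS 3.26 trust list. The functions `ca_version_at_least`, `installed_ca_version`, `bundle_cert_count`, `bundle_has_label` and `diagnose` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the two things the message
# reasons about: is the installed ca-certificates package at least the
# 2016.2.9-2 build that pulled in NSS 3.26 (which already trusted
# ISRG Root X1), and does the extracted trust bundle actually carry that root?
#
# Assumptions: RHEL/CentOS default bundle path, "# <name>" label comments
# in the bundle, rpm available. Override BUNDLE in the environment if needed.

BUNDLE="${BUNDLE:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"
THRESHOLD="2016.2.9-2"      # version from the changelog quoted in the message
ROOT_LABEL="ISRG Root X1"

# ca_version_at_least INSTALLED THRESHOLD
# Exit 0 if INSTALLED >= THRESHOLD. Versions are split on "." and "-" and
# compared field by field numerically; non-numeric tails such as "el8_4"
# count as 0, so "2021.2.50-80.0.el8_4" sorts above "2016.2.9-2".
ca_version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# installed_ca_version -> "VERSION-RELEASE" of ca-certificates, or "unknown"
# when rpm is absent or the package is not installed.
installed_ca_version() {
    v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' ca-certificates 2>/dev/null) || v=unknown
    printf '%s\n' "$v"
}

# bundle_cert_count FILE -> number of PEM certificate blocks in FILE
bundle_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null || true
}

# bundle_has_label FILE LABEL -> exit 0 if some whole line reads "# LABEL"
bundle_has_label() {
    grep -qxF -- "# $2" "$1" 2>/dev/null
}

# diagnose -> human-readable report following the reasoning in the message
diagnose() {
    ver=$(installed_ca_version)
    echo "ca-certificates package: $ver"
    if [ "$ver" = unknown ]; then
        echo "  (no rpm query possible; check your package manager by hand)"
    elif ca_version_at_least "$ver" "$THRESHOLD"; then
        echo "  >= $THRESHOLD, so the NSS 3.26 trust list (incl. $ROOT_LABEL) should be in"
    else
        echo "  older than $THRESHOLD: the package has not been updated in years"
    fi
    if [ -r "$BUNDLE" ]; then
        echo "trust bundle $BUNDLE: $(bundle_cert_count "$BUNDLE") certificates"
        if bundle_has_label "$BUNDLE" "$ROOT_LABEL"; then
            echo "  $ROOT_LABEL present"
        else
            echo "  $ROOT_LABEL not found (stale package, or a bundle without label comments)"
        fi
    else
        echo "trust bundle $BUNDLE not readable"
    fi
}

diagnose
```

Run it as `sh check-ca.sh`; on a non-RPM system it reports `unknown` and falls back to the bundle scan alone. A missing label on a recent package usually means the bundle was generated without comments (or from a different source), so confirm with `openssl s_client` or `trust list` before concluding the root is absent.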