Bug 1722213

Summary: Update ca-certificates
Product: [Fedora] Fedora Reporter: Bob Relyea <rrelyea>
Component: ca-certificatesAssignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 31CC: awilliam, crypto-team, extras-qa, jorton, kengert, pwouters, rrelyea, tmraz, yselkowi
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ca-certificates-2019.2.32-2.fc31 ca-certificates-2020.2.41-1.1.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1689628 Environment:
Last Closed: 2020-06-16 19:54:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1689628    
Bug Blocks: 1722211    

Description Bob Relyea 2019-06-19 17:15:54 UTC 
+++ This bug was initially created as a clone of Bug #1689628 +++

ca-certificates currently matches NSS 3.39 in all current Fedora branches.  That puts us several months behind, during which there have been several additions and removals:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.40_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.41_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.43_release_notes

Please update ca-certificates to match NSS 3.43 ASAP.

--- Additional comment from Yaakov Selkowitz on 2019-05-02 08:09 PDT ---

Update to CKBI 2.30 from NSS 3.43

Scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=34580195
Comment 1 Bob Relyea 2019-06-19 17:45:56 UTC 
fixed in ca-certificates-2019.2.32-2.fc31 for rawhide
Upgrading 2018.2.26 -> 2019.2.32:
*Wed Jun 19 2019 Bob Relyea <rrelyea> 2019.2.32-1.0
 - Update to CKBI 2.32 from NSS 3.44
   Removing: 
    # Certificate "Visa eCommerce Root"
    # Certificate "AC Raiz Certicamara S.A."
    # Certificate "Certplus Root CA G1"
    # Certificate "Certplus Root CA G2"
    # Certificate "OpenTrust Root CA G1"
    # Certificate "OpenTrust Root CA G2"
    # Certificate "OpenTrust Root CA G3"
   Adding: 
    # Certificate "GTS Root R1"
    # Certificate "GTS Root R2"
    # Certificate "GTS Root R3"
    # Certificate "GTS Root R4"
    # Certificate "UCA Global G2 Root"
    # Certificate "UCA Extended Validation Root"
    # Certificate "Certigna Root CA"
    # Certificate "emSign Root CA - G1"
    # Certificate "emSign ECC Root CA - G3"
    # Certificate "emSign Root CA - C1"
    # Certificate "emSign ECC Root CA - C3"
    # Certificate "Hongkong Post Root CA 3"
Comment 2 Ben Cotton 2019-08-13 16:57:24 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.
Comment 3 Ben Cotton 2019-08-13 19:09:58 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.
Comment 4 Adam Williamson 2020-06-16 19:54:25 UTC 
Don't see any reason why this would still be open.
Comment 5 Fedora Update System 2020-06-16 22:56:27 UTC 
FEDORA-2020-dfa2b94854 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-dfa2b94854
Comment 6 Fedora Update System 2020-06-18 13:41:10 UTC 
FEDORA-2020-dfa2b94854 has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-dfa2b94854`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-dfa2b94854

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2020-07-03 01:37:12 UTC 
FEDORA-2020-dfa2b94854 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.