The upstream Mozilla CA certificates list version 2.1, as released by Mozilla with NSS 3.16.4, removed trust for several old roots, which are considered to have weak keys. The related upstream bugs are:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
https://bugzilla.mozilla.org/show_bug.cgi?id=986005

Unfortunately we see issues with software that uses OpenSSL/GnuTLS after these removals with many popular web sites. The issue is that web sites may be configured to send multiple intermediate CA certificates, intended for maximum compatibility with client software. One intermediate points to one of the removed CA certificates, and a second points to a newer root. The problem is that OpenSSL/GnuTLS don't search for an alternative trusted root after being unable to construct a trust chain for the topmost intermediate CA certificate sent by the servers.

In order to allow more time to implement enhancements or workarounds, the ca-certificates package will temporarily add back trust to the related root CA certificates.
This will be done for Fedora 21 and Rawhide (22), which had already picked up these changes for everyone. In addition, it will be done for Fedora 19 and 20, which so far had these changes only in updates-testing. Adding this change will allow us to ship the other new changes to the stable 19/20 distributions.
I'm adding several files to allow for tracking and review of these changes.
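The alternate-path problem described in the comment above, as an added example that is not part of this bug report or of the ca-certificates package: a constructed test PKI in Go in which the server sends two intermediates for one key, one chaining to a legacy root (not trusted) and one to a newer root (trusted). Go's crypto/x509 verifier keeps exploring after the legacy path dead-ends and finds the chain through the newer root; a chain builder that stops at the first dead end, as described above for OpenSSL/GnuTLS at the time, would report an unknown authority for the same input. All names, keys and serial numbers are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn holding pub (parent == nil: self-signed root); key usage extensions are omitted for brevity.
func issue(cn string, serial int64, ca bool, pub any, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return c
}

// VerifyCrossSigned models the server described in the bug: one intermediate key with two certificates,
// one issued by a legacy root that is no longer trusted and one by a newer root that is. Returns Go's chains.
func VerifyCrossSigned() ([][]*x509.Certificate, error) {
	key := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
	oldK, newK, intK, leafK := key(), key(), key(), key()
	legacyRoot := issue("Legacy Root", 1, true, oldK.Public(), nil, oldK)
	newerRoot := issue("Newer Root", 2, true, newK.Public(), nil, newK)
	intViaLegacy := issue("Intermediate CA", 3, true, intK.Public(), legacyRoot, oldK)
	intViaNewer := issue("Intermediate CA", 4, true, intK.Public(), newerRoot, newK)
	leaf := issue("www.example.test", 5, false, leafK.Public(), intViaLegacy, intK)
	roots := x509.NewCertPool()
	roots.AddCert(newerRoot) // the legacy root is deliberately absent, as after the NSS 3.16.4 removal
	sent := x509.NewCertPool() // the intermediates the server sends with its leaf, legacy path first
	sent.AddCert(intViaLegacy)
	sent.AddCert(intViaNewer)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent})
}

func main() {
	chains, err := VerifyCrossSigned()
	fmt.Println(len(chains), "chain(s) found, error:", err) // expect 1 chain ending at Newer Root, error <nil>
}
```

Removing `sent.AddCert(intViaNewer)` reproduces the failure mode from the client side: with only the legacy path available, no trusted root is reachable and Verify returns an UnknownAuthorityError.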
Created attachment 939722: certdata 1.98, from NSS 3.16.2, which had old roots still trusted
Created attachment 939723: certdata 2.1, from NSS 3.16.4, which removed trust for several legacy roots
Created attachment 939724: non-upstream version, based on certdata 2.1, with several legacy roots re-enabled
ca-certificates-2014.2.1-1.1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.1.fc21
Package ca-certificates-2014.2.1-1.1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ca-certificates-2014.2.1-1.1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-11172/ca-certificates-2014.2.1-1.1.fc21
then log in and leave karma (feedback).
ca-certificates-2014.2.1-1.1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
As a warning, the Equifax root expires in August 2018 and hopefully will be removed from Mozilla soon. Right now GeoTrust is still promoting the use of their GeoTrust to Equifax cross-certificate, and they do issue four-year certificates.