Description of problem: After updating to the latest ca-certificates (2022.2.54-1.0.fc36) the "Microsec e-Szigno Root CA 2009" disappearing from the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file and sites using certificates issued by this CA are stop working. Version-Release number of selected component (if applicable): 2022.2.54-1.0.fc36 How reproducible: Install latest ca-certificates (2022.2.54-1.0.fc36) curl https://gate.gov.hu Actual results: Unkown cert error # curl https://gate.gov.hu curl: (60) SSL certificate problem: self-signed certificate in certificate chain More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
So it's still in certdata.txt with TLS Email and code signing permissions. It's in /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit, but the trust object attributes are missing!
Setting to assigned and raising the priority. This may not be the only cert that has this issue.
ok, there are a number of certs, some of them have been missing for a while. The problem is p11-kit expects the labels on Trust objects and certs to be unique, and appearantly barfs if they aren't (well barfs on the trust objects that aren't). I'll file a separate bug against p11-kit, but for now I'll make sure the merge script I use to merge code-signing certificates generates a unique label for each trust object and cert. bob
Hello. This issue is still present and prevents some hungarian websites from working. It feels like some CA certificates that should be globally trusted not being trusted in fedora is a pretty big regression, especially since it was introduced in a stable version. Workaround for now seems to be to dnf downgrade ca-certificates This worked for me, though I think it only works for chrome and chromium, I've had this issue with firefox even before the latest ca-certificates update. Thanks!
I have patches that fix this, I'm just having build problems on f35 and f36. The rawhide package should be correct.
FEDORA-2022-205041cb1c has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-205041cb1c
I've pushed builds to updates-testing. Please verify those builds fix this issue for you.
FEDORA-2022-205041cb1c has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-205041cb1c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-205041cb1c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
This fixed my issue in both firefox and chrome. Thanks!
FEDORA-2022-205041cb1c has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
Please, help with the testing of the new Fedora 35 package too! https://bodhi.fedoraproject.org/updates/FEDORA-2022-3fc29aa0e1
The new, fixed ca-certificates package is still not available for Fedora 35 from the repo.
That's because you were the only one to give it karma. It needs at least 2 testers, then the developers can push it. It was submitted by time On Thursday (Aug 18) and and pushed on Friday (Aug 19). It should be available now.