List: linux.debian.bugs.dist
From: Julien Cristau <jcristau@debian.org>
To: John Scott
Subject: Bug#1121936: Baltimore CyberTrust Root e
Date: 23 Feb 26 18:30:01

On 12/4/25 22:41, John Scott wrote:
> I was digging into an unrelated issue in GnuPG and noticed this has been
> showing up in logs:
> dirmngr[312195]: enabled debug flags: x509 crypto memory cache memstat hashing ipc dns network lookup extprog keeptmp
> dirmngr[312195.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Certificate expired
> dirmngr[312195.0]: permanently loaded certificates: 149
> dirmngr[312195.0]: runtime cached certificates: 0
> dirmngr[312195.0]: trusted certificates: 149 (149,0,0,0)
>
> At first the "error loading certificate '/etc/ssl/certs/ca-certificates.crt'"
> gave me alarm: that file is a collection of certificates and if a single one
> being expired would cause an error to load the file at all, that'd be very
> bad. To investigate one can run a pipeline like this:
> $ find /usr/share/ca-certificates/mozilla/ -name '*.crt' -a -type f -exec env 'OPENSSL_CONF=""' openssl verify -trusted '{}' '{}' ';' > /dev/null
> C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
> error 10 at 0 depth lookup: certificate has expired
> error /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt: verification failed
>
> That seems to be the only certificate affected.
> $ openssl x509 -nocert -in Baltimore_CyberTrust_Root.crt -enddate
> notAfter=May 12 23:59:00 2025 GMT
>
> There are 150 Mozilla certificates in total as indicated by e.g.
> 'echo /usr/share/ca-certificates/mozilla/*.crt | wc -w', so in saying it
> loaded 149 certificates, it looks like GnuPG did indeed skip over just that
> one and load the rest fine. Therefore its message is kind of a false alarm.
>
> I guess I'm not sure what I'd like to see done about this, but wanted to
> bring this to your attention. Do programs usually handle expiration of a
> certificate in the bundle as gracefully as GnuPG does? Is removing the
> expired root certificate sensible? If there's nothing to be done on the
> ca-certificates side of things, it'd be helpful to leave this bug as a
> "won't fix" to save someone the confusion.
> Thanks

This is pretty much a cosmetic issue as far as I know. It's debatable
whether client libraries should even care about expiration dates on
trust anchors. In any case this root has been removed from the Mozilla
trust store so the latest ca-certificates package removes it.

Cheers,
Julien

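The behaviour the report above measures (one expired anchor in a PEM bundle, the loader skipping it and counting the rest) can be reproduced without a TLS library. The following is an added example, not code from the bug thread, GnuPG or the ca-certificates package: a standard-library-only Python checker that splits a bundle into its PEM blocks, walks each certificate's DER structure down to the validity field, and reports the certificates that fall outside their window while keeping the others, which is the tolerant behaviour John observed in dirmngr. The input is a constructed bundle of three unsigned, certificate-shaped structures (not real roots); `REPORT_TIME` is the date of the report, and the expired sample's notAfter is set to the date the thread quotes for the Baltimore root. `audit_bundle`, `cert_validity`, `split_pem_bundle` and `utc_datetime` are names chosen here, not APIs of any real tool.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def _read_tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, value, offset_after)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime YYMMDDhhmmssZ; century rule from RFC 5280 4.1.2.5.1
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                        # otherwise it must be GeneralizedTime YYYYMMDDhhmmssZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    tag, _, off = _read_tlv(tbs, 0)          # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, off = _read_tlv(tbs, off)      # serialNumber
    _, _, off = _read_tlv(tbs, off)          # signature AlgorithmIdentifier
    _, _, off = _read_tlv(tbs, off)          # issuer Name
    _, validity, _ = _read_tlv(tbs, off)     # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, o = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, o)
    return _parse_time(t1, nb), _parse_time(t2, na)


def audit_bundle(bundle_text, now):
    """Tolerant load: keep every cert inside its validity window, report the rest by index."""
    certs = split_pem_bundle(bundle_text)
    unusable = []
    for i, der in enumerate(certs):
        not_before, not_after = cert_validity(der)
        if not (not_before <= now <= not_after):
            unusable.append((i, not_after.isoformat()))
    return {"total": len(certs), "loaded": len(certs) - len(unusable), "unusable": unusable}


# --- constructed sample input: certificate-shaped DER, unsigned, not real roots ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _utc(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def constructed_cert_pem(cn, not_before, not_after):
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg + name
               + _tlv(0x30, _utc(not_before) + _utc(not_after)) + name
               + _tlv(0x30, b""))            # subjectPublicKeyInfo left empty: only validity is parsed here
    der = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))   # placeholder all-zero signature
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def utc_datetime(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)


SAMPLE_BUNDLE = "".join([
    constructed_cert_pem("Constructed Root A", utc_datetime(2020, 1, 1, 0, 0, 0), utc_datetime(2040, 1, 1, 0, 0, 0)),
    constructed_cert_pem("Constructed Expired Root", utc_datetime(2000, 5, 12, 0, 0, 0), utc_datetime(2025, 5, 12, 23, 59, 0)),
    constructed_cert_pem("Constructed Root B", utc_datetime(2010, 6, 1, 0, 0, 0), utc_datetime(2030, 6, 1, 0, 0, 0)),
])
REPORT_TIME = utc_datetime(2025, 12, 4, 22, 41, 0)   # date of the report quoted above

if __name__ == "__main__":
    print(audit_bundle(SAMPLE_BUNDLE, REPORT_TIME))
```

Run against the sample at `REPORT_TIME` it reports three certificates, two loaded and index 1 unusable, the same shape as dirmngr's "149 of 150" figure. The parser stops at the validity field on purpose; for anything beyond a bundle audit, `openssl verify` as in the report, or a full X.509 library, is the right tool, and a loader that refused the whole file on one stale anchor (the failure mode the report was worried about) would show up here as `loaded == 0` rather than `total - 1`.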