Bug 1190858

Summary: need to remove expired letsencrypt root ca
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: ralph.roth, stefan.kunze
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2021-09-24 13:53:32 UTC 
the current letsencrypt setup will fail october 1st.

Certificate chain
 0 s:CN = opensuse.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

the root level 2 ca will expire sept 30th.
Comment 1 Marcus Meissner 2021-09-24 13:54:03 UTC 
this only is a problem on SLE12 and likely SLE11 ... SLE15 seems to cope nicely.
Comment 2 ralph roth 2021-09-24 14:34:27 UTC 
We assume the man page UPDATE-CA-CERTIFICATES(8) is also wrong:

>> To blacklist certificates symlinks to the respective certificates can be placed in /etc/pki/trust/blacklist

copy instead of symlinking?
Comment 4 Swamp Workflow Management 2021-09-27 13:18:50 UTC 
SUSE-RU-2021:3230-1: An update that has one recommended fix can now be installed.

Category: recommended (important)
Bug References: 1190858
CVE References: 
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE OpenStack Cloud Crowbar 8 (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE OpenStack Cloud 9 (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE OpenStack Cloud 8 (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE Linux Enterprise Server 12-SP5 (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    ca-certificates-mozilla-2.44-12.34.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    ca-certificates-mozilla-2.44-12.34.1
HPE Helion Openstack 8 (src):    ca-certificates-mozilla-2.44-12.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-09-27 13:19:58 UTC 
SUSE-RU-2021:14809-1: An update that has one recommended fix can now be installed.

Category: recommended (important)
Bug References: 1190858
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    openssl-certs-2.44-0.7.24.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openssl-certs-2.44-0.7.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Marcus Meissner 2021-09-29 07:49:59 UTC 
updates submitted
tid written
Comment 8 Swamp Workflow Management 2021-10-01 13:17:18 UTC 
openSUSE-RU-2021:3274-1: An update that has one recommended fix can now be installed.

Category: recommended (important)
Bug References: 1190858
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ca-certificates-mozilla-2.44-18.1
Comment 9 Swamp Workflow Management 2021-10-01 13:22:16 UTC 
SUSE-RU-2021:3274-1: An update that has one recommended fix can now be installed.

Category: recommended (important)
Bug References: 1190858
CVE References: 
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    ca-certificates-mozilla-2.44-18.1
SUSE MicroOS 5.0 (src):    ca-certificates-mozilla-2.44-18.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ca-certificates-mozilla-2.44-18.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ca-certificates-mozilla-2.44-18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 OBSbugzilla Bot 2021-10-02 10:40:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1190858) was mentioned in
https://build.opensuse.org/request/show/922766 Factory / ca-certificates-mozilla
Comment 11 Swamp Workflow Management 2021-10-04 13:18:14 UTC 
SUSE-RU-2021:3278-1: An update that has one recommended fix can now be installed.

Category: recommended (important)
Bug References: 1190858
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise Server for SAP 15 (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise Server 15-LTSS (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE Enterprise Storage 6 (src):    ca-certificates-mozilla-2.44-4.32.1
SUSE CaaS Platform 4.0 (src):    ca-certificates-mozilla-2.44-4.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-10-04 19:24:12 UTC 
openSUSE-RU-2021:1332-1: An update that has one recommended fix can now be installed.

Category: recommended (important)
Bug References: 1190858
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ca-certificates-mozilla-2.44-lp152.2.10.1