ca-certificates: Symantec CA blacklisted for non-TLS uses

Bug #1913951 reported by Damon Tivel
This bug affects 3 people
Affects                    Status        Importance  Assigned to       Milestone
ca-certificates (Debian)   Fix Released  Unknown
ca-certificates (Ubuntu)   Fix Released  Undecided   Unassigned
  Groovy                   Fix Released  High        Marc Deslauriers
  Hirsute                  Fix Released  Undecided   Unassigned

Bug Description

~$ lsb_release -rd
Description: Ubuntu 20.10
Release: 20.10
~$ apt list --installed | grep ca-certificates

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

ca-certificates/groovy-updates,groovy-security,now 20201027ubuntu0.20.10.1 all [installed,automatic]

Repro steps:

1. Open Terminal.
2. Execute:

  wget https://dot.net/v1/dotnet-install.sh
  chmod +x ./dotnet-install.sh
  ./dotnet-install.sh -c 5.0
  export DOTNET_ROOT=$HOME/.dotnet
  export PATH=$PATH:$HOME/.dotnet
  dotnet new console
  dotnet add package System.Collections.Immutable

Expected result:
  Package restore will succeed.

Actual result:
  Package restore fails with:

  error: NU3028: Package 'System.Collections.Immutable 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain

There has been a planned process to distrust Symantec certificates in the certificate store over the past two years. The Debian ca-certificates package removed this CA for both TLS (expected) and other uses (like timestamping) (unexpected). Trust was added back in a subsequent update. See https://release.debian.org/proposed-updates/stable.html#ca-certificates_20200601~deb10u2 for details.

Damon Tivel (dtivel)
summary: - ca-certificates: Symantec CA blacklisted
+ ca-certificates: Symantec CA blacklisted for non-TLS uses
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Ákos Pintér (akos-pinter) wrote :

You can find every detail about the NuGet incident here: https://github.com/NuGet/Announcements/issues/49#issue-795386700

Marc Deslauriers (mdeslaur) wrote :

Version 20210119 in hirsute-proposed fixes this issue.

The Symantec certs were never blacklisted in focal and earlier, so they aren't affected.

This issue does affect Groovy, but even if we removed the blacklist from the ca-certificates package, the certs will still be blacklisted because of debian bug #743339. We need to investigate how to remove the blacklist in a maintainer script on package upgrade.

Changed in ca-certificates (Ubuntu Groovy):
status: New → Confirmed
Changed in ca-certificates (Ubuntu Hirsute):
status: Confirmed → Fix Committed
Changed in ca-certificates (Ubuntu Groovy):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
Changed in ca-certificates (Debian):
status: Unknown → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

It looks like the reverted blacklist will work fine for new installs of groovy, so I'll be pushing a new version of the ca-certificates package tomorrow with an updated bundle that will solve this issue at the same time.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ca-certificates - 20210119~20.10.1

---------------
ca-certificates (20210119~20.10.1) groovy-security; urgency=medium

  * Update ca-certificates database to 20210119 (LP: #1914064):
    - mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate
      authority bundle to version 2.46.
    - backport certain changes from the Ubuntu 20.10 20210119 package
  * mozilla/blacklist.txt: revert Symantec CA blacklist (LP: #1913951)
    The following root certificates were added back (+):
    + "GeoTrust Primary Certification Authority - G2"
    + "VeriSign Universal Root Certification Authority"

 -- Marc Deslauriers <email address hidden> Mon, 01 Feb 2021 10:14:19 -0500

Changed in ca-certificates (Ubuntu Groovy):
status: Confirmed → Fix Released
Ákos Pintér (akos-pinter) wrote :

The nuget restore command works again on my Ubuntu 20.10 OS; thanks for the fix.

hamid (alias-neo-one) wrote :

Will this issue also be fixed in Focal?

It's currently not possible to connect to Apple Push servers in Ubuntu 20.04 due to the removal of the GeoTrust Global Root which Apple returns in their certificate chain from api.push.apple.com.

```
~ cat /etc/issue
Ubuntu 20.04.2 LTS \n \l

~ apt list ca-certificates -a
Listing... Done
ca-certificates/focal-updates,focal-updates,focal-security,focal-security,now 20210119~20.04.1 all [installed]
ca-certificates/focal,focal 20190110ubuntu1 all

~ echo "Q" | openssl s_client -connect api.push.apple.com:443
CONNECTED(00000003)
depth=1 CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = api.push.apple.com, OU = management:idms.group.533599, O = Apple Inc., ST = California, C = US
   i:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
 1 s:CN = Apple IST CA 2 - G1, OU = Certification Authority, O = Apple Inc., C = US
   i:C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
```

Marc Deslauriers (mdeslaur) wrote :

No, GeoTrust Global CA is no longer to be used and has been removed from the CA list as requested by DigiCert.

Please see:

https://bugzilla.mozilla.org/show_bug.cgi?id=1670769

Damon Tivel (dtivel)
Changed in ca-certificates (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Hugo Correia (hmsc) wrote :

Odd. I can see that the package ca-certificates 20210119~20.10.1 is installed on my Ubuntu 20.10, but I still can't restore my NuGet packages. I'm getting the following error message:
error NU3028: Package 'Microsoft.Extensions.Configuration 3.1.10' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain.

gianmaria canossa (gianmaria-canossa) wrote :

Yes. I can confirm that the package ca-certificates 20210119~20.10.1 makes it possible to restore NuGet packages using "nuget restore". However, invoking the dotnet CLI, e.g. "dotnet restore", yields the same certificate error. Is it possible to solve this certificate issue once and for all?

Marc Deslauriers (mdeslaur) wrote :

It's possible in certain upgrade scenarios that the certs have been permanently blacklisted on your system.

Look at the /etc/ca-certificates.conf file to see if the following two lines start with a "!" character:

mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
mozilla/VeriSign_Universal_Root_Certification_Authority.crt

If they do begin with "!", you need to reconfigure ca-certificates with:

sudo dpkg-reconfigure ca-certificates

That should ask you which certificates to activate. Make sure those two are checked.

Changed in ca-certificates (Debian):
status: Fix Committed → Fix Released
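A scriptable version of the check Marc describes, added here as an example; it is not code from the bug thread or from the ca-certificates package. It works on a constructed ca-certificates.conf-style sample written to a temp file (the real file is /etc/ca-certificates.conf), lists the entries that have been disabled with a leading "!", and counts how many of the two Symantec roots named in the changelog are among them.

```shell
#!/bin/sh
# Added example (not from LP #1913951 or the ca-certificates package).
# In /etc/ca-certificates.conf a line beginning with "!" marks a root that
# update-ca-certificates must NOT install into /etc/ssl/certs.

# Constructed sample config, not a real system file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/ACCVRAIZ1.crt
!mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
!mozilla/VeriSign_Universal_Root_Certification_Authority.crt
mozilla/DigiCert_Global_Root_CA.crt
EOF

# Print every disabled entry (leading "!" stripped), one per line.
disabled_certs() {
    grep '^!' "$1" | sed 's/^!//'
}

# Exit 0 when the named cert is disabled in the config file, 1 otherwise.
# -F: literal match, -x: whole line, -q: no output.
is_disabled() {
    grep -qxF "!$2" "$1"
}

# Print how many of the two roots re-enabled in 20210119~20.10.1 are
# still disabled in the given config (0, 1 or 2).
symantec_disabled_count() {
    n=0
    for c in mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt \
             mozilla/VeriSign_Universal_Root_Certification_Authority.crt; do
        if is_disabled "$1" "$c"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone run against the constructed sample.
echo "Disabled entries in $SAMPLE_CONF:"
disabled_certs "$SAMPLE_CONF"
echo "Symantec roots still disabled: $(symantec_disabled_count "$SAMPLE_CONF")"
```

On a real system, run `symantec_disabled_count /etc/ca-certificates.conf`; a non-zero result means the upgrade left the roots permanently blacklisted, and `sudo dpkg-reconfigure ca-certificates` (re-checking the two entries) followed by a second run of the count is the way to confirm the fix took effect.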
Loic Sharma (loshar-msft) wrote :

Hello,

Will Ubuntu hirsute be affected by this bug? For context, Network Security Services (NSS) 3.63 and newer distrusts Symantec which will cause failures when installing NuGet packages. As per this question, Ubuntu contains NSS 3.63 in hirsute-proposed: https://answers.launchpad.net/ubuntu/+source/ca-certificates/+question/696339

For more information, please see: https://github.com/NuGet/Announcements/issues/56

Best,
Loic
