Intermediate SSL cert in entropy.ubuntu.com.pem expires on March 8 2023

Bug #2006567 reported by Ferry Boender
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pollinate (Ubuntu) | Triaged | Undecided | Unassigned | |

Bug Description

Pollinate provides a standalone SSL certificate bundle in `/etc/pollinate/entropy.ubuntu.com.pem` for subjects `CN=DigiCert Global Root CA` and `CN=DigiCert SHA2 Secure Server CA`.

The intermediate certificate in that file for subject `CN = DigiCert SHA2 Secure Server CA` is about to expire:

```
  - path: /etc/pollinate/entropy.ubuntu.com.pem
    subject: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
    not after: 2023-03-08 12:00:00
    expires: 28 days
```

I'm not sure whether this will impact the proper operation of Pollinate, or if it will simply use a different certificate path automatically.

This issue seems to exist on at least Ubuntu 18.04 and 20.04, on a fully upgraded installation.

LSB release:

```
lsb_release -rd
Description: Ubuntu 20.04.5 LTS
Release: 20.04
```

Package version:

```
apt-cache policy pollinate
pollinate:
  Installed: 4.33-3ubuntu1.20.04.1
  Candidate: 4.33-3ubuntu1.20.04.1
  Version table:
 *** 4.33-3ubuntu1.20.04.1 500
        500 http://nl.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     4.33-3ubuntu1 500
        500 http://nl.archive.ubuntu.com/ubuntu focal/main amd64 Packages
```

Paride Legovini (paride) wrote :

Hello Ferry and thanks for this bug report. How did you get to the 2023-03-08 expiration date? I get this on a Bionic system:

```
$ openssl x509 -noout -text < /etc/pollinate/entropy.ubuntu.com.pem
[...]
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Validity
    Not Before: Nov 10 00:00:00 2006 GMT
    Not After : Nov 10 00:00:00 2031 GMT
```

And the same on Focal.

Changed in pollinate (Ubuntu):
status: New → Incomplete
Lizard (lizard) wrote :

There are 2 certificates in the mentioned file.
openssl x509 only shows the first certificate.

Use openssl storeutl to get info on both certificates:

```
$ openssl storeutl -noout -text -certs /etc/pollinate/entropy.ubuntu.com.pem | grep -b2 'Not Before'
197- Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
283- Validity
300: Not Before: Nov 10 00:00:00 2006 GMT
349- Not After : Nov 10 00:00:00 2031 GMT
398- Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
--
3435- Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
3521- Validity
3538: Not Before: Mar 8 12:00:00 2013 GMT
3587- Not After : Mar 8 12:00:00 2023 GMT
3636- Subject: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
```

Lizard (lizard)
Changed in pollinate (Ubuntu):
status: Incomplete → Confirmed
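
The difference between the two comments above, as an added example that is not part of the bug report or of pollinate: an expiry check has to walk every certificate in a PEM bundle, because reading only the first one reports the root's 2031 date and misses the intermediate. The function names, the `Example ...` CNs and the skeleton certificates are constructed for illustration (they carry only the fields the parser reads); the two `notAfter` dates mirror those quoted above.

```python
import base64, re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def children(value):  # split DER bytes into the (tag, contents) elements they hold
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def der_time(tag, val):  # UTCTime (0x17): RFC 5280 reads YY >= 50 as 19YY, else 20YY
    s = val.decode("ascii")
    s = (("19" if s[:2] >= "50" else "20") if tag == 0x17 else "") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_info(der):  # (subject CN, notAfter) of one DER-encoded certificate
    tbs = children(children(children(der)[0][1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version field
    cn = None  # tbs is now: serial, signature alg, issuer, validity, subject, ...
    for _, rdn in children(tbs[4][1]):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == b"\x55\x04\x03":  # OID 2.5.4.3, commonName
                cn = value.decode("utf-8", "replace")
    return cn, der_time(*children(tbs[3][1])[1])

def expiring(pem_text, now, days=30):  # looks at every certificate, not only the first
    found = [(i, *cert_info(base64.b64decode(m.group(1))))
             for i, m in enumerate(PEM_RE.finditer(pem_text))]
    return [f for f in found if f[2] <= now + timedelta(days=days)]

def enc(tag, *parts):  # sample helper: DER element, short-form length (< 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(cn, not_after):  # constructed skeleton: only the fields read above
    name = lambda s: enc(0x30, enc(0x31, enc(0x30, enc(6, b"\x55\x04\x03"), enc(12, s.encode()))))
    validity = enc(0x30, enc(0x17, b"130308120000Z"), enc(0x17, not_after))
    tbs = enc(0x30, enc(0xA0, enc(2, b"\x02")), enc(2, b"\x01"), enc(0x30),
              name("Example Root CA"), validity, name(cn))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(enc(0x30, tbs)).decode()

SAMPLE = (sample_cert("Example Root CA", b"311110000000Z")  # constructed: root first,
          + sample_cert("Example Intermediate CA", b"230308120000Z"))  # then intermediate
```

To check a real bundle, pass the file's text and `datetime.now(timezone.utc)` to `expiring()`.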
Lucas Kanashiro (lucaskanashiro) wrote :

I was able to reproduce what Lizard mentioned, marking the bug as Triaged.

Changed in pollinate (Ubuntu):
status: Confirmed → Triaged