To: cygwin AT cygwin DOT com
From: Jib Style via Cygwin
Reply-To: Jib Style
Subject: Re: Emacs, GnuTLS, and DST Root CA X3
Date: Wed, 06 Oct 2021 16:33:51 -0700
References: <5e7db95b-7904-a991-5257-8c929efadc57 AT SystematicSw DOT ab DOT ca>
List-Id: General Cygwin discussions and problem reports

Good news! My problem is solved.
> From the ca-certificates-letsencrypt-2.50-3 announcement:
>
> > It may be necessary to also remove trust for the already expired DST
> > X3 root CA
>
> I'm still trying to figure out _how_ to do this, although I'm not sure
> whether it should help my situation. I'll report back with the result.

This did the trick.

Regarding the outdated version of GnuTLS available in Cygwin, I see that these trust anchor changes constitute a workaround. Furthermore, I see that ca-certificates-2.50-4 and ca-certificates-letsencrypt-2.50-4 were released, which automate the above quoted process. Very nice!

My final question would be if ca-certificates-letsencrypt will eventually be merged into ca-certificates?

I am now happily browsing the web again in Cygwin Emacs. Thank you to this mailing list and those in IRC who helped me debug the problem. I learned a lot about certificate trust chains in the process!