To: cygwin@cygwin.com
From: Jib Style
Subject: Re: Emacs, GnuTLS, and DST Root CA X3
Date: Wed, 06 Oct 2021 16:33:51 -0700
References: <5e7db95b-7904-a991-5257-8c929efadc57@SystematicSw.ab.ca>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (cygwin)

Good news! My problem is solved.

> From the ca-certificates-letsencrypt-2.50-3 announcement:
>
> > It may be necessary to also remove trust for the already expired DST
> > X3 root CA
>
> I'm still trying to figure out _how_ to do this, although I'm not sure
> whether it should help my situation. I'll report back with the result.

This did the trick.

Regarding the outdated version of GnuTLS available in Cygwin, I see that these trust anchor changes constitute a workaround.
Furthermore, I see that ca-certificates-2.50-4 and ca-certificates-letsencrypt-2.50-4 were released, which automate the above quoted process. Very nice!

My final question would be if ca-certificates-letsencrypt will eventually be merged into ca-certificates?

I am now happily browsing the web again in Cygwin Emacs. Thank you to this mailing list and those in IRC who helped me debug the problem. I learned a lot about certificate trust chains in the process!