ca-certificates bundle incorrectly excludes root CAs with CKA_NSS_SERVER_DISTRUST_AFTER

The build script in ca-certificates incorrectly omits CA roots with a "DistrustAfter" attribute.

See this fix in curl: https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c#diff-672849fde302af412196cdff759aa84b274074a01561227ee4f8c102c1ee346dL556

And curl issue report here: https://github.com/curl/curl/issues/15547

This fix should be included in ca-certificates: https://gitlab.alpinelinux.org/alpine/ca-certificates/-/blob/master/mk-ca-bundle.pl?ref_type=heads#L555-600

https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended

Impact: Any consumers of ca-certificates@20241121-r0 connecting to an Entrust G2-issued certificate will fail outright. The intended behaviour is that leaf certificates issued only after the "distrust after" date should be distrusted. Not all certificates.

changed the description

mentioned in issue aports#16812 (closed)

changed the description

Yes, this just took our connections down to Entrust servers as it seems like Docker re-built their Alpine images a couple hours ago and we deployed :latest shortly after.

marked this issue as related to aports#16815 (closed)

mentioned in commit 45f9e4dd

mentioned in merge request !16 (merged)

Dependabot bumped docker images caused this problem to surface as well. It was caught in a build pipeline for one of them, but caught manually by a user in another environment.

mentioned in commit 103d13b0

mentioned in commit 914471a5

closed with commit 103d13b0

mentioned in commit aports@6629b908

mentioned in commit aports@707ff77a

mentioned in commit aports@147330a4

mentioned in commit aports@7a32ae69

mentioned in commit aports@e8c71d54

mentioned in merge request aports!81136 (merged)