
Lots of warnings for deprecated certificates #180

Closed
cedric-mgx opened this issue Sep 19, 2023 · 4 comments

Comments

@cedric-mgx

cedric-mgx commented Sep 19, 2023

We are currently testing trust-manager and everything works well, but when using the flag useDefaultCAs: true in the bundle we are getting lots of warnings of deprecated certificates in our apps using it.

The trusted certificate with alias [4d249141|cn=staat der nederlanden ev root ca,o=staat der nederlanden,c=nl] and DN [CN=Staat der Nederlanden EV Root CA, O=Staat der Nederlanden, C=NL] is not valid due to [NotAfter: Thu Dec 08 11:10:28 GMT 2022]. Certificates signed by this trusted certificate WILL be accepted
The trusted certificate with alias [f9e67d33|cn=hongkong post root ca 1,o=hongkong post,c=hk] and DN [CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK] is not valid due to [NotAfter: Mon May 15 04:52:29 GMT 2023]. Certificates signed by this trusted certificate WILL be accepted
The trusted certificate with alias [06872603|cn=dst root ca x3,o=digital signature trust co.] and DN [CN=DST Root CA X3, O=Digital Signature Trust Co.] is not valid due to [NotAfter: Thu Sep 30 14:01:15 GMT 2021]. Certificates signed by this trusted certificate WILL be accepted
The trusted certificate with alias [7908b403|cn=sonera class2 ca,o=sonera,c=fi] and DN [CN=Sonera Class2 CA, O=Sonera, C=FI] is not valid due to [NotAfter: Tue Apr 06 07:29:40 GMT 2021]. Certificates signed by this trusted certificate WILL be accepted
The trusted certificate with alias [960adf00|cn=cybertrust global root,o=cybertrust\, inc] and DN [CN=Cybertrust Global Root, O="Cybertrust, Inc"] is not valid due to [NotAfter: Wed Dec 15 08:00:00 GMT 2021]. Certificates signed by this trusted certificate WILL be accepted
The trusted certificate with alias [b0bfd52b|cn=e-tugra certification authority,ou=e-tugra sertifikasyon merkezi,o=e-tuğra ebg bilişim teknolojileri ve hizmetleri a.ş.,l=ankara,c=tr] and DN [CN=E-Tugra Certification Authority, OU=E-Tugra Sertifikasyon Merkezi, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., L=Ankara, C=TR] is not valid due to [NotAfter: Fri Mar 03 12:09:48 GMT 2023]. Certificates signed by this trusted certificate WILL be accepted

I see that the image used in the init container is: quay.io/jetstack/cert-manager-package-debian:20210119.0 and it seems to be the latest one. Is there a more updated version or a path to follow to actually have an updated list of public certificates?

Thanks in advance.
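An added check, not from this issue or from trust-manager itself, that enumerates the expired anchors in a PEM bundle the same way the JVM warning above does (subject and NotAfter for each anchor past its validity). `FindExpiredCAs` and `SelfSignedCA` are this example's own names, and `SelfSignedCA` only fabricates constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// FindExpiredCAs walks every CERTIFICATE block in a PEM bundle (for example the
// one trust-manager writes with useDefaultCAs) and returns subject -> NotAfter
// for each anchor already expired at `now`; this is the set the JVM warns about.
func FindExpiredCAs(bundle []byte, now time.Time) (map[string]time.Time, error) {
	expired := map[string]time.Time{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip non-certificate PEM blocks
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err // a corrupt bundle should fail loudly, not be silently trimmed
		}
		if now.After(cert.NotAfter) {
			expired[cert.Subject.String()] = cert.NotAfter
		}
	}
	return expired, nil
}

// SelfSignedCA is constructed test data only: a self-signed CA certificate with
// the given common name and validity window, encoded as PEM.
func SelfSignedCA(cn string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run it against the bundle trust-manager mounts (for example the ConfigMap/Secret target of the Bundle) to see exactly which anchors trigger the warning; a non-empty result is expected with the bullseye package and by itself does not mean a chain built through those anchors is accepted.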

@cedric-mgx
Author

I see that it still uses the ca-certificates:
bullseye (oldstable) (misc): Common CA certificates
20210119: all

but now there is:
bookworm (stable) (misc): Common CA certificates
20230311: all

@SgtCoDFish
Member

SgtCoDFish commented Sep 20, 2023

Hey, thanks for raising this!

Our "contract" for the debian package we currently provide is that we will give users whatever Debian bullseye has. A large proportion of the internet is going to be using the exact same ca-certificates package (since so much stuff runs on Debian) without issue - I don't think any of those warnings are anything to worry about.

I think it would also be nice to add a bookworm image and maybe even to default to that. We could add other images too! But I don't think there's any practical security risk - because Debian are happy with the way things are!

Adding a bookworm image is pretty low priority at the moment for me, so I'm kinda hoping someone in the community might pick it up and I'd happily review it.

To that end, I'll create an issue for that specifically, and I'll add a good first issue label. EDIT: #183

Does that make sense?

@SgtCoDFish
Member

Also, out of curiosity: which tool is giving those warnings?

@cedric-mgx
Author

Hey, thanks, it's perfect. The ones giving those errors are Java Spring Cloud applications. But I'm sure we'll see this error appear in other places.
