Skip to content

Stop bundling root certificates and use the system certs instead #5547

Description

@bdewater-thatch

Same issue as stripe/stripe-ruby#1783 - while I worked in the past on this repo, I am not a current user of AM but figured the least I could do is flag it for the current maintainers.

For Stripe specifically it looks like the following certificates are missing from lib/certs/cacerts.pem:

  • DigiCert TLS ECC P384 Root G5
  • DigiCert TLS RSA4096 Root G5
  • Let's Encrypt ISRG Root X2

Similar to the Stripe gem bundling these certs seems to be a historical leftover - from 2007 to be exact. It is not needed anymore on a modern system nor it is this gems responsibility to fix broken installations.

There is also a risk in keeping outdated root certificates around when the larger internet ecosystem (Chrome, Firefox, Apple, Microsoft, etc) have distrusted root certificates due to misuse or breaches. One example is CNNIC, which was removed in cc11644 (2021), well after issues were found by Mozilla in 2015.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions