Same issue as stripe/stripe-ruby#1783 - while I worked in the past on this repo, I am not a current user of AM but figured the least I could do is flag it for the current maintainers.
For Stripe specifically it looks like the following certificates are missing from lib/certs/cacerts.pem:
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- Let's Encrypt ISRG Root X2
Similar to the Stripe gem bundling these certs seems to be a historical leftover - from 2007 to be exact. It is not needed anymore on a modern system nor it is this gems responsibility to fix broken installations.
There is also a risk in keeping outdated root certificates around when the larger internet ecosystem (Chrome, Firefox, Apple, Microsoft, etc) have distrusted root certificates due to misuse or breaches. One example is CNNIC, which was removed in cc11644 (2021), well after issues were found by Mozilla in 2015.
Same issue as stripe/stripe-ruby#1783 - while I worked in the past on this repo, I am not a current user of AM but figured the least I could do is flag it for the current maintainers.
For Stripe specifically it looks like the following certificates are missing from
lib/certs/cacerts.pem:Similar to the Stripe gem bundling these certs seems to be a historical leftover - from 2007 to be exact. It is not needed anymore on a modern system nor it is this gems responsibility to fix broken installations.
There is also a risk in keeping outdated root certificates around when the larger internet ecosystem (Chrome, Firefox, Apple, Microsoft, etc) have distrusted root certificates due to misuse or breaches. One example is CNNIC, which was removed in cc11644 (2021), well after issues were found by Mozilla in 2015.