http://bugzilla.opensuse.org/show_bug.cgi?id=1208210 Bug ID: 1208210 Summary: FUTURE crypto-policy: download (zypper) from download.opensuse.org fails due to 2048-bit intermediate CA certificate Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Minor Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: walter.haidinger@gmx.at QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- More like a feature request: download.opensuse.org has a letsencrypt certificate with a 2048-bit in the intermediate CA chain ("R3" intermediate: https://crt.sh/?caid=183267). Not necessarily a bug but it hurts FUTURE crypto-policy adoption as FUTURE requires at least 3072 bits for certificates. Hence, downloading from download.opensuse.org via curl or zypper fails: update-crypto-policies --set FUTURE zypper ref will show: Error message: SSL certificate problem: CA certificate key too weak Yes, letsencrypt shouldn't use 2048-bit intermediates in 2023 but I don't see that changing before 2025. Still, simply setting the FUTURE crypto-policy shouldn't make zypper fail. Workaround: create a RSA-2048 crypto-policy module: echo "min_rsa_size = 2048" > /etc/crypto-policies/policies/modules/RSA2048.pmod update-crypto-policies --set FUTURE:RSA2048 -- You are receiving this mail because: You are on the CC list for the bug.