[gnutls-devel] GnuTLS | Unable to verify certificate chain on app.usmobile.com (#1771)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Dec 9 14:34:39 CET 2025
František Krenželok commented: https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2942222823
This is correct behavior, The root certificate `CN=AAA Certificate Services` has been distrusted for TLS by google and Mozilla as is their [policy](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#74-root-ca-lifecycles), this change has propagated to root stores such as ca-certificates on rhel and fedora. The service provider `app.usmobile.com` should have replaced the intermediate with a newly issued cross-signed certificate https://crt.sh/?id=8505503577 or reissued their leaf/server certificate.
Best way to go here is to report it to them.
For a **temporary** fix you could add the aforementioned tls distrusted certificate manually to the client.
Additional resources:
* https://access.redhat.com/solutions/7133942
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2942222823
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20251209/74be7746/attachment.html>
More information about the Gnutls-devel
mailing list