Investigate and remove CA pinning

See also bug 1381359 - an example of a routine SRU updating the pin.

Original design principle: https://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html

"""
Q: What about SSL compromises, or CA Man-in-the-Middle attacks?
A: We are mitigating that by bundling the public certificates in the client.

    The pollinate package ships the public certificate of entropy.ubuntu.com
        /etc/pollinate/entropy.ubuntu.com.pem
        And curl uses this certificate exclusively by default
    If this really is your concern (and perhaps it should be!)
        Add more URLs to the $POOL variable in /etc/default/pollinate
        Put one of those behind your firewall
        You simply need to ensure that at least one of those is outside of the control of your attackers
"""

Status changed to 'Confirmed' because the bug affects multiple users.

For services that are not meant to be accessible by generic clients but that are instead bound to a specific client, then I think the best practice is to avoid the use of a public CA altogether, and rely on a private CA pinned in the client. This removes the (possibly-not-)trusted third party from the game and this is what many smartphone apps are doing, as they're the only consumer clients. The downside is of course the burden of properly maintaining a CA.

Again, I think there are good reasons for pinning the certificate (I agree with myself of ~14 months ago). Even better would be to use a certificate generated by a private CA, so there's no third party that can generate a malicious certificate that is trusted by the client. We don't need a third party as Ubuntu "owns" both the sides of the channel to secure (entropy.ubuntu.com:443 and the pollinate package).

As of today the entropy.ubuntu.com is still issues by DigiCert:

Certificate chain
 0 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = GB, L = London, O = Canonical Group Ltd, CN = entropy.ubuntu.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 2 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA

and I didn't hear anymore of plans to switch to Letsencrypt, so I'd say that there's nothing to fix here at the moment, but as I may be missing some aspects of this I'm setting the bug status to Incomplete. I'm still willing to work at it, provided that we agree there's something to do!

[Expired for pollinate (Ubuntu) because there has been no activity for 60 days.]