* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
@ 2021-09-30 20:24 John Cummings
From: John Cummings @ 2021-09-30 20:24 UTC (permalink / raw)
To: 50921
I'm not sure if we are supposed to report infrastructure problems as Emacs bugs, but it should be easy to close if not. I, and at least a few others, have had TLS connection problems to GNU ELPA in the last day or two, with the errors:
|Issued by: R3
|Issued to: CN=elpa.gnu.org
|Hostname: elpa.gnu.org
|Public key: RSA, signature: RSA-SHA256
|Protocol: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
|Security level: Medium
|Valid: From 2021-09-28 to 2021-12-27
|
|
|The TLS connection to elpa.gnu.org:443 is insecure for the following
|reasons:
|
|certificate has expired
|certificate could not be verified
It appears that elpa.gnu.org is returning a certificate chain referring to a root certificate that expired today. (More info: https://twitter.com/letsencrypt/status/1443621997288767491) I don't know if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance), but I think it's a safe bet this is the cause of these connection errors.
I confirmed the chain that Emacs is seeing a couple ways. In Emacs 28, the security prompt lets you view certificate details by hitting "d", and in that window I confirmed it is seeing the root cert "CN=DST Root CA X3,O=Digital Signature Trust Co."
I also attached the chain I got by running:
openssl s_client -showcerts -servername elpa.gnu.org -connect elpa.gnu.org:443
Thanks!
[-- Attachment #2: chain.pem --]
[-- Type: application/x-x509-ca-cert, Size: 6016 bytes --]
* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
From: John Cummings @ 2021-09-30 20:47 UTC (permalink / raw)
To: 50921
John Cummings <john@rootabega.net> wrote:
> It appears that elpa.gnu.org is returning a certificate chain referring
> to a root certificate that expired today. (More info:
> https://twitter.com/letsencrypt/status/1443621997288767491) I don't know
> if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance)
One possibility (and note here that I'm clearly not a TLS expert) is that
Firefox recognizes the intermediate cert "ISRG Root X1" as one that is also
now a trusted root cert, and so short circuits the rest of the chain,
ignoring the expired cross-signature. Is this something that is possible
and desirable to have Emacs do with GnuTLS?
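An added illustration of the short-circuit described in the message above (this is example code, not from the thread, Emacs or GnuTLS): a verifier that stops as soon as a certificate's issuer is a trust anchor never reaches the expired cross-signing root, while one that walks the served chain to its end does. The chain is a constructed model; the names and the leaf validity come from the report, the remaining dates are the published Let's Encrypt values and are only illustrative here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry, UTC


def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed model of the chain elpa.gnu.org served on 2021-09-30.
SERVED_CHAIN = [
    Cert("CN=elpa.gnu.org", "CN=R3", utc(2021, 12, 27)),
    Cert("CN=R3", "CN=ISRG Root X1", utc(2025, 9, 15)),
    # ISRG Root X1, cross-signed by the old DST root (the cross-sign itself
    # is still valid; it is the DST root at the end that has expired).
    Cert("CN=ISRG Root X1", "CN=DST Root CA X3", utc(2024, 9, 30)),
    Cert("CN=DST Root CA X3", "CN=DST Root CA X3", utc(2021, 9, 30, 14, 1)),
]
# Trust store that still carries the old DST root next to the new ISRG root.
TRUST_ANCHORS = {"CN=ISRG Root X1", "CN=DST Root CA X3"}
REPORT_TIME = utc(2021, 9, 30, 20, 24)


def verify(chain, anchors, now, stop_at_anchor):
    """Walk the served chain leaf -> root and return (ok, reason).

    stop_at_anchor=True models a path builder (Firefox) that accepts as
    soon as the current cert is issued by a trusted subject, so the
    served cross-signed copy is ignored. False models an older library
    that validates every cert it was handed, up to the served root."""
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return False, f"certificate has expired: {cert.subject}"
        if stop_at_anchor and cert.issuer in anchors:
            return True, f"path ends at trust anchor {cert.issuer}"
        if cert.issuer == cert.subject:  # self-signed: end of served chain
            if cert.subject in anchors:
                return True, f"path ends at self-signed anchor {cert.subject}"
            return False, f"untrusted root {cert.subject}"
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False, f"chain broken at {cert.subject}"
    return False, "no root reached"
```

Run with `stop_at_anchor=False` at the report time to reproduce the "certificate has expired" outcome; the day before, the same walk still succeeds because the DST root had not yet expired.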
* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
From: Eric Abrahamsen @ 2021-09-30 21:03 UTC (permalink / raw)
To: John Cummings; +Cc: 50921
John Cummings <john@rootabega.net> writes:
> John Cummings <john@rootabega.net> wrote:
>
>> It appears that elpa.gnu.org is returning a certificate chain referring
>> to a root certificate that expired today. (More info:
>> https://twitter.com/letsencrypt/status/1443621997288767491) I don't know
>> if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance)
>
> One possibility (and note here that I'm clearly not a TLS expert) is that
> Firefox recognizes the intermediate cert "ISRG Root X1" as one that is also
> now a trusted root cert, and so short circuits the rest of the chain,
> ignoring the expired cross-signature. Is this something that is possible
> and desirable to have Emacs do with GnuTLS?
Not only that: I deleted the offending line from my ~/.ssh/known_hosts,
re-accepted the key as valid (of course I have no idea), and attempted
to pull, and it asked me for my Savannah password -- i.e., it did not go to
my local ssh key.
That really made me wonder -- does that mean we've switched machines
altogether, and the new machines don't have our public keys? I don't
know how all these things work well enough to know what's going on, but
it certainly seems broken.
* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
From: Eli Zaretskii @ 2021-10-01 5:49 UTC (permalink / raw)
To: John Cummings; +Cc: 50921-done
> Date: Thu, 30 Sep 2021 20:24:28 +0000
> From: John Cummings <john@rootabega.net>
>
> I'm not sure if we are supposed to report infrastructure problems as Emacs bugs, but it should be easy to close if not. I, and at least a few others, have had TLS connection problems to GNU ELPA in the last day or two, with the errors:
>
> |Issued by: R3
> |Issued to: CN=elpa.gnu.org
> |Hostname: elpa.gnu.org
> |Public key: RSA, signature: RSA-SHA256
> |Protocol: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
> |Security level: Medium
> |Valid: From 2021-09-28 to 2021-12-27
> |
> |
> |The TLS connection to elpa.gnu.org:443 is insecure for the following
> |reasons:
> |
> |certificate has expired
> |certificate could not be verified
>
> It appears that elpa.gnu.org is returning a certificate chain referring to a root certificate that expired today. (More info: https://twitter.com/letsencrypt/status/1443621997288767491) I don't know if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance), but I think it's a safe bet this is the cause of these connection errors.
It isn't our issue, it's a possible issue with gnu.org infrastructure
and "older" TLS libraries. The issue is known to GNU sysadmins and
they are working on it. However, what they advise is to upgrade your
TLS libraries. Here's a quote from what they told me:
[GNU machines] have a Let's Encrypt cert that is valid; it seems some
older TLS libraries don't like that it has 2 alternate intermediate
certificates and one of them expired.
So this is not an Emacs problem, and I'm therefore closing this bug.
If you want to pursue this further, please write to sysadmin@gnu.org.