unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
@ 2021-09-30 20:24 John Cummings
  2021-09-30 20:47 ` John Cummings
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: John Cummings @ 2021-09-30 20:24 UTC (permalink / raw)
  To: 50921


I'm not sure if we are supposed to report infrastructure problems as Emacs bugs, but it should be easy to close if not. I, and at least a few others, have had TLS connection problems to GNU ELPA in the last day or two, with the errors:

|Issued by:          R3
|Issued to:          CN=elpa.gnu.org
|Hostname:           elpa.gnu.org
|Public key:         RSA, signature: RSA-SHA256
|Protocol:           TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
|Security level:     Medium
|Valid:              From 2021-09-28 to 2021-12-27
|
|
|The TLS connection to elpa.gnu.org:443 is insecure for the following
|reasons:
|
|certificate has expired
|certificate could not be verified

It appears that elpa.gnu.org is returning a certificate chain referring to a root certificate that expired today. (More info: https://twitter.com/letsencrypt/status/1443621997288767491) I don't know if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance), but I think it's a safe bet this is the cause of these connection errors.

I confirmed the chain that Emacs is seeing a couple ways. In Emacs 28, the security prompt lets you view certificate details by hitting "d", and in that window I confirmed it is seeing the root cert "CN=DST Root CA X3,O=Digital Signature Trust Co."

I also attached the chain I got by running:
openssl s_client -showcerts -servername elpa.gnu.org -connect elpa.gnu.org:443


Thanks!

[-- Attachment #2: chain.pem --]
[-- Type: application/x-x509-ca-cert, Size: 6016 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-09-30 20:24 bug#50921: GNU ELPA TLS errors: server is returning chain with expired root John Cummings
@ 2021-09-30 20:47 ` John Cummings
  2021-09-30 21:03   ` Eric Abrahamsen
  2021-10-01  5:49 ` Eli Zaretskii
       [not found] ` <handler.50921.D50921.16330674029217.notifdone@debbugs.gnu.org>
  2 siblings, 1 reply; 10+ messages in thread
From: John Cummings @ 2021-09-30 20:47 UTC (permalink / raw)
  To: 50921

John Cummings <john@rootabega.net> wrote:

> It appears that elpa.gnu.org is returning a certificate chain referring
> to a root certificate that expired today. (More info:
> https://twitter.com/letsencrypt/status/1443621997288767491) I don't know
> if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance)

One possibility (and note here that I'm clearly not a TLS expert) is that
Firefox recognizes the intermediate cert "ISRG Root X1" as one that is also
now a trusted root cert, and so short circuits the rest of the chain,
ignoring the expired cross-signature. Is this something that is possible
and desirable to have Emacs do with GnuTLS?

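The path-building difference John describes above, as an added model (not code from the thread, Emacs or GnuTLS): the verifier walks issuer links through the server-sent chain and either follows it to its self-signed end, tripping over the expired DST Root CA X3, or stops at the first issuer found in the local trust store, which is what lets a client that trusts ISRG Root X1 directly ignore the expired cross-signature. Certificate names are the ones from the thread; validity dates are constructed stand-ins and no signatures are checked.

```python
"""Toy X.509 path-building model for the expired-root chain discussed in the thread.
Constructed example: only issuer/subject links and validity windows are modelled."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


UTC = timezone.utc
# Chain as the server presented it (constructed dates standing in for the real ones).
LEAF = Cert("CN=elpa.gnu.org", "R3", datetime(2021, 12, 27, tzinfo=UTC))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15, tzinfo=UTC))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, tzinfo=UTC))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, tzinfo=UTC))
SERVER_CHAIN = [R3, ISRG_CROSS, DST_X3]
# Trust store of an up-to-date client: the self-signed ISRG Root X1 is an anchor.
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, tzinfo=UTC))
TRUST_STORE = {c.subject: c for c in (ISRG_SELF, DST_X3)}
NOW = datetime(2021, 9, 30, 20, 24, tzinfo=UTC)  # time of the bug report


def verify(leaf, chain, trust, now, stop_at_anchor):
    """Return (ok, reason). stop_at_anchor=False follows the supplied chain to its
    self-signed end (old-library behaviour); True stops as soon as the issuer of
    the current cert is a trust anchor, so the cross-signed copy is never examined."""
    by_subject = {c.subject: c for c in chain}
    cert, seen = leaf, set()
    while True:
        if cert.not_after < now:
            return False, f"certificate has expired: {cert.subject}"
        seen.add(cert.subject)
        if stop_at_anchor and cert.issuer in trust:
            anchor = trust[cert.issuer]
            return anchor.not_after >= now, f"anchored at {anchor.subject}"
        if cert.issuer == cert.subject:
            return cert.subject in trust, f"self-signed end: {cert.subject}"
        nxt = by_subject.get(cert.issuer)
        if nxt is None or nxt.subject in seen:
            return False, f"certificate could not be verified: {cert.subject}"
        cert = nxt
```

Running both modes on the same chain reproduces the split seen in the thread: the naive walk reports "certificate has expired" at DST Root CA X3, the anchor-aware walk succeeds at ISRG Root X1.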

* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-09-30 20:47 ` John Cummings
@ 2021-09-30 21:03   ` Eric Abrahamsen
  0 siblings, 0 replies; 10+ messages in thread
From: Eric Abrahamsen @ 2021-09-30 21:03 UTC (permalink / raw)
  To: John Cummings; +Cc: 50921

John Cummings <john@rootabega.net> writes:

> John Cummings <john@rootabega.net> wrote:
>
>> It appears that elpa.gnu.org is returning a certificate chain referring
>> to a root certificate that expired today. (More info:
>> https://twitter.com/letsencrypt/status/1443621997288767491) I don't know
>> if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance)
>
> One possibility (and note here that I'm clearly not a TLS expert) is that
> Firefox recognizes the intermediate cert "ISRG Root X1" as one that is also
> now a trusted root cert, and so short circuits the rest of the chain,
> ignoring the expired cross-signature. Is this something that is possible
> and desirable to have Emacs do with GnuTLS?

Not only that: I deleted the offending line from my ~/.ssh/known_hosts,
re-accepted the key as valid (of course I have no idea), and attempted
to pull, and it asked me for my Savannah password -- i.e., did not go to
my local ssh key.

That really made me wonder -- does that mean we've switched machines
altogether, and the new machines don't have our public keys? I don't
know how all these things work well enough to know what's going on, but
it certainly seems broken.


* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-09-30 20:24 bug#50921: GNU ELPA TLS errors: server is returning chain with expired root John Cummings
  2021-09-30 20:47 ` John Cummings
@ 2021-10-01  5:49 ` Eli Zaretskii
       [not found] ` <handler.50921.D50921.16330674029217.notifdone@debbugs.gnu.org>
  2 siblings, 0 replies; 10+ messages in thread
From: Eli Zaretskii @ 2021-10-01  5:49 UTC (permalink / raw)
  To: John Cummings; +Cc: 50921-done

> Date: Thu, 30 Sep 2021 20:24:28 +0000
> From: John Cummings <john@rootabega.net>
> 
> I'm not sure if we are supposed to report infrastructure problems as Emacs bugs, but it should be easy to close if not. I, and at least a few others, have had TLS connection problems to GNU ELPA in the last day or two, with the errors:
> 
> |Issued by:          R3
> |Issued to:          CN=elpa.gnu.org
> |Hostname:           elpa.gnu.org
> |Public key:         RSA, signature: RSA-SHA256
> |Protocol:           TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
> |Security level:     Medium
> |Valid:              From 2021-09-28 to 2021-12-27
> |
> |
> |The TLS connection to elpa.gnu.org:443 is insecure for the following
> |reasons:
> |
> |certificate has expired
> |certificate could not be verified
> 
> It appears that elpa.gnu.org is returning a certificate chain referring to a root certificate that expired today. (More info: https://twitter.com/letsencrypt/status/1443621997288767491) I don't know if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance), but I think it's a safe bet this is the cause of these connection errors.

It isn't our issue, it's a possible issue with gnu.org infrastructure
and "older" TLS libraries.  The issue is known to GNU sysadmins and
they are working on it.  However, what they advise is to upgrade your
TLS libraries.  Here's a quote from what they told me:

  [GNU machines] have a Let's Encrypt cert that is valid, it seems some
  older TLS libraries don't like that it has 2 alternate intermediate
  certificates and one of them expired.

So this is not an Emacs problem, and I'm therefore closing this bug.
If you want to pursue this further, please write to sysadmin@gnu.org.


* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
       [not found] ` <handler.50921.D50921.16330674029217.notifdone@debbugs.gnu.org>
@ 2021-10-04 15:34   ` Glenn Morris
  2021-10-04 19:50     ` Eric Abrahamsen
  2021-10-04 20:21     ` John Cummings
  0 siblings, 2 replies; 10+ messages in thread
From: Glenn Morris @ 2021-10-04 15:34 UTC (permalink / raw)
  To: 50921


Nice summary of what I assume is the same issue at:

http://savannah.nongnu.org/forum/forum.php?forum_id=10054

   If you are experiencing invalid certificate chain problems with Let's
   Encrypt certificates (not a Savannah problem) then please upgrade
   your client to the latest security patches for your system.


* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-10-04 15:34   ` Glenn Morris
@ 2021-10-04 19:50     ` Eric Abrahamsen
  2021-10-04 21:28       ` Glenn Morris
  2021-10-04 20:21     ` John Cummings
  1 sibling, 1 reply; 10+ messages in thread
From: Eric Abrahamsen @ 2021-10-04 19:50 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 50921

Glenn Morris <rgm@gnu.org> writes:

> Nice summary of what I assume is the same issue at:
>
> http://savannah.nongnu.org/forum/forum.php?forum_id=10054
>
>    If you are experiencing invalid certificate chain problems with Let's
>    Encrypt certificates (not a Savannah problem) then please upgrade
>    your client to the latest security patches for your system.

FWIW I had to disable strict checking for this host in order to get ssh
to connect. I'm on Arch Linux, which has no old libraries: if anything,
it's what everyone else can expect in the future.


* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-10-04 15:34   ` Glenn Morris
  2021-10-04 19:50     ` Eric Abrahamsen
@ 2021-10-04 20:21     ` John Cummings
  1 sibling, 0 replies; 10+ messages in thread
From: John Cummings @ 2021-10-04 20:21 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 50921

Since gnu.org has replied to this bug, seemingly on behalf of GNU, I feel fine continuing the dialog. Is there a reason that GNU/FSF wants the servers to present this cert chain?


* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-10-04 19:50     ` Eric Abrahamsen
@ 2021-10-04 21:28       ` Glenn Morris
  2021-10-04 21:38         ` Glenn Morris
  0 siblings, 1 reply; 10+ messages in thread
From: Glenn Morris @ 2021-10-04 21:28 UTC (permalink / raw)
  To: Eric Abrahamsen; +Cc: 50921


?
ssh is unrelated to https, so I think whatever issue you are talking
about is unrelated to the topic of this report.


* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-10-04 21:28       ` Glenn Morris
@ 2021-10-04 21:38         ` Glenn Morris
  2021-10-04 21:47           ` Eric Abrahamsen
  0 siblings, 1 reply; 10+ messages in thread
From: Glenn Morris @ 2021-10-04 21:38 UTC (permalink / raw)
  To: Eric Abrahamsen; +Cc: 50921

Glenn Morris wrote:

> ssh is unrelated to https, so I think whatever issue you are talking
> about is unrelated to the topic of this report.

Perhaps your issue is:
https://savannah.nongnu.org/support/?110545


* bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
  2021-10-04 21:38         ` Glenn Morris
@ 2021-10-04 21:47           ` Eric Abrahamsen
  0 siblings, 0 replies; 10+ messages in thread
From: Eric Abrahamsen @ 2021-10-04 21:47 UTC (permalink / raw)
  To: Glenn Morris; +Cc: 50921


On 10/04/21 17:38 PM, Glenn Morris wrote:
> Glenn Morris wrote:
>
>> ssh is unrelated to https, so I think whatever issue you are talking
>> about is unrelated to the topic of this report.

Gah, you're right, I was confusing the two issues (I started getting the
angry SSH banner about the fingerprint change right at the same time as
the TLS issue was raised, and conflated them in my head).

> Perhaps your issue is:
> https://savannah.nongnu.org/support/?110545

I _also_ had that issue. I ended up solving it by creating a new ssh key
that used ED25519 and using that for my account instead. That worked
fine.

Sorry for the noise,
Eric
