unofficial mirror of guix-devel@gnu.org 
* nss-certs@3.81: server certificate verification failed. CAfile: /gnu/store/…/ca-certificates.crt CRLfile: none
From: zimoun @ 2022-11-23 16:10 UTC
  To: Guix Devel

Hi,

Well, using nss-certs@3.81, I get this failure,

--8<---------------cut here---------------start------------->8---
$ guix time-machine --commit=785fd09af0e161906e984944ddae363c384b66dd \
       -- show nss-certs | recsel -p version
version: 3.81

$ guix time-machine --commit=785fd09af0e161906e984944ddae363c384b66dd \
       -- shell -CN git nss-certs \
       -- git clone https://gitlab.in2p3.fr/reprovip/reprovip-guix nss-3.81
Cloning into 'nss-3.81'...
fatal: unable to access 'https://gitlab.in2p3.fr/reprovip/reprovip-guix/': server certificate verification failed. CAfile: /gnu/store/h51ffnnqqkydhvgmyd77fhswwcddlan9-profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
--8<---------------cut here---------------end--------------->8---

but it does not happen when running nss-certs@3.71 instead,

--8<---------------cut here---------------start------------->8---
$ guix time-machine --commit=65cabb010e3388d10f9b25ec560bfcfab5f810d4 \
       -- show nss-certs | recsel -p version
version: 3.71

$ guix time-machine --commit=65cabb010e3388d10f9b25ec560bfcfab5f810d4 \
       -- shell -CN git nss-certs \
       -- git clone https://gitlab.in2p3.fr/reprovip/reprovip-guix nss-3.71
Cloning into 'nss-3.71'...
warning: redirecting to https://gitlab.in2p3.fr/reprovip/reprovip-guix.git/
remote: Enumerating objects: 303, done.        
remote: Counting objects: 100% (303/303), done.        
remote: Compressing objects: 100% (140/140), done.        
remote: Total 352 (delta 110), reused 267 (delta 89), pack-reused 49        
Receiving objects: 100% (352/352), 12.23 MiB | 22.01 MiB/s, done.
Resolving deltas: 100% (117/117), done.
--8<---------------cut here---------------end--------------->8---

Is it a bug in Guix nss-certs side?  Or on Gitlab server side?


Cheers,
simon



* Re: nss-certs@3.81: server certificate verification failed. CAfile: /gnu/store/…/ca-certificates.crt CRLfile: none
From: Tobias Geerinckx-Rice @ 2022-11-23 17:18 UTC
  To: zimoun; +Cc: guix-devel


Hi Simon,

zimoun wrote:
> Is it a bug in Guix nss-certs side?  Or on Gitlab server side?

No Guix bug, the server is misconfigured.

It's incorrectly sending an ISRG Root X1 certificate, which chains 
to the expired DST Root CA X3.

It should not send ISRG Root X1 at all.

Kind regards,

T G-R

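The condition described in the reply above can be checked from the "Certificate chain" summary that openssl s_client prints for the certificates a server sends. This is an added example, not part of the original thread; the host gitlab.example.org and the sample output are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample: the "Certificate chain" summary printed by
#   openssl s_client -connect HOST:443 -servername HOST </dev/null
# for a hypothetical host, shaped like the chain described in the reply.
sample_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = gitlab.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Read s_client output on stdin; print "<depth> <subject CN>" for every
# certificate the server sent whose issuer CN equals $1.
sent_certs_issued_by() {
  awk -v want="$1" '
    function cn(s) {                 # value of the CN attribute in a DN
      if (!match(s, "CN ?= ?[^,/]+")) return ""
      s = substr(s, RSTART, RLENGTH)
      sub(/^CN ?= ?/, "", s); sub(/ +$/, "", s)
      return s
    }
    /^ *[0-9]+ s:/ { depth = $1; subj = cn($0); next }   # subject line
    /^ *i:/        { if (cn($0) == want) print depth, subj }  # issuer line
  '
}

# Exit 0 when no certificate in the presented chain was issued by
# DST Root CA X3, non-zero when the server sends such a certificate.
chain_avoids_dst_root() {
  [ -z "$(sent_certs_issued_by 'DST Root CA X3')" ]
}
```

Against a live server, pipe the s_client output into chain_avoids_dst_root; on the constructed sample, sent_certs_issued_by reports the ISRG Root X1 entry at depth 2.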

* Re: nss-certs@3.81: server certificate verification failed. CAfile: /gnu/store/…/ca-certificates.crt CRLfile: none
From: zimoun @ 2022-11-23 20:01 UTC
  To: Tobias Geerinckx-Rice; +Cc: guix-devel

Hi,

On Wed, 23 Nov 2022 at 18:18, Tobias Geerinckx-Rice <me@tobias.gr> wrote:

> It's incorrectly sending an ISRG Root X1 certificate, which chains 
> to the expired DST Root CA X3.
>
> It should not send ISRG Root X1 at all.

Thanks for the explanations.  Reported upstream.

Cheers,
simon

