From: Giovanni Biscuolo
To: Jack Hill
Cc: help-guix@gnu.org
Subject: Re: curl server certificate verification failed for a few sites
Date: Thu, 04 Jun 2020 18:14:42 +0200

Hi Jack,

thanks for your help! ...and sorry if this is not Guix specific

Jack Hill writes:

[...]

> I think that this is due to the recent AddTrust Root CA cert expiration
> [0].
> The error wget gives is a little bit better, but you know about the
> situation to interpret it correctly:
>
> """
> $ wget "https://voices.transparency.org" -O /dev/null
> --2020-06-04 10:37:29-- https://voices.transparency.org/
> Resolving voices.transparency.org (voices.transparency.org)...
> 52.4.225.124, 52.4.240.221, 52.1.119.170, ...
> Connecting to voices.transparency.org
> (voices.transparency.org)|52.4.225.124|:443... connected.
> ERROR: The certificate of ‘voices.transparency.org’ is not trusted.
> ERROR: The certificate of ‘voices.transparency.org’ has expired.
> """

oh I see, I get this error also... but I do not understand the different
behaviour with what I see in Firefox (from Debian) or ungoogled-chromium
(from Guix): using one of those browsers the certificate is valid, the
certificate viewer shows that the root in cert hierarchy is "USERTrust RSA
Certification Authority"

The section in [0] titled "Certificate Chain Diagram" states:

--8<---------------cut here---------------start------------->8---
A legacy browser or older device that does not have the modern
“USERTrust” root would not trust it and so would look further up the
chain to a root it does trust, the AddTrust External CA Root. A more
modern browser would have the USERTrust root already installed and trust
it without needing to rely on the older AddTrust root.
--8<---------------cut here---------------end--------------->8---

I do not fully understand why curl and wget return error while Firefox
and ungoogled-chromium do not

[...]

> Therefore, I think the fix is for voices.transparency.org to update the
> certificate chain/bundle that they are sending.
>
> [0]
> https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

this page states:

--8<---------------cut here---------------start------------->8---
Will my certificate still be trusted after May 30, 2020?

Yes.
All modern clients and operating systems have the newer, modern COMODO
and USERTrust roots which don’t expire until 2038.
--8<---------------cut here---------------end--------------->8---

Thanks! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
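
Added example, not part of the original message: a simplified Python model of the chain described in the quoted Sectigo text, comparing a client that stops at the first locally trusted root with one that follows the server-sent chain to its last certificate. The intermediate name, every date except the 30 May 2020 expiry, and the assumption that the failing clients behave like the second mode are constructed for illustration; signatures are not modelled.

```python
from collections import namedtuple
from datetime import date

Cert = namedtuple("Cert", "subject issuer not_after")

USERTRUST = "USERTrust RSA Certification Authority"
ADDTRUST = "AddTrust External CA Root"

# Constructed records. Only the two root names, the 30 May 2020 expiry and
# the year 2038 come from the thread; every other name and date is made up.
SENT = [  # chain as sent by the server: leaf first, cross-signed cert last
    Cert("voices.transparency.org", "Example Intermediate CA", date(2021, 1, 1)),
    Cert("Example Intermediate CA", USERTRUST, date(2030, 1, 1)),
    Cert(USERTRUST, ADDTRUST, date(2020, 5, 30)),  # cross-signature
]
STORE = {  # local trust store, keyed by subject
    USERTRUST: Cert(USERTRUST, USERTRUST, date(2038, 1, 1)),
    ADDTRUST: Cert(ADDTRUST, ADDTRUST, date(2020, 5, 30)),
}

def validate(sent, store, today, trusted_first):
    """Return a verdict string. Only names and dates are checked.

    trusted_first=True : stop at the first certificate whose issuer is a
                         valid local root (what the Sectigo text describes
                         for modern clients).
    trusted_first=False: assumption: walk the whole sent chain and anchor
                         only its last certificate.
    """
    for i, cert in enumerate(sent):
        if cert.not_after < today:
            return f"expired: {cert.subject} (issued by {cert.issuer})"
        anchor = store.get(cert.issuer)
        at_end = i == len(sent) - 1
        if anchor is None or not (trusted_first or at_end):
            continue
        if anchor.not_after >= today:
            return f"ok: anchored at {anchor.subject}"
        if at_end:
            return f"expired root: {anchor.subject}"
    return "untrusted: no anchor found"

if __name__ == "__main__":
    day = date(2020, 6, 4)  # date of the wget run quoted above
    print("trusted-first      :", validate(SENT, STORE, day, True))
    print("full sent chain    :", validate(SENT, STORE, day, False))
    print("chain without cross:", validate(SENT[:2], STORE, day, False))
```

The third call models the fix suggested in the quoted reply: once the server stops sending the cross-signed certificate, both modes anchor at the USERTrust root.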