unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed
* Certificate problem with curl, though icecat works
@ 2020-08-11 11:31 TK
  2020-08-12 17:47 ` Giovanni Biscuolo
  0 siblings, 1 reply; 5+ messages in thread
From: TK @ 2020-08-11 11:31 UTC (permalink / raw)
  To: help-guix\@gnu.org


Hi all,

Opening this JSON in icecat happens without any error, the connection being described as secure:
https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N

However, doing the same thing with  curl errors out:

$ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N

curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.

Does anyone have an idea what could be going wrong?






^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Certificate problem with curl, though icecat works
  2020-08-11 11:31 Certificate problem with curl, though icecat works TK
@ 2020-08-12 17:47 ` Giovanni Biscuolo
  2020-08-13  6:55   ` Giovanni Biscuolo
  0 siblings, 1 reply; 5+ messages in thread
From: Giovanni Biscuolo @ 2020-08-12 17:47 UTC (permalink / raw)
  To: TK, help-guix\@gnu.org

[-- Attachment #1: Type: text/plain, Size: 972 bytes --]

Hi TK

TK <tkprom@protonmail.com> writes:

[...]

> However, doing the same thing with  curl errors out:
>
> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>
> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.

This is similar to
https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html

and it should be fixed in the latest GnuTLS, which is in Guix since
commiy 8951b9496b5c390adb3b3292d234bb8ab9936c40

Anyway I can confirm that I get the same results as you.

I'm going to investigare if I can add something useful and open a bug
(probably upstream?)

happy hacking! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Certificate problem with curl, though icecat works
  2020-08-12 17:47 ` Giovanni Biscuolo
@ 2020-08-13  6:55   ` Giovanni Biscuolo
  2020-08-13  8:58     ` Todor Kondić
  0 siblings, 1 reply; 5+ messages in thread
From: Giovanni Biscuolo @ 2020-08-13  6:55 UTC (permalink / raw)
  To: TK, help-guix\@gnu.org

[-- Attachment #1: Type: text/plain, Size: 2377 bytes --]

Giovanni Biscuolo <g@xelera.eu> writes:

[...]

>> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>>
>> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>>
>> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
>
> This is similar to
> https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html

No, this is a different issue:

--8<---------------cut here---------------start------------->8---

gnutls-cli actorws.epa.gov

Processed 128 CA certificate(s).
Resolving 'actorws.epa.gov:443'...
Connecting to '134.67.99.60:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
	Public Key ID:
		sha1:884a27ada33cc533411036cde08f7c83bee2580e
		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
	Public Key PIN:
		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=

- Certificate[1] info:
 - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
[~]-

--8<---------------cut here---------------end--------------->8---

I'm going to open a bug report upstream (gnutls), thanks for your
report.

Best regards, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Certificate problem with curl, though icecat works
  2020-08-13  6:55   ` Giovanni Biscuolo
@ 2020-08-13  8:58     ` Todor Kondić
  2020-08-13 10:26       ` Giovanni Biscuolo
  0 siblings, 1 reply; 5+ messages in thread
From: Todor Kondić @ 2020-08-13  8:58 UTC (permalink / raw)
  To: Giovanni Biscuolo; +Cc: help-guix\\@gnu.org

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, 13 August 2020 08:55, Giovanni Biscuolo <g@xelera.eu> wrote:

> Giovanni Biscuolo g@xelera.eu writes:
>
> [...]
>
> > > $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
> > > curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> > > More details here: https://curl.haxx.se/docs/sslcerts.html
> > > ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
> >
> > This is similar to
> > https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html
>
> No, this is a different issue:
>
> --8<---------------cut here---------------start------------->8---
>
> gnutls-cliactorws.epa.gov
>
> Processed 128 CA certificate(s).
> Resolving 'actorws.epa.gov:443'...
> Connecting to '134.67.99.60:443'...
>
> -   Certificate type: X.509
>
> -   Got a certificate list of 2 certificates.
>
> -   Certificate[0] info:
>
> -   subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer`CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires`2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
>     Public Key ID:
>     sha1:884a27ada33cc533411036cde08f7c83bee2580e
>     sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
>     Public Key PIN:
>     pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
>
> -   Certificate[1] info:
>
> -   subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer`CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires`2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
>     |<1>| Got OCSP response with an unrelated certificate.
>
> -   Status: The certificate is NOT trusted. The received OCSP status response is invalid.
>     *** PKI verification of server certificate failed...
>     *** Fatal error: Error in the certificate.
>     [~]-
>
>     --8<---------------cut here---------------end--------------->8---
>
>
> I'm going to open a bug report upstream (gnutls), thanks for your
> report.
>
> Best regards, Gio'
>
> ------------------------------------------------------------------------------------------------
>
> Giovanni Biscuolo
>
> Xelera IT Infrastructures


Thanks for confirming this! I pulled the newest Guix and updated gnutls and that did not solve the issue. Please let me know when you post the issue, so I can track it.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Certificate problem with curl, though icecat works
  2020-08-13  8:58     ` Todor Kondić
@ 2020-08-13 10:26       ` Giovanni Biscuolo
  0 siblings, 0 replies; 5+ messages in thread
From: Giovanni Biscuolo @ 2020-08-13 10:26 UTC (permalink / raw)
  To: Todor Kondić; +Cc: help-guix\\@gnu.org

[-- Attachment #1: Type: text/plain, Size: 1890 bytes --]

Hi Totor,

Todor Kondić <tk.code@protonmail.com> writes:

[...]

>> I'm going to open a bug report upstream (gnutls), thanks for your
>> report.

This is the bug report https://gitlab.com/gnutls/gnutls/-/issues/1062

I checked other OCSP issues and I did not understand if this is already
fixed in latest GnuTLS releases

> Thanks for confirming this!

(Y)

> I pulled the newest Guix and updated gnutls and that did not solve the
> issue.

Me too, but…

I'm not explicitly installing gnutls in my profile (via manifest), I'm just installing
curl and in that profile I get:

--8<---------------cut here---------------start------------->8---

giovanni@roquette: gnutls-cli --version
gnutls-cli 3.6.7
Copyright (C) 2000-2020 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to:  <bugs@gnutls.org>

--8<---------------cut here---------------end--------------->8---

But:

--8<---------------cut here---------------start------------->8---

giovanni@roquette: curl --version
curl 7.71.0 (x86_64-unknown-linux-gnu) libcurl/7.71.0 GnuTLS/3.6.14 zlib/1.2.11 libidn2/2.3.0 nghttp2/1.41.0
Release-Date: 2020-06-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets

--8<---------------cut here---------------end--------------->8---

curl should use gnutls 3.6.14... I should double check my profile update

I'll report as soon as I understand what's happening

Thanks, Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2020-08-13 10:27 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-11 11:31 Certificate problem with curl, though icecat works TK
2020-08-12 17:47 ` Giovanni Biscuolo
2020-08-13  6:55   ` Giovanni Biscuolo
2020-08-13  8:58     ` Todor Kondić
2020-08-13 10:26       ` Giovanni Biscuolo

unofficial mirror of help-guix@gnu.org 

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://yhetil.org/guix-user/0 guix-user/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 guix-user guix-user/ https://yhetil.org/guix-user \
		help-guix@gnu.org
	public-inbox-index guix-user

Example config snippet for mirrors.
Newsgroups are available over NNTP:
	nntp://news.yhetil.org/yhetil.gnu.guix.user
	nntp://news.gmane.io/gmane.comp.gnu.guix.user


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git