From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <help-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id yOtsFjTkNF8VRwAA0tVLHw
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 13 Aug 2020 06:56:52 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id IDc/EjTkNF8tUAAAB5/wlQ
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 13 Aug 2020 06:56:52 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id CE784940214
	for <larch@yhetil.org>; Thu, 13 Aug 2020 06:56:51 +0000 (UTC)
Received: from localhost ([::1]:42354 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1k67AQ-0000Mw-OU
	for larch@yhetil.org; Thu, 13 Aug 2020 02:56:50 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:33328)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <g@xelera.eu>) id 1k679w-00083z-S1
 for help-guix@gnu.org; Thu, 13 Aug 2020 02:56:21 -0400
Received: from ns13.heimat.it ([46.4.214.66]:35398)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <g@xelera.eu>) id 1k679u-0005Ti-Md
 for help-guix@gnu.org; Thu, 13 Aug 2020 02:56:20 -0400
Received: from localhost (ip6-localhost [127.0.0.1])
 by ns13.heimat.it (Postfix) with ESMTP id 6AE0C3021BA;
 Thu, 13 Aug 2020 06:56:16 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ns13.heimat.it
Received: from ns13.heimat.it ([127.0.0.1])
 by localhost (ns13.heimat.it [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id mg0ykstijYn8; Thu, 13 Aug 2020 06:55:56 +0000 (UTC)
Received: from bourrache.mug.xelera.it (unknown [93.56.169.211])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by ns13.heimat.it (Postfix) with ESMTPSA id 563313021B9;
 Thu, 13 Aug 2020 06:55:56 +0000 (UTC)
Received: from roquette.mug.biscuolo.net (roquette [10.38.2.14])
 by bourrache.mug.xelera.it (Postfix) with SMTP id 05A675C163C;
 Thu, 13 Aug 2020 08:55:55 +0200 (CEST)
Received: (nullmailer pid 29583 invoked by uid 1000);
 Thu, 13 Aug 2020 06:55:53 -0000
From: Giovanni Biscuolo <g@xelera.eu>
To: TK <tkprom@protonmail.com>, "help-guix\\@gnu.org" <help-guix@gnu.org>
Subject: Re: Certificate problem with curl, though icecat works
In-Reply-To: <87y2mj69jy.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
Organization: Xelera.eu
References: <9kSaR15iLCuEyScHdlJ73XpOm85IcNNLxHb6T9PoWPiW6PTiT9eFfsAIStaIyuxzgpZOpCUfYkLP4Y8PaE3jxcKxOryeTFg5BzplBz1esxQ=@protonmail.com>
 <87y2mj69jy.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
Date: Thu, 13 Aug 2020 08:55:52 +0200
Message-ID: <87v9hn591j.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=46.4.214.66; envelope-from=g@xelera.eu;
 helo=ns13.heimat.it
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/08/13 02:56:16
X-ACL-Warn: Detected OS   = Linux 3.11 and newer [fuzzy]
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: help-guix@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/help-guix>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+larch=yhetil.org@gnu.org>
X-Scanner: scn0
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of help-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=help-guix-bounces@gnu.org
X-Spam-Score: -0.61
X-TUID: I+wiHLoUc4uG

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Giovanni Biscuolo <g@xelera.eu> writes:

[...]

>> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?i=
dentifier=3DMKXZASYAUGDDCJ-NJAFHUGGSA-N
>>
>> curl: (60) server certificate verification failed. CAfile: /home/user/.g=
uix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>>
>> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is =
set properly.
>
> This is similar to
> https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html

No, this is a different issue:

=2D-8<---------------cut here---------------start------------->8---

gnutls-cli actorws.epa.gov

Processed 128 CA certificate(s).
Resolving 'actorws.epa.gov:443'...
Connecting to '134.67.99.60:443'...
=2D Certificate type: X.509
=2D Got a certificate list of 2 certificates.
=2D Certificate[0] info:
 - subject `CN=3D*.epa.gov,OU=3DOMS/OITO/EHD,O=3DEnvironmental Protection A=
gency,L=3DDurham,ST=3DNorth Carolina,C=3DUS', issuer `CN=3DDigiCert SHA2 Se=
cure Server CA,O=3DDigiCert Inc,C=3DUS', serial 0x0caca7602da89b50c3820b335=
18c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 =
00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256=3D"o5d2tkYzGNE=
oALzaPpAd5q+Sima2MnbbItE64CpyDCk=3D"
	Public Key ID:
		sha1:884a27ada33cc533411036cde08f7c83bee2580e
		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
	Public Key PIN:
		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=3D

=2D Certificate[1] info:
 - subject `CN=3DDigiCert SHA2 Secure Server CA,O=3DDigiCert Inc,C=3DUS', i=
ssuer `CN=3DDigiCert Global Root CA,OU=3Dwww.digicert.com,O=3DDigiCert Inc,=
C=3DUS', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, sign=
ed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-=
08 12:00:00 UTC', pin-sha256=3D"5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w=
=3D"
|<1>| Got OCSP response with an unrelated certificate.
=2D Status: The certificate is NOT trusted. The received OCSP status respon=
se is invalid.=20
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
[~]-

=2D-8<---------------cut here---------------end--------------->8---

I'm going to open a bug report upstream (gnutls), thanks for your
report.

Best regards, Gio'

=2D-=20
Giovanni Biscuolo

Xelera IT Infrastructures

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERcxjuFJYydVfNLI5030Op87MORIFAl804/kACgkQ030Op87M
ORLFFg//Wlt8teZRHRFKO9bpt+hQY4YBLHBcdI8DBSWNqwkSeyrH5qetLO8T/YzI
QCj9qwnbJkni+JpmJ3p4+WnLJWha20lf80U4ci9S4ScOV6m+TAYoGX5pTsH7/p4A
vOimq3o3/nqp0z5Z4+7ENHaYc23RnoUv87qZ4z+pEHnOM7vwroWcXIwboN2d2083
g5L1RigluNJWi99Eejlw9ULOw77p0gAN12GuiEpOcVCcQfAVAMA6NjQaprtk/zrf
Lb7G/z20sDeT8T82r5frfgvrEAYvjdCDE4fHm5Jw5CS2TIBtl7NiLvPvg0HCaoCn
i4/3iern4IBSayVJ8i3fo8puwt4PS4juoiQfIc0alrNFWKhmb+7zeZvqLaQVSC7L
vUXemSo9V5tzP9xmDWLGvInOYDQ8GyPQPOdPBpD2hhJ5JYsXR80FIzqoFPkt6Ew8
cOliSL3E+NuQBXaCpEbLbKhAyzB1qMfzEXjUaTxp9VpKgccK+XzX9q6WYNpad2yQ
Jahs68H11s+/F9EQ6GXTZVwgIu2x44poFPVJ//gDTMCd5aBPfLJTjdSX5weJuiM+
fEhp4OaI59dLWfVhyjFm8oC3AuLyXcMhLOP+M0K14lxnWP8e9t9CMAJG//PhCnH7
IsC7PSasFlgjTQ6Y/7V7S1nmmFa9cq1anceIlVTuONP6skQtEtQ=
=O96z
-----END PGP SIGNATURE-----
--=-=-=--