Hi all,

Opening this JSON in icecat happens without any error, the connection being described as secure:

https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N

However, doing the same thing with curl errors out:

$ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.

Does anyone have an idea what could be going wrong?
Hi TK

TK <tkprom@protonmail.com> writes:

[...]

> However, doing the same thing with curl errors out:
>
> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>
> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.

This is similar to https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html and it should be fixed in the latest GnuTLS, which is in Guix since commit 8951b9496b5c390adb3b3292d234bb8ab9936c40

Anyway I can confirm that I get the same results as you.

I'm going to investigate if I can add something useful and open a bug (probably upstream?)

happy hacking! Gio'

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
Giovanni Biscuolo <g@xelera.eu> writes:

[...]

>> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>>
>> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>>
>> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
>
> This is similar to
> https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html

No, this is a different issue:

--8<---------------cut here---------------start------------->8---
gnutls-cli actorws.epa.gov
Processed 128 CA certificate(s).
Resolving 'actorws.epa.gov:443'...
Connecting to '134.67.99.60:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
	Public Key ID:
		sha1:884a27ada33cc533411036cde08f7c83bee2580e
		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
	Public Key PIN:
		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=

- Certificate[1] info:
 - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
[~]-
--8<---------------cut here---------------end--------------->8---

I'm going to open a bug report upstream (gnutls), thanks for your report.

Best regards, Gio'

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
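For readers wondering what "OCSP response with an unrelated certificate" means mechanically: a stapled OCSP SingleResponse carries a CertID (RFC 6960, section 4.1.1) and the client must recompute that CertID from the presented leaf and its issuer, using the responder's own hash algorithm, before it may rely on the status. The following Python sketch is an added example, not code from this thread or from GnuTLS; the issuer Name DER and the issuer key bits are constructed placeholders, and only the two serial numbers are taken from the gnutls-cli output above.

```python
"""CertID matching for a stapled OCSP response (RFC 6960 section 4.1.1).
Added example: not GnuTLS code.  DER inputs below are constructed
placeholders; only the serial numbers come from the thread."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CertID:
    hash_alg: str            # hashAlgorithm named in the response
    issuer_name_hash: bytes  # hash of the leaf's DER-encoded issuer Name
    issuer_key_hash: bytes   # hash of the issuer's subjectPublicKey bits
    serial: int              # serialNumber of the certificate being checked


def cert_id_for(issuer_name_der: bytes, issuer_key_bits: bytes,
                serial: int, hash_alg: str) -> CertID:
    """CertID a correct responder would produce for this leaf.  issuer_key_bits
    is the BIT STRING contents of the issuer SPKI (no tag/length/unused bits)."""
    def digest(data: bytes) -> bytes:
        return hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, digest(issuer_name_der), digest(issuer_key_bits), serial)


def stapled_status_for_leaf(resp: CertID, issuer_name_der: bytes,
                            issuer_key_bits: bytes, leaf_serial: int) -> str:
    """'related' if resp identifies the leaf, else 'unrelated'.  The CertID is
    recomputed with the responder's algorithm: a SHA-256 CertID never equals a
    SHA-1 one, and an unknown algorithm cannot confirm anything."""
    if resp.hash_alg not in ("sha1", "sha256"):
        return "unrelated"
    expected = cert_id_for(issuer_name_der, issuer_key_bits, leaf_serial, resp.hash_alg)
    return "related" if resp == expected else "unrelated"


# Constructed placeholders: DER Name "CN=Example CA" and 32 arbitrary key bits.
ISSUER_NAME_DER = b"\x30\x15\x31\x13\x30\x11\x06\x03\x55\x04\x03\x0c\x0aExample CA"
ISSUER_KEY_BITS = bytes(range(32))
LEAF_SERIAL = 0x0caca7602da89b50c3820b33518c827a   # CN=*.epa.gov, from the thread
OTHER_SERIAL = 0x01fda3eb6eca75c888438b724bcfbc91  # the intermediate CA, from the thread


def demo() -> dict:
    """Three staples: two genuine ones (SHA-1 and SHA-256 CertIDs) and one that
    describes a different certificate, which is the case gnutls-cli rejected."""
    good_sha1 = cert_id_for(ISSUER_NAME_DER, ISSUER_KEY_BITS, LEAF_SERIAL, "sha1")
    good_sha256 = cert_id_for(ISSUER_NAME_DER, ISSUER_KEY_BITS, LEAF_SERIAL, "sha256")
    stale = cert_id_for(ISSUER_NAME_DER, ISSUER_KEY_BITS, OTHER_SERIAL, "sha1")
    return {name: stapled_status_for_leaf(r, ISSUER_NAME_DER, ISSUER_KEY_BITS, LEAF_SERIAL)
            for name, r in (("sha1", good_sha1), ("sha256", good_sha256), ("stale", stale))}
```

A verifier that finds "unrelated" has no usable stapled status for the leaf; GnuTLS treats that as a failed verification, which is the behaviour the output above shows.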
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, 13 August 2020 08:55, Giovanni Biscuolo <g@xelera.eu> wrote:
> Giovanni Biscuolo g@xelera.eu writes:
>
> [...]
>
> > > $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
> > > curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> > > More details here: https://curl.haxx.se/docs/sslcerts.html
> > > ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
> >
> > This is similar to
> > https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html
>
> No, this is a different issue:
>
> --8<---------------cut here---------------start------------->8---
>
> gnutls-cli actorws.epa.gov
>
> Processed 128 CA certificate(s).
> Resolving 'actorws.epa.gov:443'...
> Connecting to '134.67.99.60:443'...
>
> - Certificate type: X.509
>
> - Got a certificate list of 2 certificates.
>
> - Certificate[0] info:
>
> - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
> Public Key ID:
> sha1:884a27ada33cc533411036cde08f7c83bee2580e
> sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
> Public Key PIN:
> pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
>
> - Certificate[1] info:
>
> - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
> |<1>| Got OCSP response with an unrelated certificate.
>
> - Status: The certificate is NOT trusted. The received OCSP status response is invalid.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> [~]-
>
> --8<---------------cut here---------------end--------------->8---
>
>
> I'm going to open a bug report upstream (gnutls), thanks for your
> report.
>
> Best regards, Gio'
>
> ------------------------------------------------------------------------------------------------
>
> Giovanni Biscuolo
>
> Xelera IT Infrastructures

Thanks for confirming this!

I pulled the newest Guix and updated gnutls and that did not solve the issue.

Please let me know when you post the issue, so I can track it.
Hi Todor,

Todor Kondić <tk.code@protonmail.com> writes:

[...]

>> I'm going to open a bug report upstream (gnutls), thanks for your
>> report.

This is the bug report https://gitlab.com/gnutls/gnutls/-/issues/1062

I checked other OCSP issues and I did not understand if this is already fixed in latest GnuTLS releases

> Thanks for confirming this!

(Y)

> I pulled the newest Guix and updated gnutls and that did not solve the
> issue.

Me too, but… I'm not explicitly installing gnutls in my profile (via manifest), I'm just installing curl and in that profile I get:

--8<---------------cut here---------------start------------->8---
giovanni@roquette: gnutls-cli --version
gnutls-cli 3.6.7
Copyright (C) 2000-2020 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and redistribution under the terms of the GNU General Public License, version 3 or later <http://gnu.org/licenses/gpl.html>
Please send bug reports to: <bugs@gnutls.org>
--8<---------------cut here---------------end--------------->8---

But:

--8<---------------cut here---------------start------------->8---
giovanni@roquette: curl --version
curl 7.71.0 (x86_64-unknown-linux-gnu) libcurl/7.71.0 GnuTLS/3.6.14 zlib/1.2.11 libidn2/2.3.0 nghttp2/1.41.0
Release-Date: 2020-06-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
--8<---------------cut here---------------end--------------->8---

curl should use gnutls 3.6.14... I should double check my profile update

I'll report as soon as I understand what's happening

Thanks, Gio'

-- 
Giovanni Biscuolo
Xelera IT Infrastructures