From: Todor Kondić
To: Giovanni Biscuolo
Cc: help-guix@gnu.org
Date: Thu, 13 Aug 2020 08:58:04 +0000
Subject: Re: Certificate problem with curl, though icecat works

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, 13 August 2020 08:55, Giovanni Biscuolo wrote:

> Giovanni Biscuolo g@xelera.eu writes:
>
> [...]
>
> > > $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
> > > curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> > > More details here: https://curl.haxx.se/docs/sslcerts.html
> > > ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
> >
> > This is similar to
> > https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html
>
> No, this is a different issue:
>
> --8<---------------cut here---------------start------------->8---
>
> gnutls-cli actorws.epa.gov
>
> Processed 128 CA certificate(s).
> Resolving 'actorws.epa.gov:443'...
> Connecting to '134.67.99.60:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
> - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
>   Public Key ID:
>     sha1:884a27ada33cc533411036cde08f7c83bee2580e
>     sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
>   Public Key PIN:
>     pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
> - Certificate[1] info:
> - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
> |<1>| Got OCSP response with an unrelated certificate.
> - Status: The certificate is NOT trusted. The received OCSP status response is invalid.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> [~]-
>
> --8<---------------cut here---------------end--------------->8---
>
> I'm going to open a bug report upstream (gnutls), thanks for your
> report.
>
> Best regards, Gio'
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures

Thanks for confirming this! I pulled the newest Guix and updated gnutls and that did not solve the issue. Please let me know when you post the issue, so I can track it.
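
The distinction drawn in the thread (a rejected stapled OCSP response rather than a missing CA bundle) can be read mechanically from gnutls-cli output. The following is an added example, not part of the original messages: the sample text is constructed by abbreviating the output quoted above, and the function names `parse_chain` and `triage` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: abbreviated from the gnutls-cli output quoted in the thread.
SAMPLE = """\
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.epa.gov,O=Environmental Protection Agency,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC'
- Certificate[1] info:
 - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC'
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
"""

# One match per "- subject ..." line; ".*?" skips serial/key fields when present.
CERT = re.compile(r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)'.*?"
                  r"activated `(?P<start>[^']*) UTC', expires `(?P<end>[^']*) UTC'")

def parse_chain(text):
    """Return one dict per certificate, in the order the server sent them."""
    return [m.groupdict() for m in CERT.finditer(text)]

def triage(text, now):
    """Name the first check that explains a gnutls-cli verification result."""
    chain = parse_chain(text)
    fmt = "%Y-%m-%d %H:%M:%S"
    for i, cert in enumerate(chain):
        start, end = (datetime.strptime(cert[k], fmt) for k in ("start", "end"))
        if not start <= now <= end:
            return f"certificate[{i}] outside validity period"
    for i in range(len(chain) - 1):
        # Each certificate must be issued by the next one in the list.
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            return f"chain broken between certificate[{i}] and [{i + 1}]"
    status = re.search(r"^- Status: (.*)$", text, re.M)
    if status is None:
        return "no status line"
    if "OCSP status response is invalid" in status.group(1):
        return "stapled OCSP response rejected"
    if "NOT trusted" in status.group(1):
        return "not trusted for another reason: " + status.group(1)
    return "trusted"

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2020, 8, 13, 8, 58)))
```

With the date of the report, both certificates are inside their validity period and the chain links correctly, so the only failing check is the OCSP staple.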