From: Jack Hill <jackhill@jackhill.us>
To: Giovanni Biscuolo <g@xelera.eu>
Cc: help-guix@gnu.org
Subject: Re: curl server certificate verification failed for a few sites
Date: Thu, 4 Jun 2020 10:40:55 -0400 (EDT) [thread overview]
Message-ID: <alpine.DEB.2.20.2006041034580.5735@marsh.hcoop.net> (raw)
In-Reply-To: <87sgfbkm7g.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
On Thu, 4 Jun 2020, Giovanni Biscuolo wrote:
> Hello Guix,
>
> --8<---------------cut here---------------end--------------->8---
>
> I'm having a strange error with curl from Guix (on a foreign distro):
>
> --8<---------------cut here---------------start------------->8---
> giovanni@roquette: curl -I https://voices.transparency.org
> curl: (60) server certificate verification failed. CAfile: /home/giovanni/.guix-extra-profiles/emacs/emacs/etc/ssl/certs/ca-certificates.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> --8<---------------cut here---------------end--------------->8---
Giovanni,
I think that this is due to the recent AdTrust Root CA cert expiration
[0]. The error wget gives is a little bit better, but you know about the
situation to interpret it correctly:
"""
$ wget "https://voices.transparency.org" -O /dev/null
--2020-06-04 10:37:29-- https://voices.transparency.org/
Resolving voices.transparency.org (voices.transparency.org)...
52.4.225.124, 52.4.240.221, 52.1.119.170, ...
Connecting to voices.transparency.org
(voices.transparency.org)|52.4.225.124|:443... connected.
ERROR: The certificate of ‘voices.transparency.org’ is not trusted.
ERROR: The certificate of ‘voices.transparency.org’ has expired.
"""
In my experience, sometimes this cert expiration is easy to miss by site
administrators or others connecting to the site if they have one of the
intermediate certificates in their trust store. Our nss-certs package
tends not to have such intermediates.
Therefore, I think the fix is for voices.transparency.org to update the
certificate chain/bundle that they are sending.
[0] https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT
Best,
Jack
next prev parent reply other threads:[~2020-06-04 14:41 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-04 13:13 curl server certificate verification failed for a few sites Giovanni Biscuolo
2020-06-04 14:40 ` Jack Hill [this message]
2020-06-04 16:14 ` Giovanni Biscuolo
2020-06-04 16:43 ` Tobias Geerinckx-Rice
2020-06-06 9:16 ` Giovanni Biscuolo
2020-06-06 13:44 ` Marius Bakke
2020-06-08 17:52 ` Giovanni Biscuolo
2020-06-06 14:29 ` Tobias Geerinckx-Rice
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.2006041034580.5735@marsh.hcoop.net \
--to=jackhill@jackhill.us \
--cc=g@xelera.eu \
--cc=help-guix@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).