From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <help-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id 8OWfIAgI2V7RYQAA0tVLHw
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 04 Jun 2020 14:41:12 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id WBGnHAgI2V45dQAA1q6Kng
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 04 Jun 2020 14:41:12 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 085B694014C
	for <larch@yhetil.org>; Thu,  4 Jun 2020 14:41:12 +0000 (UTC)
Received: from localhost ([::1]:44748 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1jgr3P-0002Np-14
	for larch@yhetil.org; Thu, 04 Jun 2020 10:41:11 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:40100)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jackhill@jackhill.us>)
 id 1jgr3C-0002Ne-Mx
 for help-guix@gnu.org; Thu, 04 Jun 2020 10:40:58 -0400
Received: from minsky.hcoop.net ([104.248.1.95]:56792)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jackhill@jackhill.us>)
 id 1jgr3A-0002a1-N0
 for help-guix@gnu.org; Thu, 04 Jun 2020 10:40:58 -0400
Received: from marsh.hcoop.net ([45.55.52.66])
 by minsky.hcoop.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.89) (envelope-from <jackhill@jackhill.us>)
 id 1jgr39-0001PP-H6; Thu, 04 Jun 2020 10:40:55 -0400
Date: Thu, 4 Jun 2020 10:40:55 -0400 (EDT)
From: Jack Hill <jackhill@jackhill.us>
X-X-Sender: jackhill@marsh.hcoop.net
To: Giovanni Biscuolo <g@xelera.eu>
Subject: Re: curl server certificate verification failed for a few sites
In-Reply-To: <87sgfbkm7g.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
Message-ID: <alpine.DEB.2.20.2006041034580.5735@marsh.hcoop.net>
References: <87sgfbkm7g.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Received-SPF: pass client-ip=104.248.1.95; envelope-from=jackhill@jackhill.us;
 helo=minsky.hcoop.net
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/06/04 10:40:55
X-ACL-Warn: Detected OS   = Linux 3.11 and newer
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_PASS=-0.001,
 URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN
X-Spam_action: no action
Content-Type: text/plain; format=flowed; charset=ISO-8859-7
Content-Transfer-Encoding: 8BIT
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: help-guix@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/help-guix>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=subscribe>
Cc: help-guix@gnu.org
Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+larch=yhetil.org@gnu.org>
X-Scanner: scn0
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of help-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=help-guix-bounces@gnu.org
X-Spam-Score: -0.51
X-TUID: xPMWxz37hCcx

On Thu, 4 Jun 2020, Giovanni Biscuolo wrote:

> Hello Guix,
>
> --8<---------------cut here---------------end--------------->8---
>
> I'm having a strange error with curl from Guix (on a foreign distro):
>
> --8<---------------cut here---------------start------------->8---
> giovanni@roquette: curl -I https://voices.transparency.org
> curl: (60) server certificate verification failed. CAfile: /home/giovanni/.guix-extra-profiles/emacs/emacs/etc/ssl/certs/ca-certificates.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> --8<---------------cut here---------------end--------------->8---

Giovanni,

I think that this is due to the recent AdTrust Root CA cert expiration 
[0]. The error wget gives is a little bit better, but you know about the 
situation to interpret it correctly:

"""
$ wget "https://voices.transparency.org" -O /dev/null
--2020-06-04 10:37:29--  https://voices.transparency.org/
Resolving voices.transparency.org (voices.transparency.org)... 
52.4.225.124, 52.4.240.221, 52.1.119.170, ...
Connecting to voices.transparency.org 
(voices.transparency.org)|52.4.225.124|:443... connected.
ERROR: The certificate of ˇvoices.transparency.org˘ is not trusted.
ERROR: The certificate of ˇvoices.transparency.org˘ has expired.
"""

In my experience, sometimes this cert expiration is easy to miss by site 
administrators or others connecting to the site if they have one of the 
intermediate certificates in their trust store. Our nss-certs package 
tends not to have such intermediates.

Therefore, I think the fix is for voices.transparency.org to update the 
certificate chain/bundle that they are sending.

[0] https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

Best,
Jack