* Certificate problem with curl, though icecat works
@ 2020-08-11 11:31 TK
2020-08-12 17:47 ` Giovanni Biscuolo
0 siblings, 1 reply; 5+ messages in thread
From: TK @ 2020-08-11 11:31 UTC (permalink / raw)
To: help-guix@gnu.org
Hi all,
Opening this JSON in icecat happens without any error, the connection being described as secure:
https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
However, doing the same thing with curl errors out:
$ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html
ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
Does anyone have an idea what could be going wrong?
* Re: Certificate problem with curl, though icecat works
2020-08-11 11:31 Certificate problem with curl, though icecat works TK
@ 2020-08-12 17:47 ` Giovanni Biscuolo
2020-08-13 6:55 ` Giovanni Biscuolo
0 siblings, 1 reply; 5+ messages in thread
From: Giovanni Biscuolo @ 2020-08-12 17:47 UTC (permalink / raw)
To: TK, help-guix@gnu.org
Hi TK
TK <tkprom@protonmail.com> writes:
[...]
> However, doing the same thing with curl errors out:
>
> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>
> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
This is similar to
https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html
and it should be fixed in the latest GnuTLS, which is in Guix since
commit 8951b9496b5c390adb3b3292d234bb8ab9936c40
Anyway I can confirm that I get the same results as you.
I'm going to investigate if I can add something useful and open a bug
(probably upstream?)
happy hacking! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
* Re: Certificate problem with curl, though icecat works
2020-08-12 17:47 ` Giovanni Biscuolo
@ 2020-08-13 6:55 ` Giovanni Biscuolo
2020-08-13 8:58 ` Todor Kondić
0 siblings, 1 reply; 5+ messages in thread
From: Giovanni Biscuolo @ 2020-08-13 6:55 UTC (permalink / raw)
To: TK, help-guix@gnu.org
Giovanni Biscuolo <g@xelera.eu> writes:
[...]
>> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>>
>> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>>
>> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
>
> This is similar to
> https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html
No, this is a different issue:
--8<---------------cut here---------------start------------->8---
gnutls-cli actorws.epa.gov
Processed 128 CA certificate(s).
Resolving 'actorws.epa.gov:443'...
Connecting to '134.67.99.60:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
Public Key ID:
sha1:884a27ada33cc533411036cde08f7c83bee2580e
sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
Public Key PIN:
pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
- Certificate[1] info:
- subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
[~]-
--8<---------------cut here---------------end--------------->8---
I'm going to open a bug report upstream (gnutls), thanks for your
report.
Best regards, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
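The gnutls-cli output above pins the failure down to the stapled OCSP response: the server staples a response that does not name the leaf certificate it presented, and GnuTLS treats that as a hard verification error while IceCat connects without complaint. The following diagnostic is an added example, not code from the thread or from GnuTLS or curl; it makes the same comparison visible by reading the leaf serial and the serial inside the stapled response from openssl's text output. The function names (leaf_serial, ocsp_serial, compare_serials, check_host) and the sample OCSP text are my own; the serials used in the sample are the two from the certificate list above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the serial number inside a
# server's stapled OCSP response with the serial of the leaf certificate it
# presented. A stapled response that names a different certificate is what
# GnuTLS reports as "Got OCSP response with an unrelated certificate".

# Extract the leaf serial from text in `openssl x509 -noout -serial` format
# ("serial=0CACA7..."), read on stdin. Normalised to upper-case hex.
leaf_serial() {
    sed -n 's/^serial=//p' | tr 'a-f' 'A-F' | head -n 1
}

# Extract the serial named in an OCSP response as printed by
# `openssl s_client -status` / `openssl ocsp -text` ("Serial Number: ...").
# s_client prints the OCSP text before the certificate PEM blocks and does
# not print certificate text, so the first match is the OCSP CertID serial.
ocsp_serial() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p' | tr 'a-f' 'A-F' | head -n 1
}

# Compare the two serials. Exit status: 0 = stapled response covers the leaf,
# 1 = stapled response is for a different certificate, 2 = nothing stapled.
compare_serials() {
    leaf="$1"
    ocsp="$2"
    if [ -z "$ocsp" ]; then
        echo "no stapled OCSP response (server sent none)"
        return 2
    fi
    if [ "$leaf" = "$ocsp" ]; then
        echo "stapled OCSP response covers the leaf certificate ($leaf)"
        return 0
    fi
    echo "MISMATCH: leaf serial $leaf, stapled OCSP response is for serial $ocsp"
    return 1
}

# Live check against a host (needs network and the openssl CLI).
# Usage: check_host actorws.epa.gov
check_host() {
    host="$1"
    out=$(printf '' | openssl s_client -status -servername "$host" -connect "$host:443" 2>/dev/null)
    # The first PEM block in s_client output is the leaf certificate.
    leaf=$(printf '%s\n' "$out" | openssl x509 -noout -serial 2>/dev/null | leaf_serial)
    ocsp=$(printf '%s\n' "$out" | ocsp_serial)
    compare_serials "$leaf" "$ocsp"
}

if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it as `sh ocsp_staple_check.sh actorws.epa.gov` (hypothetical filename). An exit status of 1 reproduces the condition GnuTLS rejects; a status of 2 means the server stapled nothing, in which case curl's failure has a different cause and the CA bundle path from the first message is the next thing to check.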
* Re: Certificate problem with curl, though icecat works
2020-08-13 6:55 ` Giovanni Biscuolo
@ 2020-08-13 8:58 ` Todor Kondić
2020-08-13 10:26 ` Giovanni Biscuolo
0 siblings, 1 reply; 5+ messages in thread
From: Todor Kondić @ 2020-08-13 8:58 UTC (permalink / raw)
To: Giovanni Biscuolo; +Cc: help-guix@gnu.org
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, 13 August 2020 08:55, Giovanni Biscuolo <g@xelera.eu> wrote:
> Giovanni Biscuolo <g@xelera.eu> writes:
>
> [...]
>
> > > $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
> > > curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> > > More details here: https://curl.haxx.se/docs/sslcerts.html
> > > ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
> >
> > This is similar to
> > https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html
>
> No, this is a different issue:
>
> --8<---------------cut here---------------start------------->8---
>
> gnutls-cli actorws.epa.gov
>
> Processed 128 CA certificate(s).
> Resolving 'actorws.epa.gov:443'...
> Connecting to '134.67.99.60:443'...
>
> - Certificate type: X.509
>
> - Got a certificate list of 2 certificates.
>
> - Certificate[0] info:
>
> - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
> Public Key ID:
> sha1:884a27ada33cc533411036cde08f7c83bee2580e
> sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
> Public Key PIN:
> pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
>
> - Certificate[1] info:
>
> - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
> |<1>| Got OCSP response with an unrelated certificate.
>
> - Status: The certificate is NOT trusted. The received OCSP status response is invalid.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> [~]-
>
> --8<---------------cut here---------------end--------------->8---
>
>
> I'm going to open a bug report upstream (gnutls), thanks for your
> report.
>
> Best regards, Gio'
>
> --
>
> Giovanni Biscuolo
>
> Xelera IT Infrastructures
Thanks for confirming this! I pulled the newest Guix and updated gnutls and that did not solve the issue. Please let me know when you post the issue, so I can track it.
* Re: Certificate problem with curl, though icecat works
2020-08-13 8:58 ` Todor Kondić
@ 2020-08-13 10:26 ` Giovanni Biscuolo
0 siblings, 0 replies; 5+ messages in thread
From: Giovanni Biscuolo @ 2020-08-13 10:26 UTC (permalink / raw)
To: Todor Kondić; +Cc: help-guix@gnu.org
Hi Todor,
Todor Kondić <tk.code@protonmail.com> writes:
[...]
>> I'm going to open a bug report upstream (gnutls), thanks for your
>> report.
This is the bug report https://gitlab.com/gnutls/gnutls/-/issues/1062
I checked other OCSP issues and I did not understand if this is already
fixed in latest GnuTLS releases
> Thanks for confirming this!
(Y)
> I pulled the newest Guix and updated gnutls and that did not solve the
> issue.
Me too, but…
I'm not explicitly installing gnutls in my profile (via manifest); I'm just installing
curl, and in that profile I get:
--8<---------------cut here---------------start------------->8---
giovanni@roquette: gnutls-cli --version
gnutls-cli 3.6.7
Copyright (C) 2000-2020 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>
Please send bug reports to: <bugs@gnutls.org>
--8<---------------cut here---------------end--------------->8---
But:
--8<---------------cut here---------------start------------->8---
giovanni@roquette: curl --version
curl 7.71.0 (x86_64-unknown-linux-gnu) libcurl/7.71.0 GnuTLS/3.6.14 zlib/1.2.11 libidn2/2.3.0 nghttp2/1.41.0
Release-Date: 2020-06-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
--8<---------------cut here---------------end--------------->8---
curl should use gnutls 3.6.14... I should double-check my profile update
I'll report as soon as I understand what's happening
Thanks, Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures