* Certificate problem with curl, though icecat works
From: TK @ 2020-08-11 11:31 UTC
To: help-guix@gnu.org

Hi all,

Opening this JSON in icecat happens without any error, the connection being described as secure:

https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N

However, doing the same thing with curl errors out:

$ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N

curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.

Does anyone have an idea what could be going wrong?

* Re: Certificate problem with curl, though icecat works
From: Giovanni Biscuolo @ 2020-08-12 17:47 UTC
To: TK, help-guix@gnu.org

Hi TK

TK <tkprom@protonmail.com> writes:

[...]

> However, doing the same thing with curl errors out:
>
> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>
> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.

This is similar to
https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html and
it should be fixed in the latest GnuTLS, which is in Guix since commit
8951b9496b5c390adb3b3292d234bb8ab9936c40

Anyway I can confirm that I get the same results as you.

I'm going to investigate if I can add something useful and open a bug
(probably upstream?)

happy hacking! Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures

* Re: Certificate problem with curl, though icecat works
From: Giovanni Biscuolo @ 2020-08-13 6:55 UTC
To: TK, help-guix@gnu.org

Giovanni Biscuolo <g@xelera.eu> writes:

[...]

>> $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
>>
>> curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>>
>> ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
>
> This is similar to
> https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html

No, this is a different issue:

--8<---------------cut here---------------start------------->8---
gnutls-cli actorws.epa.gov
Processed 128 CA certificate(s).
Resolving 'actorws.epa.gov:443'...
Connecting to '134.67.99.60:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
	Public Key ID:
		sha1:884a27ada33cc533411036cde08f7c83bee2580e
		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
	Public Key PIN:
		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=

- Certificate[1] info:
 - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
[~]-
--8<---------------cut here---------------end--------------->8---

I'm going to open a bug report upstream (gnutls), thanks for your
report.

Best regards, Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures

* Re: Certificate problem with curl, though icecat works
From: Todor Kondić @ 2020-08-13 8:58 UTC
To: Giovanni Biscuolo; +Cc: help-guix@gnu.org

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, 13 August 2020 08:55, Giovanni Biscuolo <g@xelera.eu> wrote:

> Giovanni Biscuolo g@xelera.eu writes:
>
> [...]
>
> > > $ curl https://actorws.epa.gov/actorws/chemIdentifier/v01/resolve.json?identifier=MKXZASYAUGDDCJ-NJAFHUGGSA-N
> > > curl: (60) server certificate verification failed. CAfile: /home/user/.guix-profiles/profile/etc/ssl/certs/ca-certificates.crt CRLfile: none
> > > More details here: https://curl.haxx.se/docs/sslcerts.html
> > > ca-certificates.crt exists at the CAfile location and CURL_CA_BUNDLE is set properly.
> >
> > This is similar to
> > https://lists.gnu.org/archive/html/help-guix/2020-06/msg00025.html
>
> No, this is a different issue:
>
> --8<---------------cut here---------------start------------->8---
>
> gnutls-cli actorws.epa.gov
>
> Processed 128 CA certificate(s).
> Resolving 'actorws.epa.gov:443'...
> Connecting to '134.67.99.60:443'...
>
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
>  - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
>    Public Key ID:
>    sha1:884a27ada33cc533411036cde08f7c83bee2580e
>    sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
>    Public Key PIN:
>    pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
>
> - Certificate[1] info:
>  - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
>    |<1>| Got OCSP response with an unrelated certificate.
>
> - Status: The certificate is NOT trusted. The received OCSP status response is invalid.
>   *** PKI verification of server certificate failed...
>   *** Fatal error: Error in the certificate.
>   [~]-
>
> --8<---------------cut here---------------end--------------->8---
>
> I'm going to open a bug report upstream (gnutls), thanks for your
> report.
>
> Best regards, Gio'
>
> --
> Giovanni Biscuolo
>
> Xelera IT Infrastructures

Thanks for confirming this! I pulled the newest Guix and updated gnutls and that did not solve the issue. Please let me know when you post the issue, so I can track it.

* Re: Certificate problem with curl, though icecat works
From: Giovanni Biscuolo @ 2020-08-13 10:26 UTC
To: Todor Kondić; +Cc: help-guix@gnu.org

Hi Todor,

Todor Kondić <tk.code@protonmail.com> writes:

[...]

>> I'm going to open a bug report upstream (gnutls), thanks for your
>> report.

This is the bug report https://gitlab.com/gnutls/gnutls/-/issues/1062

I checked other OCSP issues and I did not understand if this is already
fixed in latest GnuTLS releases

> Thanks for confirming this!

(Y)

> I pulled the newest Guix and updated gnutls and that did not solve the
> issue.

Me too, but… I'm not explicitly installing gnutls in my profile (via
manifest), I'm just installing curl and in that profile I get:

--8<---------------cut here---------------start------------->8---
giovanni@roquette: gnutls-cli --version
gnutls-cli 3.6.7
Copyright (C) 2000-2020 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>

Please send bug reports to: <bugs@gnutls.org>
--8<---------------cut here---------------end--------------->8---

But:

--8<---------------cut here---------------start------------->8---
giovanni@roquette: curl --version
curl 7.71.0 (x86_64-unknown-linux-gnu) libcurl/7.71.0 GnuTLS/3.6.14 zlib/1.2.11 libidn2/2.3.0 nghttp2/1.41.0
Release-Date: 2020-06-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
--8<---------------cut here---------------end--------------->8---

curl should use gnutls 3.6.14...

I should double check my profile update

I'll report as soon as I understand what's happening

Thanks, Gio'

--
Giovanni Biscuolo

Xelera IT Infrastructures

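The two checks this thread ends up making by hand (reading the `- Status:` line of gnutls-cli, and comparing the GnuTLS release curl reports with that of the gnutls-cli binary in the profile), as an added example that is not part of any message in the thread. The sample strings are constructed from the output quoted above, and the function names are this example's own.

```python
import re

# Constructed sample input, trimmed from the tool output quoted in this thread.
GNUTLS_CLI_OUTPUT = """\
- Got a certificate list of 2 certificates.
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
"""
CURL_VERSION = ("curl 7.71.0 (x86_64-unknown-linux-gnu) libcurl/7.71.0 "
                "GnuTLS/3.6.14 zlib/1.2.11 libidn2/2.3.0 nghttp2/1.41.0")
GNUTLS_CLI_VERSION = "gnutls-cli 3.6.7"


def verification_reasons(transcript):
    """Reasons given on gnutls-cli's '- Status:' line; [] if trusted or absent."""
    m = re.search(r"^- Status: (.*)$", transcript, re.M)
    if not m or "NOT trusted" not in m.group(1):
        return []
    # The first sentence is the verdict, the following ones say why.
    sentences = [s.strip() for s in m.group(1).split(".") if s.strip()]
    return sentences[1:]


def gnutls_versions(curl_version, cli_version):
    """(GnuTLS version libcurl reports, version of the gnutls-cli binary)."""
    linked = re.search(r"\bGnuTLS/(\d+(?:\.\d+)+)", curl_version)
    cli = re.search(r"^gnutls-cli (\d+(?:\.\d+)+)", cli_version, re.M)
    return (linked.group(1) if linked else None,
            cli.group(1) if cli else None)


def triage(transcript, curl_version, cli_version):
    """Summarise whether OCSP is the cause and whether both tools share a GnuTLS."""
    reasons = verification_reasons(transcript)
    linked, cli = gnutls_versions(curl_version, cli_version)
    return {
        "reasons": reasons,
        "ocsp_related": any("OCSP" in r for r in reasons),
        "curl_gnutls": linked,
        "cli_gnutls": cli,
        # A gnutls-cli result only speaks for curl if both use the same release.
        "same_gnutls": linked is not None and linked == cli,
    }


if __name__ == "__main__":
    for key, value in triage(GNUTLS_CLI_OUTPUT, CURL_VERSION, GNUTLS_CLI_VERSION).items():
        print(f"{key}: {value}")
```
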