From: Jack Hill
Date: Thu, 4 Jun 2020 10:40:55 -0400 (EDT)
To: Giovanni Biscuolo
Cc: help-guix@gnu.org
Subject: Re: curl server certificate verification failed for a few sites
In-Reply-To: <87sgfbkm7g.fsf@roquette.i-did-not-set--mail-host-address--so-tickle-me>

On Thu, 4 Jun 2020, Giovanni Biscuolo wrote:

> Hello Guix,
>
> --8<---------------cut here---------------end--------------->8---
>
> I'm having a strange error with curl from Guix (on a foreign distro):
>
> --8<---------------cut here---------------start------------->8---
> giovanni@roquette: curl -I https://voices.transparency.org
> curl: (60) server certificate verification failed. CAfile: /home/giovanni/.guix-extra-profiles/emacs/emacs/etc/ssl/certs/ca-certificates.crt CRLfile: none
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> --8<---------------cut here---------------end--------------->8---

Giovanni,

I think that this is due to the recent AddTrust Root CA cert expiration [0]. The error wget gives is a little bit better, but you need to know about the situation to interpret it correctly:

"""
$ wget "https://voices.transparency.org" -O /dev/null
--2020-06-04 10:37:29--  https://voices.transparency.org/
Resolving voices.transparency.org (voices.transparency.org)... 52.4.225.124, 52.4.240.221, 52.1.119.170, ...
Connecting to voices.transparency.org (voices.transparency.org)|52.4.225.124|:443... connected.
ERROR: The certificate of ‘voices.transparency.org’ is not trusted.
ERROR: The certificate of ‘voices.transparency.org’ has expired.
"""

In my experience, sometimes this cert expiration is easy to miss by site administrators or others connecting to the site if they have one of the intermediate certificates in their trust store. Our nss-certs package tends not to have such intermediates. Therefore, I think the fix is for voices.transparency.org to update the certificate chain/bundle that they are sending.

[0] https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

Best,
Jack
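The mechanism Jack describes, as an added example that is not part of the thread or of Guix: a server keeps sending a cross-signed intermediate whose issuer (the old root) has expired, so a client that verifies the served chain exactly as sent fails, while a client that does path building and already trusts the newer root directly finds an alternative path. The certificates below are constructed toy records (subject, issuer, expiry only; no signatures), the names "Modern Root", "Legacy Root", "Example Intermediate CA" and "voices.example" are assumptions modelled on the AddTrust expiry, and the date 2020-06-04 is taken from the thread. The example also shows why dropping the expired cross-certificate from the served chain is the fix that helps every client.

```python
"""Toy X.509 path building: why an expired cross-signed intermediate in the
served chain breaks some clients but not others.

Constructed example (not real X.509): a certificate is a dict holding only
subject, issuer and expiry. Real verification also checks signatures, key
identifiers, name constraints and more; only path construction is modelled."""
from datetime import datetime, timezone


def cert(subject, issuer, not_after):
    """Build a toy certificate; `not_after` is 'YYYY-MM-DD' in UTC."""
    exp = datetime.strptime(not_after, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return {"subject": subject, "issuer": issuer, "not_after": exp}


def expired(c, now):
    return c["not_after"] < now


def verify_served_chain(chain, trust_store, now):
    """Naive verifier: accept the server's chain exactly as sent.

    Every served certificate must be unexpired and link to the next one, and
    the issuer of the last served certificate must be an unexpired anchor in
    the trust store. Roughly what older TLS clients do."""
    for i, c in enumerate(chain):
        if expired(c, now):
            return False, f"expired: {c['subject']} (issued by {c['issuer']})"
        if i + 1 < len(chain) and chain[i + 1]["subject"] != c["issuer"]:
            return False, f"broken link after {c['subject']}"
    anchor = trust_store.get(chain[-1]["issuer"])
    if anchor is None:
        return False, f"no trust anchor for {chain[-1]['issuer']}"
    if expired(anchor, now):
        return False, f"expired trust anchor: {anchor['subject']}"
    return True, "ok"


def build_path(leaf, extra_certs, trust_store, now, _seen=()):
    """RFC 4158-style path building: ignore the served order and search for
    any unexpired route from `leaf` to a trusted anchor, preferring an anchor
    in the trust store over a served certificate with the same subject.
    Returns the path as a list of certificates, or None."""
    if expired(leaf, now):
        return None
    issuer = leaf["issuer"]
    anchor = trust_store.get(issuer)
    if anchor is not None and not expired(anchor, now):
        return [leaf, anchor]
    seen = _seen + (leaf["subject"],)          # loop guard for cross-signs
    for c in extra_certs:
        if c["subject"] == issuer and c["subject"] not in seen:
            rest = build_path(c, extra_certs, trust_store, now, seen)
            if rest:
                return [leaf] + rest
    return None


# Constructed scenario, dated a few days after the 2020-05-30 expiry.
NOW = datetime(2020, 6, 4, tzinfo=timezone.utc)
LEAF = cert("voices.example", "Example Intermediate CA", "2021-01-01")
INTERMEDIATE = cert("Example Intermediate CA", "Modern Root", "2030-01-01")
CROSS_CERT = cert("Modern Root", "Legacy Root", "2020-05-30")  # expired cross-sign
MODERN_ROOT = cert("Modern Root", "Modern Root", "2038-01-01")
LEGACY_ROOT = cert("Legacy Root", "Legacy Root", "2020-05-30")

SERVED_CHAIN = [LEAF, INTERMEDIATE, CROSS_CERT]   # what the server still sends
MODERN_STORE = {MODERN_ROOT["subject"]: MODERN_ROOT}
LEGACY_STORE = {LEGACY_ROOT["subject"]: LEGACY_ROOT}


def naive_result(chain=SERVED_CHAIN, store=MODERN_STORE):
    return verify_served_chain(chain, store, NOW)


def built_path_subjects(chain=SERVED_CHAIN, store=MODERN_STORE):
    path = build_path(chain[0], chain[1:], store, NOW)
    return None if path is None else [c["subject"] for c in path]


if __name__ == "__main__":
    print("naive, modern store, served chain:", naive_result())
    print("path builder, modern store:      ", built_path_subjects())
    print("naive, server drops cross-cert:  ", naive_result(SERVED_CHAIN[:2]))
    print("path builder, legacy-only store: ", built_path_subjects(store=LEGACY_STORE))
```

With the modern trust store, the naive verifier rejects the served chain because of the expired cross-certificate, while the path builder ignores it and ends at the trusted "Modern Root" directly. Trimming the cross-certificate from the served chain makes even the naive verifier succeed, which is the server-side fix Jack suggests; a trust store that only contains the expired legacy root fails under both strategies, so that case can only be fixed by updating the client.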