From unknown Mon Aug 18 11:25:47 2025 X-Loop: help-debbugs@gnu.org Subject: bug#30555: elpa.gnu.org certificate order Resent-From: Ian Kelling Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 20 Feb 2018 19:01:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 30555 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: 30555@debbugs.gnu.org Cc: Sam Brightman X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.15191532077611 (code B ref -1); Tue, 20 Feb 2018 19:01:02 +0000 Received: (at submit) by debbugs.gnu.org; 20 Feb 2018 19:00:07 +0000 Received: from localhost ([127.0.0.1]:53197 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoD91-0001yR-4t for submit@debbugs.gnu.org; Tue, 20 Feb 2018 14:00:06 -0500 Received: from eggs.gnu.org ([208.118.235.92]:50837) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoD8w-0001xZ-V0 for submit@debbugs.gnu.org; Tue, 20 Feb 2018 13:59:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eoD8n-0004I3-QQ for submit@debbugs.gnu.org; Tue, 20 Feb 2018 13:59:53 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:39678) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eoD8n-0004Hu-Me for submit@debbugs.gnu.org; Tue, 20 Feb 2018 13:59:49 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41768) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eoD8m-0002v2-BE for bug-gnu-emacs@gnu.org; Tue, 20 Feb 2018 13:59:49 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eoD8l-0004GM-91 for bug-gnu-emacs@gnu.org; Tue, 20 Feb 2018 13:59:48 -0500 
Received: from mail.fsf.org ([208.118.235.13]:52015) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eoD8l-0004GC-55 for bug-gnu-emacs@gnu.org; Tue, 20 Feb 2018 13:59:47 -0500 Received: from li.iankelling.org ([72.14.176.105]:47908 helo=mail.iankelling.org) by mail.fsf.org with esmtpsa (TLS-1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from ) id 1eoD8k-0002AY-9E; Tue, 20 Feb 2018 13:59:46 -0500 Received: from iank by mail.iankelling.org with local (Exim 4.86_2) (envelope-from ) id 1eoD8i-0007pM-Oy; Tue, 20 Feb 2018 13:59:44 -0500 User-agent: mu4e 1.0-alpha3; emacs 27.0.50 
From: Ian Kelling Date: Tue, 20 Feb 2018 13:59:44 -0500 Message-ID: <87fu5vzdun.fsf@fsf.org> MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by mail.fsf.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----)

I think I've found the root cause, as the apache config is wrong, and am going to fix this on the elpa server in the next few minutes, which I would normally not touch.

Originally reported to sysadmin@gnu.org by Sam Brightman, who I've cc'ed:

I'm writing because I believe the certificate chain for elpa.gnu.org is incorrect. You can see the out-of-order chain warning on:

https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&hideResults=on

You can also run e.g. gnutls-cli:

$ gnutls-cli elpa.gnu.org
|<1>| There was a non-CA certificate in the trusted list: O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification Authority (2048).
Processed 165 CA certificate(s).
Resolving 'elpa.gnu.org:443'...
Connecting to '208.118.235.89:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02 10:00:36 UTC', expires `2018-03-02 10:00:36 UTC', pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
        Public Key ID:
                sha1:a055226618cb098619db153e7d847d0f2637b836
                sha256:9b5feab8f5a9cc14cdba057a894f812d1cbf2192097b1f20819e3b48e578906d
        Public Key PIN:
                pin-sha256:m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0=
        Public key's random art:
                +--[ RSA 2048]----+
                |++.o*..oo. |
                |+=.B o.++ * |
                |. = o + .* + |
                | + oE . |
                | . .S. |
                | |
                | |
                | |
                | |
                +-----------------+

- Certificate[1] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02 10:00:36 UTC', expires `2018-03-02 10:00:36 UTC', pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 85:4F:3F:0C:1E:14:EE:51:33:81:38:3A:C8:72:FE:2C:72:B5:93:81:C0:8A:69:10:CA:66:CC:EE:44:99:74:D5
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

Whilst some TLS libraries will re-order/de-duplicate in this situation, at least GnuTLS prior to version 3 does not. This is a very common version for LTS distribution releases, including Travis CI. Stock Emacs with GnuTLS (<3) support cannot verify the certificate of its own package repository as a result of this.

end quote.

--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org

From unknown Mon Aug 18 11:25:47 2025 X-Loop: help-debbugs@gnu.org Subject: bug#30555: fixed on the server References: <87fu5vzdun.fsf@fsf.org> In-Reply-To: <87fu5vzdun.fsf@fsf.org> Resent-From: Ian Kelling Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 20 Feb 2018 19:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 30555 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: To: 30555@debbugs.gnu.org Received: via spool by 30555-submit@debbugs.gnu.org id=B30555.15191542149151 (code B ref 30555); Tue, 20 Feb 2018 19:17:02 +0000 Received: (at 30555) by debbugs.gnu.org; 20 Feb 2018 19:16:54 +0000 Received: from localhost ([127.0.0.1]:53207 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoDPK-0002NX-I8 for submit@debbugs.gnu.org; Tue, 20 Feb 2018 14:16:54 -0500 Received: from mail.fsf.org ([208.118.235.13]:38960) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoDPI-0002NP-U4 for
30555@debbugs.gnu.org; Tue, 20 Feb 2018 14:16:53 -0500 Received: from li.iankelling.org ([72.14.176.105]:48588 helo=mail.iankelling.org) by mail.fsf.org with esmtpsa (TLS-1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from ) id 1eoDPI-0003sj-8F for 30555@debbugs.gnu.org; Tue, 20 Feb 2018 14:16:52 -0500 Received: from iank by mail.iankelling.org with local (Exim 4.86_2) (envelope-from ) id 1eoDPH-0000R3-0e for 30555@debbugs.gnu.org; Tue, 20 Feb 2018 14:16:51 -0500 User-agent: mu4e 1.0-alpha3; emacs 27.0.50 From: Ian Kelling Date: Tue, 20 Feb 2018 14:16:51 -0500 Message-ID: <87eflfzd24.fsf@fsf.org> MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by mail.fsf.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Spam-Score: -5.0 (-----) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----)

I believe this is fixed on the server by the following patch in /etc/apache2, and reloading apache. Feel free to close this bug.

--- /tmp/default-ssl.conf 2018-02-20 14:05:35.276409315 -0500 +++ ./sites-available/default-ssl.conf 2018-02-20 14:09:48.680260877 -0500 @@ -45,7 +45,7 @@ SSLProtocol ALL -SSLv2 -SSLv3 - SSLCertificateFile /etc/letsencrypt/live/elpa.gnu.org/cert.pem + SSLCertificateFile /etc/letsencrypt/live/elpa.gnu.org/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/elpa.gnu.org/privkey.pem
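Review bot: the `-` line of this hunk, read together with the SSLCertificateChainFile setting that pointed at fullchain.pem, explains the duplicated leaf in the gnutls-cli output above (Certificate[0] and Certificate[1] carry the same subject and serial): cert.pem supplied the leaf, and fullchain.pem, which begins with that same leaf, was appended as the chain, so the server sent leaf, leaf, intermediate. Pointing SSLCertificateFile at fullchain.pem is the right fix on Apache 2.4.8 and later, where SSLCertificateFile may carry the whole chain and SSLCertificateChainFile is deprecated; the chain-file directive then has to go as well so the same file is not loaded a second time. Worth confirming after the reload, with `gnutls-cli elpa.gnu.org` or `openssl s_client -connect elpa.gnu.org:443 -showcerts`, that exactly two certificates are now sent, leaf first.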
@@ -56,7 +56,7 @@ # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. - SSLCertificateChainFile /etc/letsencrypt/live/elpa.gnu.org/fullchain.pem + # SSLCertificateChainFile /etc/letsencrypt/live/elpa.gnu.org/fullchain.pem # Certificate Authority (CA): # Set the CA certificate verification path where to find CA

From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 20 14:18:23 2018 Received: (at control) by debbugs.gnu.org; 20 Feb 2018 19:18:23 +0000 Received: from localhost ([127.0.0.1]:53212 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoDQk-0002Q3-Sj for submit@debbugs.gnu.org; Tue, 20 Feb 2018 14:18:23 -0500 Received: from eggs.gnu.org ([208.118.235.92]:55510) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1eoDQj-0002Po-5n for control@debbugs.gnu.org; Tue, 20 Feb 2018 14:18:21 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eoDQd-0005Wf-8r for control@debbugs.gnu.org; Tue, 20 Feb 2018 14:18:15 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:60071) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eoDQd-0005WX-4J for control@debbugs.gnu.org; Tue, 20 Feb 2018 14:18:15 -0500 Received: from rgm by fencepost.gnu.org with local (Exim 4.82) (envelope-from ) id 1eoDQc-0004mo-QE for control@debbugs.gnu.org; Tue, 20 Feb 2018 14:18:14 -0500 Subject: control message for bug 30555 To: X-Mailer: mail (GNU Mailutils 2.99.98) Message-Id:
From: Glenn Morris Date: Tue, 20 Feb 2018 14:18:14 -0500 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----)

close 30555
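The chain problem reported in the first message, and the reason the Apache change in the second message fixes it, can be checked offline from the gnutls-cli output quoted above. The script below is an added example written for this page; it is not code from the bug report, from GnuTLS, from Apache or from Emacs/ELPA. It parses the `- Certificate[N] info:` lines gnutls-cli prints, applies the TLS 1.2 rule (RFC 5246 section 7.4.2) that the server certificate comes first and each following certificate directly certifies the one before it, and shows what a lenient verifier that de-duplicates and re-orders would make of the same list. The sample input is a copy of the three certificates from the report with the key-ID and random-art lines dropped; the `served_chain` function is a simplified model, assumed for illustration, of how the two Apache directives combined on the wire, not mod_ssl code.

```python
"""Check the certificate chain a TLS server sends, from gnutls-cli output.

Added example for bug#30555; not code from the report, GnuTLS, Apache or Emacs.
Strict rule (RFC 5246 7.4.2): leaf first, each following certificate must
directly certify the one before it.  A chain that repeats the leaf, as
elpa.gnu.org's did, fails that rule even though every certificate in it is
valid; a lenient verifier that de-duplicates and re-orders accepts it anyway.
"""
import re
from typing import Dict, List

# Constructed sample input: the three certificates from the gnutls-cli output
# quoted in the bug report (leaf, the same leaf again, then the intermediate),
# with the key-ID and random-art lines omitted.
SAMPLE_GNUTLS_OUTPUT = """\
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02 10:00:36 UTC', expires `2018-03-02 10:00:36 UTC', pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
- Certificate[1] info:
 - subject `CN=elpa.gnu.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x037b6d60120d207d3270b0b184b1585921f0, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-12-02 10:00:36 UTC', expires `2018-03-02 10:00:36 UTC', pin-sha256="m1/quPWpzBTNugV6iU+BLRy/IZIJex8ggZ47SOV4kG0="
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
"""

# Distinguished names may contain apostrophes ("Let's Encrypt"), so match
# non-greedily up to the delimiter gnutls-cli prints after each field.
CERT_RE = re.compile(
    r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', serial (?P<serial>0x[0-9a-f]+)"
)


def parse_gnutls_chain(text: str) -> List[Dict[str, str]]:
    """Return subject/issuer/serial for each certificate, in wire order."""
    return [m.groupdict() for m in CERT_RE.finditer(text)]


def check_chain_order(chain: List[Dict[str, str]]) -> List[str]:
    """Apply the strict rule; an empty result means the chain is well formed."""
    findings = []
    seen = set()
    for i, cert in enumerate(chain):
        key = (cert["subject"], cert["serial"])
        if key in seen:
            findings.append(f"Certificate[{i}] repeats an earlier certificate: {cert['subject']}")
        seen.add(key)
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            findings.append(
                f"Certificate[{i}] is issued by {cert['issuer']!r} "
                f"but Certificate[{i + 1}] is {chain[i + 1]['subject']!r}"
            )
    return findings


def normalize_chain(chain: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """What a lenient verifier does: drop duplicates, then walk from the leaf
    issuer-to-subject; certificates not reachable from the leaf are dropped."""
    unique: List[Dict[str, str]] = []
    seen = set()
    for cert in chain:
        key = (cert["subject"], cert["serial"])
        if key not in seen:
            seen.add(key)
            unique.append(cert)
    if not unique:
        return []
    by_subject = {c["subject"]: c for c in unique}
    ordered = [unique[0]]
    while True:
        nxt = by_subject.get(ordered[-1]["issuer"])
        if nxt is None or nxt in ordered:  # root not sent, or self-signed root reached
            break
        ordered.append(nxt)
    return ordered


def served_chain(certificate_file: List[str], chain_file: List[str]) -> List[str]:
    """Simplified model (an assumption for illustration, not mod_ssl code) of what
    went on the wire: SSLCertificateFile's certificates, then SSLCertificateChainFile's."""
    return list(certificate_file) + list(chain_file)


if __name__ == "__main__":
    chain = parse_gnutls_chain(SAMPLE_GNUTLS_OUTPUT)
    for finding in check_chain_order(chain):
        print("FINDING:", finding)
    print("lenient view:", [c["subject"] for c in normalize_chain(chain)])
    # cert.pem holds only the leaf; fullchain.pem holds leaf + intermediate.
    print("before patch:", served_chain(["leaf"], ["leaf", "intermediate"]))
    print("after patch: ", served_chain(["leaf", "intermediate"], []))
```

Run against the sample, `check_chain_order` reports two findings (the leaf is repeated, and Certificate[0]'s issuer is not Certificate[1]'s subject), which is exactly what a strict verifier trips over, while `normalize_chain` returns the two-certificate leaf-then-intermediate list that a lenient library reconstructs. The same parser can be pointed at live `gnutls-cli host` output after a configuration change to confirm the served chain is clean.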