From: "j-james"
Date: Mon, 21 Dec 2020 17:29:35 -0800
Subject: bootstrap fails due to a certificate mismatch

When running ./bootstrap in a freshly-cloned repository, it seems to either
not find some files it wants to or doesn't trust https://translationproject.org.

Connecting to https://translationproject.org in a (non-wget) web browser works fine.

The following is the output of ./bootstrap.

```
./bootstrap: Bootstrapping from checked-out coreutils sources...
./bootstrap: consider installing git-merge-changelog from gnulib
./bootstrap: getting gnulib files...
Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'gnulib'
Cloning into '/home/teal/Projects/coreutils/gnulib'...
Submodule path 'gnulib': checked out '8183682cc4436bee18007d61bc79938eaf78619a'
./bootstrap: getting translations into po/.reference for coreutils...
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
ERROR: The certificate of 'translationproject.org' is not trusted.
ERROR: The certificate of 'translationproject.org' doesn't have a known issuer.
```

Do let me know if you need more information, or if this is a duplicate report.
-- 
j-james

From: Grigoriy Sokolik
Date: Sat, 13 Feb 2021 14:43:10 +0200
Subject: RE: bug#45358: bootstrap fails due to a certificate mismatch
To: 45358@debbugs.gnu.org

I have the same issue.

Some investigations:

  1. I decided to find out the particular command that fails and added more debug print:

diff --git a/bootstrap b/bootstrap index 7523f65b4..44c21db23 100755 --- a/bootstrap +++ b/bootstrap 
@@ -749,6 +749,7 @@ download_po_files() { domain=3D$2 echo "$me: getting translations into $subdir for $domain..." cmd=3D$(printf "$po_download_command_format" "$subdir" "$domain") + echo "$me: going to exec \"$cmd\"..." eval "$cmd" }

  2. Tried to run:

    $ ./bootstrap
    ./bootstrap: Bootstrapping from checked-out coreutils sources...
    ./bootstrap: consider installing git-merge-changelog from gnulib
    ./bootstrap: getting gnulib files...
    ./bootstrap: getting translations into po/.reference for coreutils...
    ./bootstrap: going to exec "wget --mirror --level=1 -nd -nv -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/"...
    ERROR: The certificate of 'translationproject.org' is not trusted.
    ERROR: The certificate of 'translationproject.org' doesn't have a known issuer.

  3. Tried to run the command directly, but without `-nv` flag:

    $ wget --mirror --level=1 -nd -v -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/
    --2021-02-13 14:23:35--  https://translationproject.org/latest/coreutils/
    Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
    Resolving translationproject.org (translationproject.org)... 80.69.83.146, 2a01:7c8:c037:6::20
    Connecting to translationproject.org (translationproject.org)|80.69.83.146|:443... connected.
    ERROR: The certificate of ‘translationproject.org’ is not trusted.
    ERROR: The certificate of ‘translationproject.org’ doesn't have a known issuer.

  4. Tried the same with curl:

    $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 80.69.83.146:443...
    * Connected to translationproject.org (80.69.83.146) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [93 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [6723 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    { [589 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    { [4 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    } [70 bytes data]
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    } [16 bytes data]
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    { [16 bytes data]
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: CN=stats.vrijschrift.org
    *  start date: Dec 31 10:34:41 2020 GMT
    *  expire date: Mar 31 10:34:41 2021 GMT
    *  subjectAltName: host "translationproject.org" matched cert's "translationproject.org"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.
    } [5 bytes data]
    > GET /latest/coreutils/ HTTP/1.1
    > Host: translationproject.org
    > User-Agent: curl/7.75.0
    > Accept: */*
    >
    { [5 bytes data]
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Date: Sat, 13 Feb 2021 12:26:00 GMT
    < Server: Apache/2.4.10 (Debian)
    < Vary: Accept-Encoding
    < Transfer-Encoding: chunked
    < Content-Type: text/html;charset=UTF-8
    <
    { [5 bytes data]
    100  8881    0  8881    0     0  16980      0 --:--:-- --:--:-- --:--:-- 16980
    * Connection #0 to host translationproject.org left intact

  5. Trying to export and verify the cert with certtools:

    $ certtool --verbose --verify-profile=high --verify --infile=/tmp/stats.vrijschrift.org

    Loaded system trust (139 CAs available)
            Subject: CN=R3,O=Let's Encrypt,C=US
            Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
            Signature algorithm: RSA-SHA256
            Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

            Subject: CN=R3,O=Let's Encrypt,C=US
            Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
            Signature algorithm: RSA-SHA256
            Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

            Subject: CN=R3,O=Let's Encrypt,C=US
            Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
            Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
            Signature algorithm: RSA-SHA256
            Output: Verified. The certificate is trusted.

            Subject: CN=stats.vrijschrift.org
            Issuer: CN=R3,O=Let's Encrypt,C=US
            Checked against: CN=R3,O=Let's Encrypt,C=US
            Signature algorithm: RSA-SHA256
            Output: Verified. The certificate is trusted.

    Chain verification output: Verified. The certificate is trusted.

    Maybe that "Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown." is the issue?

Thanks!
Best regards,
Grigorii
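Review bot: in the step 1 patch, the added echo in download_po_files() wraps $cmd in escaped double quotes while the command already carries its own single quotes around the directory argument (visible in the step 2 trace as 'po/.reference'), so the logged line cannot be pasted back into a shell as printed; emitting it unquoted after a fixed prefix, for example echo "$me: running: $cmd", would be easier to reuse. The trace is also unconditional and goes to stdout like the "getting translations" line above it; if it is meant to stay beyond this debugging session, redirect it with >&2 so it does not mix with the output of the command run by eval "$cmd".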
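A helper for reading the step 5 output, added here as an example (it is not part of the original message, of coreutils or of GnuTLS): it condenses `certtool --verbose --verify` output to one line per certificate block and lists subjects that never reached a verified block. The sample is the output quoted above, re-wrapped one field per line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: condense `certtool --verbose --verify` output to one line per
# certificate block. Function names are hypothetical, not from any project.

# Constructed sample: the step 5 output from the message above, re-wrapped one
# field per line (the archived copy is flattened, so the layout is assumed).
sample_certtool_output() {
    cat <<'EOF'
Loaded system trust (139 CAs available)
        Subject: CN=R3,O=Let's Encrypt,C=US
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Signature algorithm: RSA-SHA256
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

        Subject: CN=R3,O=Let's Encrypt,C=US
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Signature algorithm: RSA-SHA256
        Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

        Subject: CN=R3,O=Let's Encrypt,C=US
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Signature algorithm: RSA-SHA256
        Output: Verified. The certificate is trusted.

        Subject: CN=stats.vrijschrift.org
        Issuer: CN=R3,O=Let's Encrypt,C=US
        Checked against: CN=R3,O=Let's Encrypt,C=US
        Signature algorithm: RSA-SHA256
        Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
EOF
}

# stdin: certtool output. stdout: one line per block, tab separated:
#   OK|FAIL <TAB> subject <TAB> issuer <TAB> checked-against (or "-")
certtool_blocks() {
    awk '
        # Strip leading blanks and the "Label:" prefix, keep the value.
        function field(line) { sub(/^[ \t]*[^:]*:[ \t]*/, "", line); return line }
        /^[ \t]*Subject:/         { subject = field($0); issuer = ""; against = "-" }
        /^[ \t]*Issuer:/          { issuer = field($0) }
        /^[ \t]*Checked against:/ { against = field($0) }
        /^[ \t]*Output:/ {
            verdict = ($0 ~ /Output: Verified\./) ? "OK" : "FAIL"
            printf "%s\t%s\t%s\t%s\n", verdict, subject, issuer, against
        }
    '
}

# stdin: certtool output. stdout: "Verified", "Not verified", or "missing"
# when the final "Chain verification output:" line is absent.
chain_verdict() {
    awk '
        /^Chain verification output:/ {
            sub(/^Chain verification output:[ \t]*/, "")
            sub(/\..*$/, "")
            print
            found = 1
        }
        END { if (!found) print "missing" }
    '
}

# stdin: certtool output. stdout: subjects for which every block failed,
# i.e. certificates that were never verified against any issuer.
never_verified_subjects() {
    certtool_blocks | awk -F'\t' '
        { seen[$2] = 1 }
        $1 == "OK" { ok[$2] = 1 }
        END { for (s in seen) if (!(s in ok)) print s }
    ' | sort
}

# Demo on the constructed sample. With a live run, pipe certtool into the
# same functions instead of sample_certtool_output.
sample_certtool_output | certtool_blocks
echo "chain verdict: $(sample_certtool_output | chain_verdict)"
echo "never verified: $(sample_certtool_output | never_verified_subjects | tr '\n' ';')"
```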

From: Grigoriy Sokolik
Date: Mon, 15 Feb 2021 13:07:49 +0200
Subject: RE: bug#45358: bootstrap fails due to a certificate mismatch
To: 45358@debbugs.gnu.org

The temporary workaround could be, at least to skip the certificate validation:

```
$ git --no-pager diff diff --git a/bootstrap b/bootstrap index 7523f65b4..dcb8aa388 100755 --- a/bootstrap +++ b/bootstrap @@ -180,7 +180,7 @@ bootstrap_epilogue() { :; } # specified directory. Fill in the first %s with the destination # directory and the second with the domain name. po_download_command_format=\ -"wget --mirror --level=1 -nd -nv -A.po -P '%s' \ +"wget --mirror --level=1 -nd --no-check-certificate -nv -A.po -P '%s' \ https://translationproject.org/latest/%s/" # Prefer a non-empty tarname (4th argument of AC_INIT if given), else
```

But be careful, this is really bad advice: fetching anything without consistency and authority validation is really insecure!

Thanks!
Best regards,
Grigorii
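Review bot: adding --no-check-certificate to po_download_command_format turns certificate verification off for every translation download that bootstrap performs, not just while this chain problem lasts, and the .po files fetched this way land in po/.reference unauthenticated. Rather than changing the default format string, keep verification on and give wget a bundle that contains the needed issuer (wget's --ca-certificate=FILE), or leave the line untouched and fix the local trust store or the chain the server sends; a bypass like this should stay a local, uncommitted edit.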

From: Paul Eggert
Organization: UCLA Computer Science Department
Date: Tue, 16 Feb 2021 09:28:51 -0800
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
To: Grigoriy Sokolik, 45358@debbugs.gnu.org

On 2/15/21 3:07 AM, Grigoriy Sokolik wrote:

> But be careful, this is really bad advice: fetching anything without
> consistency and authority validation is really insecure!

Yes, we should instead fix the underlying problem whatever it is (not
sure what it is since that wasn't reported).

From: Grigoriy Sokolik
Date: Wed, 17 Feb 2021 11:38:12 +0200
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
To: Paul Eggert
Cc: 45358@debbugs.gnu.org

The thing is that translationproject returns the wrong certificate.

Thanks!
Best regards,
Grigorii

On Tue, 16 Feb 2021 at 19:28, Paul Eggert wrote:

> On 2/15/21 3:07 AM, Grigoriy Sokolik wrote:
>
> > But be careful, this is really bad advice: fetching anything without
> > consistency and authority validation is really insecure!
>
> Yes, we should instead fix the underlying problem whatever it is (not
> sure what it is since that wasn't reported).
--000000000000ee1dca05bb84fa87--

From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 19 14:05:40 2021
Subject: Re: Wrong CA certificate on translationproject.org
To: Nekolyanich
References: <4b260b40-e875-8f12-b6d8-3761c6766d0a@nekolyanich.com>
From: Benno Schulenberg
Date: Fri, 19 Feb 2021 20:05:29 +0100
In-Reply-To: <4b260b40-e875-8f12-b6d8-3761c6766d0a@nekolyanich.com>
Cc: 45358@debbugs.gnu.org

On 17-02-2021 at 10:28, Nekolyanich wrote:
> I find this https://debbugs.gnu.org/cgi/bugreport.cgi?bug=45358 recently.

Cannot reproduce.  Downloading any project's PO files with wget works
fine here -- no complaints about certificates.

Why does your wget complain when curl and Firefox have no problem?

> Your site(translationproject.org) provides
>
> Subject: C=US,O=Let's Encrypt,CN=R3
> Issuer: O=Digital Signature Trust Co.,CN=DST Root CA X3
> Serial: 85078157426496920958827089468591623647
>
> as CA certificate.
> But your EndEntity certificate signed with
>
> Subject: C=US,O=Let's Encrypt,CN=R3
> Issuer: C=US,O=Internet Security Research Group,CN=ISRG Root X1
> Serial: 192961496339968674994309121183282847578
>
> You can find this certificate on LetsEncrypt site.

I have no idea what to do about this.  Any guidance?

Benno

From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 19 15:01:04 2021
References: <4b260b40-e875-8f12-b6d8-3761c6766d0a@nekolyanich.com>
From: Grigoriy Sokolik
Date: Fri, 19 Feb 2021 22:00:43 +0200
Subject: Re: bug#45358: Wrong CA certificate on translationproject.org
To: Benno Schulenberg
Cc: 45358@debbugs.gnu.org, Nekolyanich

Because wget uses gnutls for verification, curl -- openssl and browsers --
their own implementations.

Thanks!
Best regards,
Grigorii

On Fri, 19 Feb 2021 at 21:06, Benno Schulenberg <coordinator@translationproject.org> wrote:

>
> On 17-02-2021 at 10:28, Nekolyanich wrote:
> > I find this https://debbugs.gnu.org/cgi/bugreport.cgi?bug=45358 recently.
>
> Cannot reproduce.  Downloading any project's PO files with wget works
> fine here -- no complaints about certificates.
>
> Why does your wget complain when curl and Firefox have no problem?
>
> > Your site(translationproject.org) provides
> >
> > Subject: C=US,O=Let's Encrypt,CN=R3
> > Issuer: O=Digital Signature Trust Co.,CN=DST Root CA X3
> > Serial: 85078157426496920958827089468591623647
> >
> > as CA certificate.
> > But your EndEntity certificate signed with
> >
> > Subject: C=US,O=Let's Encrypt,CN=R3
> > Issuer: C=US,O=Internet Security Research Group,CN=ISRG Root X1
> > Serial: 192961496339968674994309121183282847578
> >
> > You can find this certificate on LetsEncrypt site.
>
> I have no idea what to do about this.  Any guidance?
>
> Benno

From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 09 00:55:07 2021
Date: Mon, 8 Mar 2021 22:54:59 -0700
From: Bob Proulx
To: Grigoriy Sokolik
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
Message-ID: <20210308222541460482867@bob.proulx.com>
Cc: 45358@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org

Is this problem still a problem?  Perhaps it has been fixed in the
time this has been under discussion?  Because it looks okay to me.

Grigoriy Sokolik wrote:
>    $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null
...
>    * Connected to translationproject.org (80.69.83.146) port 443 (#0)
...
>    * successfully set certificate verify locations:
>    *  CAfile: /etc/ssl/certs/ca-certificates.crt
>    *  CApath: none

I suspect this last line to be the root cause of the problem.  There
is no CApath and therefore no root anchoring certificates trusted.
Without that I don't see how any certificates can be trusted.

I do the same test here and see this.

    $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null
    ...
    * Connected to translationproject.org (80.69.83.146) port 443 (#0)
    ...
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs

Note the inclusion of the trusted root path.

    * Server certificate:
    *  subject: CN=stats.vrijschrift.org
    *  start date: Mar  1 10:34:36 2021 GMT
    *  expire date: May 30 10:34:36 2021 GMT
    *  subjectAltName: host "translationproject.org" matched cert's
    *  "translationproject.org"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.

Note that the certificate validates as okay.

Also if I simply ask openssl to validate:

    $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null
    ...
        Verify return code: 0 (ok)

If I download all of the certificates and validate using certtool,
since you mentioned certtool I will use your example:

    $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null  | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/translationproject.org.certs
    $ certtool --verbose --verify-profile=high --verify --infile=/tmp/translationproject.org.certs
    Loaded system trust (127 CAs available)
        Subject: CN=R3,O=Let's Encrypt,C=US
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Signature algorithm: RSA-SHA256
        Output: Verified. The certificate is trusted.

        Subject: CN=stats.vrijschrift.org
        Issuer: CN=R3,O=Let's Encrypt,C=US
        Checked against: CN=R3,O=Let's Encrypt,C=US
        Signature algorithm: RSA-SHA256
        Output: Verified. The certificate is trusted.

    Chain verification output: Verified. The certificate is trusted.

Then it again validates okay.

I note that the certificate is current as of now and just recently
renewed.  It's fresh.

    $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p;/^-----END CERTIFICATE-----/q' | openssl x509 -noout -dates
    notBefore=Mar  1 10:34:36 2021 GMT
    notAfter=May 30 10:34:36 2021 GMT

Therefore I think everything is okay as far as I can tell from the
above.  Perhaps something about the site has changed to resolve a
problem since then?  Perhaps an intermediate certificate was added?

Bob

From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 09 04:28:37 2021
References: <20210308222541460482867@bob.proulx.com>
In-Reply-To: <20210308222541460482867@bob.proulx.com>
From: Grigoriy Sokolik
Date: Tue, 9 Mar 2021 11:28:18 +0200
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
To: Bob Proulx
Cc: 45358@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org

I've rechecked:

```
    $ gnutls-cli translationproject.org
    Processed 139 CA certificate(s).
    Resolving 'translationproject.org:443'...
    Connecting to '80.69.83.146:443'...
    - Certificate type: X.509
    - Got a certificate list of 3 certificates.
    - Certificate[0] info:
    - subject `CN=stats.vrijschrift.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x043ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-03-01 10:34:36 UTC', expires `2021-05-30 10:34:36 UTC', pin-sha256="rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA="
    Public Key ID:
    sha1:351b768332605268f158f75cc602b700c8950d71
    sha256:aec69b280aa2ea099bc1f926d8a8faf64324f6f71e335a4eac8b12589dbd6b10
    Public Key PIN:
    pin-sha256:rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA=

    - Certificate[1] info:
    - subject `CN=stats.vrijschrift.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x043ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-03-01 10:34:36 UTC', expires `2021-05-30 10:34:36 UTC', pin-sha256="rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA="
    - Certificate[2] info:
    - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16cddf, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires `2021-09-29 19:21:40 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
    - Status: The certificate is NOT trusted. The certificate issuer is unknown.
    *** PKI verification of server certificate failed...
    *** Fatal error: Error in the certificate.
```

```
    $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null  | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/translationproject.org.certs
    $ certtool --verbose --verify-profile=high --verify --infile=/tmp/translationproject.org.certs
    Loaded system trust (139 CAs available)
    Subject: CN=stats.vrijschrift.org
    Issuer: CN=R3,O=Let's Encrypt,C=US
    Signature algorithm: RSA-SHA256
    Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

    Subject: CN=stats.vrijschrift.org
    Issuer: CN=R3,O=Let's Encrypt,C=US
    Signature algorithm: RSA-SHA256
    Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

    Subject: CN=stats.vrijschrift.org
    Issuer: CN=R3,O=Let's Encrypt,C=US
    Signature algorithm: RSA-SHA256
    Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

    Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
```

Thanks!
Best regards,
Grigorii

On Tue, 9 Mar 2021 at 07:55, Bob Proulx <bob@proulx.com> wrote:

> Is this problem still a problem?  Perhaps it has been fixed in the
> time this has been under discussion?  Because it looks okay to me.
>
> Grigoriy Sokolik wrote:
> >    $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null
> ...
> >    * Connected to translationproject.org (80.69.83.146) port 443 (#0)
> ...
> >    * successfully set certificate verify locations:
> >    *  CAfile: /etc/ssl/certs/ca-certificates.crt
> >    *  CApath: none
>
> I suspect this last line to be the root cause of the problem.  There
> is no CApath and therefore no root anchoring certificates trusted.
> Without that I don't see how any certificates can be trusted.
>
> I do the same test here and see this.
>
>     $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null
>     ...
>     * Connected to translationproject.org (80.69.83.146) port 443 (#0)
>     ...
>     * successfully set certificate verify locations:
>     *  CAfile: /etc/ssl/certs/ca-certificates.crt
>     *  CApath: /etc/ssl/certs
>
> Note the inclusion of the trusted root path.
>
>     * Server certificate:
>     *  subject: CN=stats.vrijschrift.org
>     *  start date: Mar  1 10:34:36 2021 GMT
>     *  expire date: May 30 10:34:36 2021 GMT
>     *  subjectAltName: host "translationproject.org" matched cert's
>     *  "translationproject.org"
>     *  issuer: C=US; O=Let's Encrypt; CN=R3
>     *  SSL certificate verify ok.
>
> Note that the certificate validates as okay.
>
> Also if I simply ask openssl to validate:
>
>     $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null
>     ...
>         Verify return code: 0 (ok)
>
> If I download all of the certificates and validate using certtool,
> since you mentioned certtool I will use your example:
>
>     $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null  | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/translationproject.org.certs
>     $ certtool --verbose --verify-profile=high --verify --infile=/tmp/translationproject.org.certs
>     Loaded system trust (127 CAs available)
>         Subject: CN=R3,O=Let's Encrypt,C=US
>         Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
>         Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
>         Signature algorithm: RSA-SHA256
>         Output: Verified. The certificate is trusted.
>
>         Subject: CN=stats.vrijschrift.org
>         Issuer: CN=R3,O=Let's Encrypt,C=US
>         Checked against: CN=R3,O=Let's Encrypt,C=US
>         Signature algorithm: RSA-SHA256
>         Output: Verified. The certificate is trusted.
>
>     Chain verification output: Verified. The certificate is trusted.
>
> Then it again validates okay.
>
> I note that the certificate is current as of now and just recently
> renewed.  It's fresh.
>
>     $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p;/^-----END CERTIFICATE-----/q' | openssl x509 -noout -dates
>     notBefore=Mar  1 10:34:36 2021 GMT
>     notAfter=May 30 10:34:36 2021 GMT
>
> Therefore I think everything is okay as far as I can tell from the
> above.  Perhaps something about the site has changed to resolve a
> problem since then?  Perhaps an intermediate certificate was added?
>
> Bob

From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 09 05:36:04 2021
Date: Tue, 9 Mar 2021 11:35:58 +0100
From: Erik Auerswald
To: Grigoriy Sokolik
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
Message-ID: <20210309103558.GA26987@unix-ag.uni-kl.de>
References: <20210308222541460482867@bob.proulx.com>
Cc: 45358@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org, Bob Proulx
List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi, On Tue, Mar 09, 2021 at 11:28:18AM +0200, Grigoriy Sokolik wrote: > I've rechecked: I cannot reproduce the problem, the certificate is trusted by my system: # via IPv4 $ gnutls-cli --verbose translationproject.org [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...] On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs: $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l lrwxrwxrwx 1 root root 53 Mai 28 2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject: Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. HTH, Erik -- [A]pplied cryptography mostly sucks. -- Green's law of applied cryptography From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 09 13:30:11 2021 Received: (at 45358-done) by debbugs.gnu.org; 9 Mar 2021 18:30:11 +0000 Received: from localhost ([127.0.0.1]:47909 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJh7S-0008Dj-W0 for submit@debbugs.gnu.org; Tue, 09 Mar 2021 13:30:11 -0500 Received: from havoc.proulx.com ([96.88.95.61]:40726) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJh7Q-0008CO-Md; Tue, 09 Mar 2021 13:30:09 -0500 Received: from joseki.proulx.com (localhost [127.0.0.1]) by havoc.proulx.com (Postfix) with ESMTP id 7220F498; Tue, 9 Mar 2021 11:30:02 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proulx.com; s=dkim2048; t=1615314602; bh=IdvFBZ1gDnW/x6sst/BIXBto+AkERu0VTcQKQa+lf4s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=DpMOmGVAGYHXamsCvnM8net7KbBO6n5jBC0ma1XlYTahMPnvzlxB6oJQY5KGCYT07 RiByJS5bUoVGjzRdiQbY50ysJVapEh24RamO7LP3g5qa1HCdUBOZAJUWQ83a+apEXn Cbx2bLKCzUE/wOPhRhWnQG7z8w3amqne+veg2+Yfqx3oY6nWT6NM41LN0vosv4FzUx 
From: Bob Proulx
To: Erik Auerswald
Cc: 45358-done@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org, Grigoriy Sokolik
Date: Tue, 9 Mar 2021 11:30:02 -0700
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
Message-ID: <20210309112031844276337@bob.proulx.com>
In-Reply-To: <20210309103558.GA26987@unix-ag.uni-kl.de>

Erik Auerswald wrote:
> Grigoriy Sokolik wrote:
> > I've rechecked:
>
> I cannot reproduce the problem, the certificate is trusted by my system:
>
>     # via IPv4
>     $ gnutls-cli --verbose translationproject.org </dev/null | grep -E 'Connecting|Status'
>     Connecting to '80.69.83.146:443'...
>     - Status: The certificate is trusted.
>     # via IPv6
>     $ gnutls-cli --verbose translationproject.org </dev/null | grep -E 'Connecting|Status'
>     Connecting to '2a01:7c8:c037:6::20:443'...
>     - Status: The certificate is trusted.

I have the same results here.  Everything looks okay in the inspection
of it.

> It seems to me as if your system does not trust the used root CA.
>
> >     [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...]
>
> On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs:
>
>     $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l
>     lrwxrwxrwx 1 root root 53 Mai 28  2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
>     $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject:
>         Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.

Again same here on my Debian system.  The root certificate store for
the trust anchor is in the ca-certificates package.

Looking at my oldest system I see this is distributed as package
version 20200601~deb9u1 and includes the above file.

    $ apt-cache policy ca-certificates
    ca-certificates:
      Installed: 20200601~deb9u1
      Candidate: 20200601~deb9u1
      Version table:
     *** 20200601~deb9u1 500
            500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
            500 http://ftp.us.debian.org/debian stretch-updates/main amd64 Packages
            100 /var/lib/dpkg/status

Verifying that the equivalent of ca-certificates is installed on your
system should provide for it.

As this seems not to be a bug in Coreutils I am marking the bug as
closed with this mail.  However more discussion is always welcome.

Bob

From debbugs-submit-bounces@debbugs.gnu.org Wed Mar 10 09:10:51 2021
From: Grigoriy Sokolik
To: Bob Proulx
Cc: Erik Auerswald, 45358-done@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org
Date: Wed, 10 Mar 2021 16:10:33 +0200
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
In-Reply-To: <20210309112031844276337@bob.proulx.com>

That's fixed for me now with the new version of GnuTLS 3.7.1

Thanks!

Best regards,
Grigorii

On Tue, 9 Mar 2021 at 20:30, Bob Proulx wrote:

> Erik Auerswald wrote:
> > Grigoriy Sokolik wrote:
> > > I've rechecked:
> >
> > I cannot reproduce the problem, the certificate is trusted by my system:
> >
> >     # via IPv4
> >     $ gnutls-cli --verbose translationproject.org </dev/null | grep -E 'Connecting|Status'
> >     Connecting to '80.69.83.146:443'...
> >     - Status: The certificate is trusted.
> >     # via IPv6
> >     $ gnutls-cli --verbose translationproject.org </dev/null | grep -E 'Connecting|Status'
> >     Connecting to '2a01:7c8:c037:6::20:443'...
> >     - Status: The certificate is trusted.
>
> I have the same results here.  Everything looks okay in the inspection
> of it.
>
> > It seems to me as if your system does not trust the used root CA.
> >
> > >     [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...]
> >
> > On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs:
> >
> >     $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l
> >     lrwxrwxrwx 1 root root 53 Mai 28  2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
> >     $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject:
> >         Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
>
> Again same here on my Debian system.  The root certificate store for
> the trust anchor is in the ca-certificates package.
>
> Looking at my oldest system I see this is distributed as package
> version 20200601~deb9u1 and includes the above file.
>
>     $ apt-cache policy ca-certificates
>     ca-certificates:
>       Installed: 20200601~deb9u1
>       Candidate: 20200601~deb9u1
>       Version table:
>      *** 20200601~deb9u1 500
>             500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
>             500 http://ftp.us.debian.org/debian stretch-updates/main amd64 Packages
>             100 /var/lib/dpkg/status
>
> Verifying that the equivalent of ca-certificates is installed on your
> system should provide for it.
>
> As this seems not to be a bug in Coreutils I am marking the bug as
> closed with this mail.  However more discussion is always welcome.
>
> Bob

From unknown Mon Aug 18 09:02:29 2025
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Thu, 08 Apr 2021 11:24:09 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
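
The thread raises two explanations for a failed verification: the issuing root is missing from the local trust store, or the root is installed and the problem lies elsewhere (the reporter's case went away with GnuTLS 3.7.1). The shell functions below are an added example, not code from any participant or from the projects named; they separate the two cases from a saved gnutls-cli --verbose log. The function names and the sample capture are constructed for illustration, and the mapping from a CA's CN to a store file name (spaces to underscores, .pem suffix) is an assumption based on the /etc/ssl/certs listing quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a TLS verification result from a saved
# `gnutls-cli --verbose HOST </dev/null` log and a trust-store directory.
# Assumption: store files are named after the CA's CN with spaces turned
# into underscores, like /etc/ssl/certs/DST_Root_CA_X3.pem in the thread.

# Print the CN of the last issuer in the log (the anchor the chain expects).
root_issuer_cn() {
    sed -n "s/.*issuer \`CN=\([^,']*\).*/\1/p" "$1" | tail -n 1
}

# Print: trusted | store-missing-root | root-present-check-library
triage() {
    capture=$1
    store=$2
    if grep -q '^- Status: The certificate is trusted\.' "$capture"; then
        echo trusted
        return 0
    fi
    cn=$(root_issuer_cn "$capture")
    file=$(printf '%s' "$cn" | tr ' ' '_').pem
    if [ -n "$cn" ] && [ -e "$store/$file" ]; then
        # Anchor is installed but verification still failed: compare the
        # TLS library version and the served chain, not the store.
        echo root-present-check-library
    else
        # Anchor absent: install or refresh the ca-certificates equivalent.
        echo store-missing-root
    fi
}

# Write a constructed capture (illustrative, not output from the thread).
# $1 = file to write, $2 = text after "- Status: "
make_capture() {
    cat > "$1" <<EOF
Connecting to '192.0.2.10:443'...
- Certificate[0] info:
 - subject \`CN=host.example', issuer \`CN=Example Intermediate CA,O=Example'
- Certificate[1] info:
 - subject \`CN=Example Intermediate CA,O=Example', issuer \`CN=DST Root CA X3,O=Digital Signature Trust Co.'
- Status: $2
EOF
}
```

On a real system the second argument to triage would be the trust-store directory, for example /etc/ssl/certs.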