From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Resent-From: "j-james" Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Tue, 22 Dec 2020 02:02:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: 45358@debbugs.gnu.org X-Debbugs-Original-To: Received: via spool by submit@debbugs.gnu.org id=B.160860250914070 (code B ref -1); Tue, 22 Dec 2020 02:02:01 +0000 Received: (at submit) by debbugs.gnu.org; 22 Dec 2020 02:01:49 +0000 Received: from localhost ([127.0.0.1]:48620 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krWzk-0003er-Ax for submit@debbugs.gnu.org; Mon, 21 Dec 2020 21:01:49 -0500 Received: from lists.gnu.org ([209.51.188.17]:58520) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krWck-00036l-6K for submit@debbugs.gnu.org; Mon, 21 Dec 2020 20:38:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:55162) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1krWcj-0004ci-Ou for bug-coreutils@gnu.org; Mon, 21 Dec 2020 20:38:02 -0500 Received: from mail-pg1-x52e.google.com ([2607:f8b0:4864:20::52e]:33192) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1krWcf-00062E-Qe for bug-coreutils@gnu.org; Mon, 21 Dec 2020 20:37:59 -0500 Received: by mail-pg1-x52e.google.com with SMTP id n25so1878085pgb.0 for ; Mon, 21 Dec 2020 17:37:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-james-me.20150623.gappssmtp.com; s=20150623; h=mime-version:content-transfer-encoding:subject:from:to:date :message-id; bh=JOm+IL4v+D9B3F3J8t0jI7FtxJMX+sjOrM+1Xz1hbjo=; b=KSsBoSxpsE4ag/dxu7v39pCoblBcY2LJF0m1G+1zgITlAScSVIGfH/qAcVpvIfc2n7 xfQ0ZRAZBMqnVf9wa8kn4O7omMck/WunO9Fy/EzWGJGhnIS0FKM5U1QV9zfSowhEAiS5 3SvkVOERKPRRwTmrS3v4Y9gaG1cAmWLtukn0UbEzLIx81fSfEcQ+5QfWFWKW64gYK2DI Iwgb3PyQGuA+rRMElyQ98rdshGe+PN1x1qKN1VSz3d3LENrdrE+7rWPBU6Mp974QWpko 5It9owK4wZdWSc2bmaqrLg3i7p7NlqG6odDUrYE0OWfeLUbTWZgU2WZK5wOKzCYNCgKZ 9EeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:content-transfer-encoding:subject :from:to:date:message-id; bh=JOm+IL4v+D9B3F3J8t0jI7FtxJMX+sjOrM+1Xz1hbjo=; b=MtauxmcgWQHRE2DplubgzMZcI9bQAXHQ0LIQT5PYXhei9asc9RIuHmzsI3ZnYwO8jW nbAIAGehM198A2UjMzKx2t2h1Yoisx49UnnU5xw5bh2DIwGxxAhHVSszARgxPbhFU+Ka 8U1ZpsA/vBDkIWEZg9QyrDA9RDMM77lo5RMllDA5f7gejfz53aU5LAaaYtoUo6A5UfSb 2DdrGDh19xRgbGdV/+w1W7ptRiqFGdkGcqcMHYm/Qf0z05F1FxUXNn/pcWcr4s5aFgNq DfBLTvUgLfVubMoa6E3nuOHTZi9sD5SXrwKkY9Jjxay6gvy9tINd3Knq1ao2zvqevZdk YMhA== X-Gm-Message-State: AOAM5327H85JrdP79P9VCwj/EENrfikFs13kwfzjIW+zcyxAV9vkpEHn 9Xs2jFqV0xKCQ8Zv12gT+U66XuA3Y6XV04HL X-Google-Smtp-Source: ABdhPJyGbDKTWbsWlOcLAcvArvYnFZ1kq+ZD0pHfweXlNGIx3BpKX7cAMnyZZSWy3JIguLCS5i2r0w== X-Received: by 2002:a63:74b:: with SMTP id 72mr17657173pgh.4.1608601073657; Mon, 21 Dec 2020 17:37:53 -0800 (PST) Received: from localhost (71-212-96-141.tukw.qwest.net. [71.212.96.141]) by smtp.gmail.com with ESMTPSA id z10sm18287163pfr.204.2020.12.21.17.37.52 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 21 Dec 2020 17:37:53 -0800 (PST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 From: "j-james" Date: Mon, 21 Dec 2020 17:29:35 -0800 Message-Id: Received-SPF: pass client-ip=2607:f8b0:4864:20::52e; envelope-from=jj@j-james.me; helo=mail-pg1-x52e.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Mailman-Approved-At: Mon, 21 Dec 2020 21:01:46 -0500 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) When running ./bootstrap in a freshly-cloned repository, it seems to either= =20 not find some files it wants to or doesn't trust https://translationproject= .org. Connecting to https://translationproject.org in a (non-wget) web browser wo= rks fine. The following is the output of ./bootstrap. ``` ./bootstrap: Bootstrapping from checked-out coreutils sources... ./bootstrap: consider installing git-merge-changelog from gnulib ./bootstrap: getting gnulib files... Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'g= nulib' Cloning into '/home/teal/Projects/coreutils/gnulib'... Submodule path 'gnulib': checked out '8183682cc4436bee18007d61bc79938eaf786= 19a' ./bootstrap: getting translations into po/.reference for coreutils... Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' ERROR: The certificate of 'translationproject.org' is not trusted. ERROR: The certificate of 'translationproject.org' doesn't have a known iss= uer. ``` Do let me know if you need more information, or if this is a duplicate repo= rt. -- j-james From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch References: In-Reply-To: Resent-From: Grigoriy Sokolik Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Sat, 13 Feb 2021 12:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: 45358@debbugs.gnu.org Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.16132210026261 (code B ref 45358); Sat, 13 Feb 2021 12:57:02 +0000 Received: (at 45358) by debbugs.gnu.org; 13 Feb 2021 12:56:42 +0000 Received: from localhost ([127.0.0.1]:33720 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lAuTZ-0001cu-8Y for submit@debbugs.gnu.org; Sat, 13 Feb 2021 07:56:41 -0500 Received: from mail-yb1-f170.google.com ([209.85.219.170]:35082) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lAuGl-0007eA-18 for 45358@debbugs.gnu.org; Sat, 13 Feb 2021 07:43:29 -0500 Received: by mail-yb1-f170.google.com with SMTP id p186so2350198ybg.2 for <45358@debbugs.gnu.org>; Sat, 13 Feb 2021 04:43:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=g-sokol-info.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=BnKCTpW+KBCArfBMRvj02Qqx+t6MXhu8GVnbQY4Vp7Y=; b=o5A5Uit8kiFcA071dctWsZwa0yd7woHEeVDU+AKv2bStAzxgJDIttACEGtUHDAzLH9 7rsgeHOEPR/vMXMRIek41zWrULRgIPIc+AtChD3WvvfTf7Wx6yyNFBcb/Eikkm3eL3Xc hL8cKWB3MJkTyerP/m8zbVsL4gRXMlR3jB8UrTWEg5L8lDh9WW1G5MyMDKtrLLLYDv9F Ev14Gzw4rnBSJTCDVUGOu+iHR2EaLeSSgmnGl3Fm+mNJC6pXBO09sqdux010emWKBv1A 3wHHPzj9OYxilWqLzVGOObwSKYWA9B0L9HwZeyah+7dyyyOMDCFn9Kjxfu7zlce9YXQ9 6GRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=BnKCTpW+KBCArfBMRvj02Qqx+t6MXhu8GVnbQY4Vp7Y=; b=V8H6ASc4aT2/On479jgC8sP0tNlx1jfar9tec+RsdMKMcPWmGAMfPxrEqOEKHFDtAP E93R9NAgPUGnMlJ/+ilcEm6WFhzYY9oVYxc9BeyR4SGQ8VYnfhbBlQ/bC7TxKfGSrV3P njoCVR7L16igA1VIsdMN4+VBLkhmBD7jdqo4EkMJKtl8UwaQcMvO92ldR6NSZt4Wd9L2 kX9ReV6pjA7hyr3hbdMLCEA1YNOpfd8HTGpKcapYgmObR43OzlnHc3SOF8Gx3QUR3jqA WFa7pTei4dMPkfFIb7bVHcFCg6D9J4RZnEcF/FNB9vXnzaI8uX5xSCzheF5XhVQGS2i2 +PAw== X-Gm-Message-State: AOAM530c1St3l+mkYuxOOcENok7ojncuBdVzOkqnBzG08F7dIefaeXj4 GeL9IE6XUekMoXAo43cXthKCP/1Osid3caVxZwe4ufo4epCzusZU X-Google-Smtp-Source: ABdhPJzgdR+5uV3QwZBFlaw8dOzPaNALPPyoVQF1tjZ+DY9QP1RNDkV49lkxMqA8RLGWCFbHCA5LOD4wYmqkAy66KMs= X-Received: by 2002:a25:5583:: with SMTP id j125mr9452573ybb.307.1613220201077; Sat, 13 Feb 2021 04:43:21 -0800 (PST) MIME-Version: 1.0 From: Grigoriy Sokolik Date: Sat, 13 Feb 2021 14:43:10 +0200 Message-ID: Content-Type: multipart/alternative; boundary="00000000000007a30105bb37198f" X-Spam-Score: 0.8 (/) X-Mailman-Approved-At: Sat, 13 Feb 2021 07:56:40 -0500 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.2 (/) --00000000000007a30105bb37198f Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I have the same issue. Some investigations: 1. I decided to find out the particular command that fails and added more debug print: diff --git a/bootstrap b/bootstrap index 7523f65b4..44c21db23 100755 --- a/bootstrap +++ b/bootstrap @@ -749,6 +749,7 @@ download_po_files() { domain=3D$2 echo "$me: getting translations into $subdir for $domain..." cmd=3D$(printf "$po_download_command_format" "$subdir" "$domain") + echo "$me: going to exec \"$cmd\"..." eval "$cmd" } 2. Tried to run: $ ./bootstrap ./bootstrap: Bootstrapping from checked-out coreutils sources... ./bootstrap: consider installing git-merge-changelog from gnulib ./bootstrap: getting gnulib files... ./bootstrap: getting translations into po/.reference for coreutils... ./bootstrap: going to exec "wget --mirror --level=3D1 -nd -nv -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/"... ERROR: The certificate of 'translationproject.org' is not trusted. ERROR: The certificate of 'translationproject.org' doesn't have a known issuer. 3. Tried to run the command directly, but without `-nv` flag: $ wget --mirror --level=3D1 -nd -v -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/ --2021-02-13 14:23:35-- https://translationproject.org/latest/coreutils= / Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' Resolving translationproject.org (translationproject.org)... 80.69.83.146, 2a01:7c8:c037:6::20 Connecting to translationproject.org (translationproject.org)|80.69.83.146|:443... connected. ERROR: The certificate of =E2=80=98translationproject.org=E2=80=99 is no= t trusted. ERROR: The certificate of =E2=80=98translationproject.org=E2=80=99 doesn= 't have a known issuer. 4. Tried the same with curl: $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 80.69.83.146:443... * Connected to translationproject.org (80.69.83.146) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: none } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * TLSv1.3 (IN), TLS handshake, Server hello (2): { [93 bytes data] * TLSv1.2 (IN), TLS handshake, Certificate (11): { [6723 bytes data] * TLSv1.2 (IN), TLS handshake, Server key exchange (12): { [589 bytes data] * TLSv1.2 (IN), TLS handshake, Server finished (14): { [4 bytes data] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): } [70 bytes data] * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): } [1 bytes data] * TLSv1.2 (OUT), TLS handshake, Finished (20): } [16 bytes data] * TLSv1.2 (IN), TLS handshake, Finished (20): { [16 bytes data] * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server did not agree to a protocol * Server certificate: * subject: CN=3Dstats.vrijschrift.org * start date: Dec 31 10:34:41 2020 GMT * expire date: Mar 31 10:34:41 2021 GMT * subjectAltName: host "translationproject.org" matched cert's "translationproject.org" * issuer: C=3DUS; O=3DLet's Encrypt; CN=3DR3 * SSL certificate verify ok. } [5 bytes data] > GET /latest/coreutils/ HTTP/1.1 > Host: translationproject.org > User-Agent: curl/7.75.0 > Accept: */* > { [5 bytes data] * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Date: Sat, 13 Feb 2021 12:26:00 GMT < Server: Apache/2.4.10 (Debian) < Vary: Accept-Encoding < Transfer-Encoding: chunked < Content-Type: text/html;charset=3DUTF-8 < { [5 bytes data] 100 8881 0 8881 0 0 16980 0 --:--:-- --:--:-- --:--:-- 16980 * Connection #0 to host translationproject.org left intact 5. Trying to export and verify the cert with certtools: $ certtool --verbose --verify-profile=3Dhigh --verify --infile=3D/tmp/ stats.vrijschrift.org Loaded system trust (139 CAs available) Subject: CN=3DR3,O=3DLet's Encrypt,C=3DUS Issuer: CN=3DDST Root CA X3,O=3DDigital Signature Trust Co. Signature algorithm: RSA-SHA256 Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. Subject: CN=3DR3,O=3DLet's Encrypt,C=3DUS Issuer: CN=3DDST Root CA X3,O=3DDigital Signature Trust Co. Signature algorithm: RSA-SHA256 Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. Subject: CN=3DR3,O=3DLet's Encrypt,C=3DUS Issuer: CN=3DDST Root CA X3,O=3DDigital Signature Trust Co. Checked against: CN=3DDST Root CA X3,O=3DDigital Signature Trust= Co. Signature algorithm: RSA-SHA256 Output: Verified. The certificate is trusted. Subject: CN=3Dstats.vrijschrift.org Issuer: CN=3DR3,O=3DLet's Encrypt,C=3DUS Checked against: CN=3DR3,O=3DLet's Encrypt,C=3DUS Signature algorithm: RSA-SHA256 Output: Verified. The certificate is trusted. Chain verification output: Verified. The certificate is trusted. Maybe that "Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown." Is the issue? Thanks! Best regards, Grigorii --00000000000007a30105bb37198f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I have the same issue.

Some investigati= ons:
  1. I decided to find out the particular command that fa= ils and added more debug print:

    diff --git = a/bootstrap b/bootstrap
    index 7523f65b4..44c21db23 100755
    --- a/boots= trap
    +++ b/bootstrap
    @@ -749,6 +749,7 @@ download_po_files() {
    =C2= =A0 =C2=A0domain=3D$2
    =C2=A0 =C2=A0echo "$me: getting translations = into $subdir for $domain..."
    =C2=A0 =C2=A0cmd=3D$(printf "$po_= download_command_format" "$subdir" "$domain")
    += =C2=A0echo "$me: going to exec \"$cmd\"..."
    =C2=A0 = =C2=A0eval "$cmd"
    }

  2. Tried=C2=A0to run:<= br>
    $ ./bootstrap
    ./bootstrap: Bootstrapping from checked-out coreutils sources...
    ./bootstrap: consider installing git-merge-c= hangelog from gnulib
    ./bootstrap: gettin= g gnulib files...
    ./bootstrap: getting t= ranslations into po/.reference for coreutils...
    ./bootstrap: going to exec "wget --mirror --level=3D1 -nd -nv = -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/&quo= t;...
    ERROR: The certificate of 'translationproject.org' is not trusted.
    ERROR: The certificate of 'translationproject.org' doesn'= ;t have a known issuer.

  3. Tried to run the command directly, but without `-nv` flag:
    <= br>$ wget --mirror --level=3D1 -nd -v -A.po -P = 9;po/.reference' =C2=A0https://translationproject.org/latest/coreutils/
    --202= 1-02-13 14:23:35-- =C2=A0https://translationproject.org/latest/coreutils/
    Loaded C= A certificate '/etc/ssl/certs/ca-certificates.crt'
    Resolving translationproject.org (translationproject.org)... 80.69.83.= 146, 2a01:7c8:c037:6::20
    Connecting to translationproject.org (translationproject.org)|80.69.83.146|:443... connected.
    ERROR: T= he certificate of =E2=80=98transl= ationproject.org=E2=80=99 is not trusted.
    ERROR: The certificate of = =E2=80=98translationproject.org=E2=80=99 doesn't have a known issuer.

  4. Tried t= he same with curl:

    $ curl -v     https://translationproject.o= rg/latest/coreutils/ -o /dev/null
    =C2=A0 % Total =C2=A0 =C2=A0% Rece= ived % Xferd =C2=A0Average Speed =C2=A0 Time =C2=A0 =C2=A0Time =C2=A0 =C2= =A0 Time =C2=A0Current
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0Dload = =C2=A0Upload =C2=A0 Total =C2=A0 Spent =C2=A0 =C2=A0Left =C2=A0Speed
    =C2= =A0 0 =C2=A0 =C2=A0 0 =C2=A0 =C2=A00 =C2=A0 =C2=A0 0 =C2=A0 =C2=A00 =C2=A0 = =C2=A0 0 =C2=A0 =C2=A0 =C2=A00 =C2=A0 =C2=A0 =C2=A00 --:--:-- --:--:-- --:-= -:-- =C2=A0 =C2=A0 0* =C2=A0 Trying 80.69.83.146:443...
    * Connected to <= a href=3D"http://translationproject.org">translationproject.org (80.69.= 83.146) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1* successfully set certificate verify locations:
    * =C2=A0CAfile: /etc/= ssl/certs/ca-certificates.crt
    * =C2=A0CApath: none
    } [5 bytes data]* TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]* TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [93 bytes data]
    = * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [6723 bytes data]
    = * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    { [589 bytes da= ta]
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    { [4 bytes d= ata]
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    } [70 = bytes data]
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):<= br>} [1 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    } = [16 bytes data]
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    { [16 b= ytes data]
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256<= br>* ALPN, server did not agree to a protocol
    * Server certificate:
    *= =C2=A0subject: CN=3Dstats.vrijsch= rift.org
    * =C2=A0start date: Dec 31 10:34:41 2020 GMT
    * =C2=A0exp= ire date: Mar 31 10:34:41 2021 GMT
    * =C2=A0subjectAltName: host "translationproject.org" ma= tched cert's
    "transla= tionproject.org"
    * =C2=A0issuer: C=3DUS; O=3DLet's Encrypt;= CN=3DR3
    * =C2=A0SSL certificate verify ok.
    } [5 bytes data]
    > = GET /latest/coreutils/ HTTP/1.1
    > Host: translationproject.org
    > User-Agent: curl/7.75.0
    = > Accept: */*
    >
    { [5 bytes data]
    * Mark bundle as not suppo= rting multiuse
    < HTTP/1.1 200 OK
    < Date: Sat, 13 Feb 2021 12:26= :00 GMT
    < Server: Apache/2.4.10 (Debian)
    < Vary: Accept-Encodin= g
    < Transfer-Encoding: chunked
    < Content-Type: text/html;charse= t=3DUTF-8
    <
    { [5 bytes data]
    100 =C2=A08881 =C2=A0 =C2=A00 =C2= =A08881 =C2=A0 =C2=A00 =C2=A0 =C2=A0 0 =C2=A016980 =C2=A0 =C2=A0 =C2=A00 --= :--:-- --:--:-- --:--:-- 16980
    * Connection #0 to host translationproject.org left intact
    <= br>
  5. Trying to export and verify the cert with certtools:

    $ certtool --verbose --verify-profile=3Dhigh --verify= --infile=3D/tmp/stats.vrijschrift= .org
    Loaded system trust (139 CAs av= ailable)
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Sub= ject: CN=3DR3,O=3DLet's Encrypt,C=3DUS
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Issuer: CN=3DDST Root CA X3,O=3DDigital Sign= ature Trust Co.
    =C2=A0 =C2=A0 =C2=A0 =C2= =A0 Signature algorithm: RSA-SHA256
    =C2= =A0 =C2=A0 =C2=A0 =C2=A0 Output: Not verified. The certificate is NOT trust= ed. The certificate issuer is unknown.

    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Subject: CN=3DR3,O=3DLet's Encrypt,C=3DU= S
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Issuer: CN= =3DDST Root CA X3,O=3DDigital Signature Trust Co.
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Signature algorithm: RSA-SHA256
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Output: Not verif= ied. The certificate is NOT trusted. The certificate issuer is unknown.

    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Subject: CN= =3DR3,O=3DLet's Encrypt,C=3DUS
    =C2= =A0 =C2=A0 =C2=A0 =C2=A0 Issuer: CN=3DDST Root CA X3,O=3DDigital Signature = Trust Co.
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Ch= ecked against: CN=3DDST Root CA X3,O=3DDigital Signature Trust Co.=C2=A0 =C2=A0 =C2=A0 =C2=A0 Signature algorithm:= RSA-SHA256
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 = Output: Verified. The certificate is trusted.

    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Subject: CN=3Dstats.vrijschrift.org
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Issuer: CN=3DR3,O=3DLet's Encrypt,C=3DU= S
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Checked ag= ainst: CN=3DR3,O=3DLet's Encrypt,C=3DUS
    =C2=A0 =C2=A0 =C2=A0 =C2=A0 Signature algorithm: RSA-SHA256
    <= font face=3D"monospace">=C2=A0 =C2=A0 =C2=A0 =C2=A0 Output: Verified. The c= ertificate is trusted.

    Chain verific= ation output: Verified. The certificate is trusted.

    Maybe that "Ou= tput: Not verified. The certificate is NOT trusted. The certificate issuer = is unknown." Is the issue?

<= div>
Thanks!
Best regards,
= Grigorii
--00000000000007a30105bb37198f-- From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch References: In-Reply-To: Resent-From: Grigoriy Sokolik Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Mon, 15 Feb 2021 15:07:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: 45358@debbugs.gnu.org Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161340158110776 (code B ref 45358); Mon, 15 Feb 2021 15:07:02 +0000 Received: (at 45358) by debbugs.gnu.org; 15 Feb 2021 15:06:21 +0000 Received: from localhost ([127.0.0.1]:38472 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lBfS5-0002ne-KI for submit@debbugs.gnu.org; Mon, 15 Feb 2021 10:06:20 -0500 Received: from mail-yb1-f179.google.com ([209.85.219.179]:39466) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lBbja-0002sO-8P for 45358@debbugs.gnu.org; Mon, 15 Feb 2021 06:08:06 -0500 Received: by mail-yb1-f179.google.com with SMTP id k4so6777367ybp.6 for <45358@debbugs.gnu.org>; Mon, 15 Feb 2021 03:08:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=g-sokol-info.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=Pa2dzSG3d62pi8whxc4GnF4dD7ySxN8FEFELaZEbZko=; b=eCKHfGXU42Xx7BE2SfNakuGkWc0W2cGjba4wnjaalJB0mzrXotkByAfXUpnqZpvCNW wQpjmfs0zGxabI03nMjOe5LUEkPBGgyS100xXMm4jxj6TkfiJT25v67pcVnycmA/e9fv jeVViRwUJ0ylggApJeREb0ExVabIxQuy7Q0B4gOWILXBOnGpsOeMpiHXBJEOl6hfnBJi J3G5ACct7CW5H/sm1nHPlqpPOuLZ+RSOwStRt28qM3D3jOOJ0Hex4coyfkuMbn9hzLvH v8AaNYQygGSAiBeR54VYpD1YOmc4z1Gsshn80He3+nFk5RAvW5WH85weFMyqGqh1ZwoV Xtgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Pa2dzSG3d62pi8whxc4GnF4dD7ySxN8FEFELaZEbZko=; b=rf0EQ95n9R+P795NJgMPjhTEqgzAZkArSY4kkDA4UnSw2TFKU5pfGBXxsVWJZ0cefd ngIKLMyVo9MKku+jBLG4OdyY6iO/4oVD4qZbY9891HZttZgqT1R7nlMEyqIbEzhpVkXJ LifNR4128qr08FSMNMlxPV/6lUerqoH2E2VPvSdKI2/iY49P5wtnLxkUB308EIiOwdX6 Ewj0rRoRZWVqEyFJc5rj5hYsBvrs3GvDo4mTExMINwXPnPWVe9F7FIIFwaRe3ZYYl/2A YRdAOJxY8AhoEgc8Q1j4kWFRrhoCfSGPhqJ+qROSbz6VGdgVwmaO405QvOoHc74cd3n8 S4pA== X-Gm-Message-State: AOAM530EmFNhekdqJUlawNNRL2v0AAn+kOESuk2a4jQrFWmzsDOYgcCl 5aqW3Jv2C97MokYcZ1dhavy49HLrc6+MwhGkSG2PzckjRxwigw== X-Google-Smtp-Source: ABdhPJyN5HsqFoJTQ4+UKvDYPBAJn+LxF88+fVc2OsNi7eBydL514qQi3ok5J9n+W8wC6kRvNhK9xEqH3kAfDCpjV+k= X-Received: by 2002:a25:a044:: with SMTP id x62mr2111866ybh.153.1613387280553; Mon, 15 Feb 2021 03:08:00 -0800 (PST) MIME-Version: 1.0 From: Grigoriy Sokolik Date: Mon, 15 Feb 2021 13:07:49 +0200 Message-ID: Content-Type: multipart/alternative; boundary="000000000000be1bd305bb5dffc3" X-Spam-Score: 0.7 (/) X-Mailman-Approved-At: Mon, 15 Feb 2021 10:06:17 -0500 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.3 (/) --000000000000be1bd305bb5dffc3 Content-Type: text/plain; charset="UTF-8" The temporary workaround could be, at least to skip the certificate validation: ``` $ git --no-pager diff diff --git a/bootstrap b/bootstrap index 7523f65b4..dcb8aa388 100755 --- a/bootstrap +++ b/bootstrap @@ -180,7 +180,7 @@ bootstrap_epilogue() { :; } # specified directory. Fill in the first %s with the destination # directory and the second with the domain name. po_download_command_format=\ -"wget --mirror --level=1 -nd -nv -A.po -P '%s' \ +"wget --mirror --level=1 -nd --no-check-certificate -nv -A.po -P '%s' \ https://translationproject.org/latest/%s/" # Prefer a non-empty tarname (4th argument of AC_INIT if given), else ``` But be careful, this is really bad advice: fetching anything without consistency ad authority validation is really insecure! Thanks! Best regards, Grigorii --000000000000be1bd305bb5dffc3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The temporary=C2=A0workaround could be, at least to skip t= he certificate validation:

```
$ git --no-page= r diff
diff --git a/bootstrap b/bootstrap
index 7523f65b4..dcb8aa388= 100755
--- a/bootstrap
+++ b/bootstrap
@@ -180,7 +180,7 @@ bootst= rap_epilogue() { :; }
=C2=A0# specified directory.=C2=A0 Fill in the fir= st %s with the destination
=C2=A0# directory and the second with the dom= ain name.
=C2=A0po_download_command_format=3D\
-"wget --mirror -= -level=3D1 -nd -nv -A.po -P '%s' \
+"wget --mirror --level= =3D1 -nd --no-check-certificate -nv -A.po -P '%s' \
=C2=A0 https://translationproject= .org/latest/%s/"
=C2=A0
=C2=A0# Prefer a non-empty tarname (= 4th argument of AC_INIT if given), else
```

But be careful, this is really bad advice: fetching anything withou= t consistency ad authority validation is really insecure!

Thanks!
Best regards,
<= div>Grigorii
--000000000000be1bd305bb5dffc3-- From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Resent-From: Paul Eggert Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Tue, 16 Feb 2021 17:29:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Grigoriy Sokolik , 45358@debbugs.gnu.org Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161349654128650 (code B ref 45358); Tue, 16 Feb 2021 17:29:02 +0000 Received: (at 45358) by debbugs.gnu.org; 16 Feb 2021 17:29:01 +0000 Received: from localhost ([127.0.0.1]:41466 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lC49l-0007S2-9H for submit@debbugs.gnu.org; Tue, 16 Feb 2021 12:29:01 -0500 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:38972) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lC49j-0007Ro-Lh for 45358@debbugs.gnu.org; Tue, 16 Feb 2021 12:29:00 -0500 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 2385A1600A7; Tue, 16 Feb 2021 09:28:54 -0800 (PST) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id H3VzQ0uKGr1L; Tue, 16 Feb 2021 09:28:52 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 1DBA31600B7; Tue, 16 Feb 2021 09:28:52 -0800 (PST) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id kZT7uN0I3CZX; Tue, 16 Feb 2021 09:28:52 -0800 (PST) Received: from [192.168.1.9] (cpe-23-243-218-95.socal.res.rr.com [23.243.218.95]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id EDD971600A7; Tue, 16 Feb 2021 09:28:51 -0800 (PST) References: From: Paul Eggert Organization: UCLA Computer Science Department Message-ID: <0a50bc2c-426f-d3a5-e68d-928c0638682a@cs.ucla.edu> Date: Tue, 16 Feb 2021 09:28:51 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Spam-Score: -0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) On 2/15/21 3:07 AM, Grigoriy Sokolik wrote: > But be careful, this is really bad advice: fetching anything without > consistency ad authority validation is really insecure! Yes, we should instead fix the underlying problem whatever it is (not sure what it is since that wasn't reported). From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Resent-From: Grigoriy Sokolik Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Wed, 17 Feb 2021 09:39:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Paul Eggert Cc: 45358@debbugs.gnu.org Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161355471132359 (code B ref 45358); Wed, 17 Feb 2021 09:39:01 +0000 Received: (at 45358) by debbugs.gnu.org; 17 Feb 2021 09:38:31 +0000 Received: from localhost ([127.0.0.1]:42500 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lCJHz-0008Pr-58 for submit@debbugs.gnu.org; Wed, 17 Feb 2021 04:38:31 -0500 Received: from mail-yb1-f171.google.com ([209.85.219.171]:41118) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lCJHx-0008Pb-6m for 45358@debbugs.gnu.org; Wed, 17 Feb 2021 04:38:29 -0500 Received: by mail-yb1-f171.google.com with SMTP id m9so11084556ybk.8 for <45358@debbugs.gnu.org>; Wed, 17 Feb 2021 01:38:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=g-sokol-info.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4f5H9UugGQTvsa+a2qODc2N9mxhhf7yFJ53Z4cDzSLs=; b=Hn+Ajp9hq6KtGrzKNZw+q40GUpKNp9eChPdpmZUwlswZ/4HmvibHqw/W8y+ioztu3i DUKODUOY7XbbaTHAkyUlmW/lBQRxzh/oFu21IxHT1Rw6BUHSNJZikF4EDcy+YPBWrA+0 WT9dGmTcQL+ZXddK7VWiIJ5lNmekry0RsG+0S9efFoVuW55bt7MQpBHvOTyh255m8M5/ h1dlgrB/cpS3k6C6waSdKyuB190h90mneBvMtbgY47B3iJJbJU7Sgrlk1+qTeR8EzCWz Pf8gbSnF6NzDjctgJOKXosxluSMle7CFJUpcNYawWvVeTkShtdIthp3J4Pwjw9YSN9Uw /qvQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4f5H9UugGQTvsa+a2qODc2N9mxhhf7yFJ53Z4cDzSLs=; b=PsET1YjPJDvBZ7fXpeNI3LxA4zdS9CVz86hT5zRRGvWHu171OXU1na9+vZYl47sVOk XKoERMwlxriP/peJsBzh8F2nAJzcb/MqPI/KJ4s7fHJ5hjxutizgVrsiplKQQHqnBmZQ w0hffzjZ5phxBR/1RYu66TrC++hM47T6JDv/OdQahalYbWoYu/TJ93gr/eScQsrqjmvx jEbmSHRfBAFUmErVwmK2Pmk6Y4FYppAmOKKdCfrQDobwg+5jHyCOkoLFYTlFdgl3UlBJ x9rYPWBoEErgWGu9C/pE48oIBZZbq6M8rpRp1W7exYh6+rxheFchOGtE38KxTcO2zw7+ P4hw== X-Gm-Message-State: AOAM533DVRTDKbyUgIbb9yqEkN/iQ3Osd/v2lx5+aqYkmfgwpHRcVDnR MlrtXnBsgOyI/AiNFy/oWasA9sJJmPHopvkjQ+k= X-Google-Smtp-Source: ABdhPJwzpwhnuMP/COHnxBrQbuBB10CM0arX/HLkse/TqnSh6ANP5sPcNFP9DDQIkcerTJOZ0+7vjBSO3DaFenkwQOg= X-Received: by 2002:a25:b099:: with SMTP id f25mr39058964ybj.143.1613554703538; Wed, 17 Feb 2021 01:38:23 -0800 (PST) MIME-Version: 1.0 References: <0a50bc2c-426f-d3a5-e68d-928c0638682a@cs.ucla.edu> In-Reply-To: <0a50bc2c-426f-d3a5-e68d-928c0638682a@cs.ucla.edu> From: Grigoriy Sokolik Date: Wed, 17 Feb 2021 11:38:12 +0200 Message-ID: Content-Type: multipart/alternative; boundary="000000000000ee1dca05bb84fa87" X-Spam-Score: 0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.3 (/) --000000000000ee1dca05bb84fa87 Content-Type: text/plain; charset="UTF-8" The thing is that translationproject returns the wrong certificate. Thanks! Best regards, Grigorii On Tue, 16 Feb 2021 at 19:28, Paul Eggert wrote: > On 2/15/21 3:07 AM, Grigoriy Sokolik wrote: > > > But be careful, this is really bad advice: fetching anything without > > consistency ad authority validation is really insecure! > > Yes, we should instead fix the underlying problem whatever it is (not > sure what it is since that wasn't reported). > --000000000000ee1dca05bb84fa87 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The thing is that=C2=A0translationproject=C2=A0returns the= wrong certificate.=C2=A0

Thanks!
Best regards,<= /div>
Grigorii


On Tue, 16 Feb 20= 21 at 19:28, Paul Eggert <eggert@cs.ucla.edu> wrote:
On 2/15/21 3:07 AM, Grigoriy Sokolik wrote:
> But be careful, this is really bad advice: fetching anything without > consistency ad authority validation is really insecure!

Yes, we should instead fix the underlying problem whatever it is (not
sure what it is since that wasn't reported).
--000000000000ee1dca05bb84fa87-- From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: Wrong CA certificate on translationproject.org Resent-From: Benno Schulenberg Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Fri, 19 Feb 2021 19:06:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Nekolyanich Cc: 45358@debbugs.gnu.org Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161376154013898 (code B ref 45358); Fri, 19 Feb 2021 19:06:02 +0000 Received: (at 45358) by debbugs.gnu.org; 19 Feb 2021 19:05:40 +0000 Received: from localhost ([127.0.0.1]:50383 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lDB5v-0003c6-RC for submit@debbugs.gnu.org; Fri, 19 Feb 2021 14:05:40 -0500 Received: from cpsmtpb-ews01.kpnxchange.com ([213.75.39.4]:57528) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lDB5t-0003bs-8D for 45358@debbugs.gnu.org; Fri, 19 Feb 2021 14:05:39 -0500 Received: from cpsps-ews27.kpnxchange.com ([10.94.84.193]) by cpsmtpb-ews01.kpnxchange.com with Microsoft SMTPSVC(8.5.9600.16384); Fri, 19 Feb 2021 20:05:30 +0100 X-Brand: +YTO/YbK+g== X-KPN-SpamVerdict: e1=0;e2=0;e3=0;e4=;e6=(e1=10;e3=10;e2=11;e4=10;e6=1 0);EVW:White;BM:NotScanned;FinalVerdict:Clean X-CMAE-Analysis: v=2.4 cv=Mv4xV0We c=1 sm=1 tr=0 ts=60300bfa cx=a_idp_e a=dZ5u/0G9QtS9WKCcNUBnHQ==:117 a=X0PnwcQ2/mKcBfosUKIoXQ==:17 a=ZPPnv1nnAAAA:8 a=UhJ12kwm0HYA:10 a=IkcTkHD0fZMA:10 a=qa6Q16uM49sA:10 a=mDV3o1hIAAAA:8 a=PgeLO-2Dkjo29WDETD4A:9 a=QEXdDO2ut3YA:10 a=Fa6fxOqnmhaLeQZz8CEF:22 a=_FVE-zBwftR9WsbkzFJk:22 X-CM-AcctID: kpn@feedback.cloudmark.com Received: from smtp.kpnmail.nl ([195.121.84.13]) by cpsps-ews27.kpnxchange.com over TLS secured channel with Microsoft SMTPSVC(8.5.9600.16384); Fri, 19 Feb 2021 20:05:30 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kpnmail.nl; s=kpnmail01; h=content-type:mime-version:date:message-id:from:to:subject; bh=tYwRZZfMDDnhq3NkkUmJ7MbaVVAPH+136obLzTtx4VA=; b=mV5kOXLKbg/l9Lnz3HXIYxjyIWByDPa8HnwOezSqdBm9zsjDKdUPP306EDKexGI0ZSzJWaj3oTm4T 2MzI/pnE75caZ1wL7Vlysbyz0RBwfFVMnt1RMRMmCehKj/k2BNw1gZ+w3b9Zfu2WaJtnNQdKNE5ipR 4zaateVOD0d/BdQA= X-KPN-VerifiedSender: No X-CMASSUN: 33|JzEr5zkBvaKEwVrD/5do4f62EGbxN3S4cD57IHMrkpgLxY03wHN3PVzuGQUHLnK VShBR5nCXtZa3sfYO4H7niQ== X-Originating-IP: 77.173.60.12 Received: from [192.168.2.25] (77-173-60-12.fixed.kpn.net [77.173.60.12]) by smtp.kpnmail.nl (Halon) with ESMTPSA id 6ed2a89f-72e5-11eb-8206-005056998788; Fri, 19 Feb 2021 20:05:30 +0100 (CET) References: <4b260b40-e875-8f12-b6d8-3761c6766d0a@nekolyanich.com> From: Benno Schulenberg Message-ID: Date: Fri, 19 Feb 2021 20:05:29 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <4b260b40-e875-8f12-b6d8-3761c6766d0a@nekolyanich.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable X-OriginalArrivalTime: 19 Feb 2021 19:05:30.0108 (UTC) FILETIME=[30C973C0:01D706F2] X-RcptDomain: debbugs.gnu.org X-Spam-Score: 0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.3 (/) Op 17-02-2021 om 10:28 schreef Nekolyanich: > I find this https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D45358 recen= tly. Cannot reproduce. Downloading any project's PO files with wget works fine here -- no complaints about certificates. Why does your wget complain when curl and Firefox have no problem? > Your site(translationproject.org) provides >=20 > Subject: C=3DUS,O=3DLet's Encrypt,CN=3DR3 > Issuer: O=3DDigital Signature Trust Co.,CN=3DDST Root CA X3 > Serial: 85078157426496920958827089468591623647 >=20 > as CA certificate. > But your EndEntity certificate signed with >=20 > Subject: C=3DUS,O=3DLet's Encrypt,CN=3DR3 > Issuer: C=3DUS,O=3DInternet Security Research Group,CN=3DISRG Root X1 > Serial: 192961496339968674994309121183282847578 >=20 > You can find this certificate on LetsEncrypt site. I have no idea what to do about this. Any guidance? Benno From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: Wrong CA certificate on translationproject.org Resent-From: Grigoriy Sokolik Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Fri, 19 Feb 2021 20:02:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Benno Schulenberg Cc: 45358@debbugs.gnu.org, Nekolyanich Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161376486419147 (code B ref 45358); Fri, 19 Feb 2021 20:02:01 +0000 Received: (at 45358) by debbugs.gnu.org; 19 Feb 2021 20:01:04 +0000 Received: from localhost ([127.0.0.1]:50442 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lDBxX-0004yl-Ra for submit@debbugs.gnu.org; Fri, 19 Feb 2021 15:01:04 -0500 Received: from mail-yb1-f174.google.com ([209.85.219.174]:39443) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lDBxT-0004y6-Ok for 45358@debbugs.gnu.org; Fri, 19 Feb 2021 15:01:02 -0500 Received: by mail-yb1-f174.google.com with SMTP id u3so6667051ybk.6 for <45358@debbugs.gnu.org>; Fri, 19 Feb 2021 12:00:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=g-sokol-info.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+8JPaJBZLPFpiEFER8TXAdN8JOKkF543DTBqTpXiuIY=; b=JzgjG1rt/Rf+QmeqKbEFkBT7mLCcdSofzU4ZpFIuqPCv1lP+u0HGAxuHCl6NBczYQZ FlvAf68vCZl/T9AcRUt1ry4PwLFQP46ZfI4i0x1km2Ry5zp2gi02XYDDWanQH4D9P6+/ U/4XR9Wrvq1vT5WAPi5m1ccTwqefANOfu7RlBYCao/8mTgwQhp7MrUlxhCkVkOJUs9Pp 7MIWMi2IfixdCJM2zDJD5ObkQG1qWXJXpuHfqkB5Xo9pa54fbnfBpF4agxlBViNfYwDr y5C+qvMwIx4e5VwrvZ+pSkWJLu1HWFFpMv56gHGoqFV2hYeLxExZmtAfbdDnS+h7Q6dg PkMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+8JPaJBZLPFpiEFER8TXAdN8JOKkF543DTBqTpXiuIY=; b=NcxuzuwtFJ+X87SKbOx0gNH20xp1AcsHu2biiTqW2mhOjBsVWIq6anYnIJNd3D0AeP Ulbmmus/5HEvbhCTQyd9CaV8hfw+8W+dDcSNSUtRDSNSV8pfBy4pXoAPgmRyOF60eDZZ Uum/OQMdQYwL7wYYxOxKUBvFAx2Zo5OrcXuzkh+DWmY804FqI+3FlvXFx58gJsHfeEyc yzKY0JaSCR6TMxCpH5oyJcfHIu3wA+Xm3bahUscKiLpSbhpTyfpWj+MpehiI6vbN0Elt HdGSb6uV1Zt5rLPdoEyH6fJMvKcRHbdvOUlBmdZ24FZUb14810tYYjcsr/50fmLDwD4b Z2aQ== X-Gm-Message-State: AOAM533l/VaDZtQuenBuaRy83567VkFHje9CDP8PHCth3pdEcyiqq9aP ZNfVETOd66XLRm9u15+KOILM/495RnvoKmgQSMg/ramdlpc= X-Google-Smtp-Source: ABdhPJxqsbMAToJR+9SEwejNwAhPi8Vg8+UsNx70tNga8Fi84cxEwwlcqPyR/igDF2q1xxk3hjJxOsBc228/dVFwOyg= X-Received: by 2002:a25:d943:: with SMTP id q64mr4603877ybg.508.1613764854048; Fri, 19 Feb 2021 12:00:54 -0800 (PST) MIME-Version: 1.0 References: <4b260b40-e875-8f12-b6d8-3761c6766d0a@nekolyanich.com> In-Reply-To: From: Grigoriy Sokolik Date: Fri, 19 Feb 2021 22:00:43 +0200 Message-ID: Content-Type: multipart/alternative; boundary="000000000000e06c0405bbb5e849" X-Spam-Score: 0.7 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.3 (/) --000000000000e06c0405bbb5e849 Content-Type: text/plain; charset="UTF-8" Because wget uses gnutls for verification, curl -- openssl and browsers -- their own implementations. Thanks! Best regards, Grigorii On Fri, 19 Feb 2021 at 21:06, Benno Schulenberg < coordinator@translationproject.org> wrote: > > Op 17-02-2021 om 10:28 schreef Nekolyanich: > > I find this https://debbugs.gnu.org/cgi/bugreport.cgi?bug=45358 > recently. > > Cannot reproduce. Downloading any project's PO files with wget works > fine here -- no complaints about certificates. > > Why does your wget complain when curl and Firefox have no problem? > > > Your site(translationproject.org) provides > > > > Subject: C=US,O=Let's Encrypt,CN=R3 > > Issuer: O=Digital Signature Trust Co.,CN=DST Root CA X3 > > Serial: 85078157426496920958827089468591623647 > > > > as CA certificate. > > But your EndEntity certificate signed with > > > > Subject: C=US,O=Let's Encrypt,CN=R3 > > Issuer: C=US,O=Internet Security Research Group,CN=ISRG Root X1 > > Serial: 192961496339968674994309121183282847578 > > > > You can find this certificate on LetsEncrypt site. > > I have no idea what to do about this. Any guidance? > > Benno > > > > > --000000000000e06c0405bbb5e849 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Because wget uses gnutls for verification, curl -- openssl= and browsers -- their own implementations.

<= div dir=3D"ltr">
Thanks!
Best regards,
Grigorii


On Fri, 19 Feb 2021 at 21:06, Benno Schulenbe= rg <coordinator@tr= anslationproject.org> wrote:

Op 17-02-2021 om 10:28 schreef Nekolyanich:
> I find this https://debbugs.gnu.org/cgi/= bugreport.cgi?bug=3D45358 recently.

Cannot reproduce.=C2=A0 Downloading any project's PO files with wget wo= rks
fine here -- no complaints about certificates.

Why does your wget complain when curl and Firefox have no problem?

> Your site(translationproject.org) provides
>
> Subject: C=3DUS,O=3DLet's Encrypt,CN=3DR3
> Issuer: O=3DDigital Signature Trust Co.,CN=3DDST Root CA X3
> Serial: 85078157426496920958827089468591623647
>
> as CA certificate.
> But your EndEntity certificate signed with
>
> Subject: C=3DUS,O=3DLet's Encrypt,CN=3DR3
> Issuer: C=3DUS,O=3DInternet Security Research Group,CN=3DISRG Root X1<= br> > Serial: 192961496339968674994309121183282847578
>
> You can find this certificate on LetsEncrypt site.

I have no idea what to do about this.=C2=A0 Any guidance?

Benno




--000000000000e06c0405bbb5e849-- From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Resent-From: Bob Proulx Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Tue, 09 Mar 2021 05:56:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Grigoriy Sokolik Cc: 45358@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161526930811945 (code B ref 45358); Tue, 09 Mar 2021 05:56:02 +0000 Received: (at 45358) by debbugs.gnu.org; 9 Mar 2021 05:55:08 +0000 Received: from localhost ([127.0.0.1]:45410 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJVKl-00036W-Fa for submit@debbugs.gnu.org; Tue, 09 Mar 2021 00:55:07 -0500 Received: from havoc.proulx.com ([96.88.95.61]:46972) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJVKj-00035T-Mc; Tue, 09 Mar 2021 00:55:06 -0500 Received: from joseki.proulx.com (localhost [127.0.0.1]) by havoc.proulx.com (Postfix) with ESMTP id 1ADE82F3; Mon, 8 Mar 2021 22:55:00 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proulx.com; s=dkim2048; t=1615269300; bh=espFNrIW8+l+FmImQ706DNnhLKy70OTt+qhC5SFQeMs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=JA4W4SZXU4m5szkSRDycFb8Vz3zUdz/JNgFFRFyARqnmryj/OOA+ClpJRYqTlQaMO xpojE97Y80GKl04w1wLZxc7LO8d2jUt5H9oruurNAj/1I+UGu/DY6wGkKSI4culblv iHPU/f35DrWZ1wu+BcHpvpHnkgqirTlOPABpdhMZ9SSWRq0ckNDEPGK8FAF68Mfd/Q 0OYsHXnDYE6+l7SHDffY06Vf7waGDP2FiRgX5o0RxUTlwLrR3acaS3dBX0kjrzCOSj eLdE4QbJKXkydMabeIl5pBYggHS5YMtMwVVbI+CsNxsVAn+8geIO1PGo9791ZXlP/7 wHmaqLW7UEI9g== Received: from hysteria.proulx.com (hysteria.proulx.com [192.168.230.119]) by joseki.proulx.com (Postfix) with ESMTP id DF6252117E; Mon, 8 Mar 2021 22:54:59 -0700 (MST) Received: by hysteria.proulx.com (Postfix, from userid 1000) id C96AB2DCA0; Mon, 8 Mar 2021 22:54:59 -0700 (MST) Date: Mon, 8 Mar 2021 22:54:59 -0700 From: Bob Proulx Message-ID: <20210308222541460482867@bob.proulx.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Is this problem still a problem? Perhaps it has been fixed in the time this has been under discussion? Because it looks okay to me. Grigoriy Sokolik wrote: > $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null ... > * Connected to translationproject.org (80.69.83.146) port 443 (#0) ... > * successfully set certificate verify locations: > * CAfile: /etc/ssl/certs/ca-certificates.crt > * CApath: none I suspect this last line to be the root cause of the problem. There is no CApath and therefore no root anchoring certificates trusted. Without that I don't see how any certificates can be trusted. I do the same test here and see this. $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null ... * Connected to translationproject.org (80.69.83.146) port 443 (#0) ... * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs Note the inclusion of the trusted root path. * Server certificate: * subject: CN=stats.vrijschrift.org * start date: Mar 1 10:34:36 2021 GMT * expire date: May 30 10:34:36 2021 GMT * subjectAltName: host "translationproject.org" matched cert's * "translationproject.org" * issuer: C=US; O=Let's Encrypt; CN=R3 * SSL certificate verify ok. Note that the certificate validates as okay. Also if I simply ask openssl to validate: $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts /dev/null ... Verify return code: 0 (ok) If I download all of the certificates and validate using certtool, since you mentioned certtool I will use your example: $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts /dev/null | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/translationproject.org.certs $ certtool --verbose --verify-profile=high --verify --infile=/tmp/translationproject.org.certs Loaded system trust (127 CAs available) Subject: CN=R3,O=Let's Encrypt,C=US Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co. Signature algorithm: RSA-SHA256 Output: Verified. The certificate is trusted. Subject: CN=stats.vrijschrift.org Issuer: CN=R3,O=Let's Encrypt,C=US Checked against: CN=R3,O=Let's Encrypt,C=US Signature algorithm: RSA-SHA256 Output: Verified. The certificate is trusted. Chain verification output: Verified. The certificate is trusted. Then it again validates okay. I note that the certificate is current as of now and just recently renewed. It's fresh. $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts /dev/null | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p;/^-----END CERTIFICATE-----/q' | openssl x509 -noout -dates notBefore=Mar 1 10:34:36 2021 GMT notAfter=May 30 10:34:36 2021 GMT Therefore I think everything is okay as far as I can tell from the above. Perhaps something about the site has changed to resolve a problem since then? Perhaps an intermediate certificate was added? Bob From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Resent-From: Grigoriy Sokolik Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Tue, 09 Mar 2021 09:29:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Bob Proulx Cc: 45358@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161528211710458 (code B ref 45358); Tue, 09 Mar 2021 09:29:02 +0000 Received: (at 45358) by debbugs.gnu.org; 9 Mar 2021 09:28:37 +0000 Received: from localhost ([127.0.0.1]:45625 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJYfM-0002ib-R1 for submit@debbugs.gnu.org; Tue, 09 Mar 2021 04:28:37 -0500 Received: from mail-yb1-f182.google.com ([209.85.219.182]:35238) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJYfK-0002iL-T8; Tue, 09 Mar 2021 04:28:35 -0500 Received: by mail-yb1-f182.google.com with SMTP id p186so13282908ybg.2; Tue, 09 Mar 2021 01:28:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=g-sokol-info.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ew6zUnIgp5ECHQwgvhz6Z8y81Q5E7WtyHVRfl8i0b/Q=; b=R7l+CIsPeuiVg8tE4kB9sV/C9S2HmQdQWlRCiV7PTEC9l5LdfViHUWGq7cEBdm0l7e 5KgN6PjCfJGEEch4lZ5dDZ3MPZwIdh7p5jOr+i6uWIOA1pYNqywlodHhTwypwaSlJ5Fu gAhTHOhRqT/M4+0B0rq8zclQhdbMV4FqM+shX+9+FaK8UZlamsnC7FSjw+b74XmjCtWJ oseAwVRVi/Sep3NvQtdVhhKpSiBBKHk6HluTN5zlNy/Hl6GEWlla3Z1cAPWLkS4etj13 W7jul53nfqYtjX8JxWFKGtlMB0/YBhoEgfDyejl11KsInemIahbxSGsJARxZuVHVG4LQ 1BDw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ew6zUnIgp5ECHQwgvhz6Z8y81Q5E7WtyHVRfl8i0b/Q=; b=BQnx6ecA6+E2EJTGUB8QYZvWTjvV0kp4L7FRU6bUyWEsGwwB2zjziJCvvLUxHiKru0 eyTBJtTzzHyf8cDfVNnFTMJjduWUY305HUoXJK+iABXkJ1c4+U7mCR0QWvntGuWwIPoU az28hrC/6A86T3Rt7n2eL7+IgMNoqT7wJLGLBaZVgFKrstOmnpA4nWeV6j7x0y5iekYj FD3Bv5orrZKO3X1tDiSN+wZMKeyfsJVS34V5MlgBPZxk4moBssjhBamo8vhk0iUe/PlM czHR4qa8Z3pWHGwt+bTPt7fe/BR56krtTigBW4kkBmV/yUtgxLF4qtTz7bTMlDDbEhx3 /vvw== X-Gm-Message-State: AOAM5335BkDVLWpIj4FtLQ+PxWqRgF0AwHgjVya3tofUb95dnKnHDPxj or0k0FcOwx/dZ+Q+ch+lYzyDRIj5iYdAOKrBnXWp/+0S6i1ASQ== X-Google-Smtp-Source: ABdhPJxDxaFSrCxD+cGL3ODZQHmUCKTzDJIdsXrm/Ibq4Zba/AwtNm50SF5KuSD18bFvkgPcRJQUHTr7OyydUJysX+I= X-Received: by 2002:a25:a044:: with SMTP id x62mr37792317ybh.153.1615282109010; Tue, 09 Mar 2021 01:28:29 -0800 (PST) MIME-Version: 1.0 References: <20210308222541460482867@bob.proulx.com> In-Reply-To: <20210308222541460482867@bob.proulx.com> From: Grigoriy Sokolik Date: Tue, 9 Mar 2021 11:28:18 +0200 Message-ID: Content-Type: multipart/alternative; boundary="00000000000051d7ef05bd172c91" X-Spam-Score: 0.8 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.2 (/) --00000000000051d7ef05bd172c91 Content-Type: text/plain; charset="UTF-8" I've rechecked: ``` $ gnutls-cli translationproject.org Processed 139 CA certificate(s). Resolving 'translationproject.org:443'... Connecting to '80.69.83.146:443'... - Certificate type: X.509 - Got a certificate list of 3 certificates. - Certificate[0] info: - subject `CN=stats.vrijschrift.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x043ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-03-01 10:34:36 UTC', expires `2021-05-30 10:34:36 UTC', pin-sha256="rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA=" Public Key ID: sha1:351b768332605268f158f75cc602b700c8950d71 sha256:aec69b280aa2ea099bc1f926d8a8faf64324f6f71e335a4eac8b12589dbd6b10 Public Key PIN: pin-sha256:rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA= - Certificate[1] info: - subject `CN=stats.vrijschrift.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x043ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-03-01 10:34:36 UTC', expires `2021-05-30 10:34:36 UTC', pin-sha256="rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA=" - Certificate[2] info: - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16cddf, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires `2021-09-29 19:21:40 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=" - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. ``` ``` $ openssl s_client -connect translationproject.org:443 -CApath /etc/ssl/certs -showcerts /dev/null | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/translationproject.org.certs $ certtool --verbose --verify-profile=high --verify --infile=/tmp/translationproject.org.certs Loaded system trust (139 CAs available) Subject: CN=stats.vrijschrift.org Issuer: CN=R3,O=Let's Encrypt,C=US Signature algorithm: RSA-SHA256 Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. Subject: CN=stats.vrijschrift.org Issuer: CN=R3,O=Let's Encrypt,C=US Signature algorithm: RSA-SHA256 Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. Subject: CN=stats.vrijschrift.org Issuer: CN=R3,O=Let's Encrypt,C=US Signature algorithm: RSA-SHA256 Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. Chain verification output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. ``` Thanks! Best regards, Grigorii On Tue, 9 Mar 2021 at 07:55, Bob Proulx wrote: > Is this problem still a problem? Perhaps it has been fixed in the > time this has been under discussion? Because it looks okay to me. > > Grigoriy Sokolik wrote: > > $ curl -v https://translationproject.org/latest/coreutils/ -o > /dev/null > ... > > * Connected to translationproject.org (80.69.83.146) port 443 (#0) > ... > > * successfully set certificate verify locations: > > * CAfile: /etc/ssl/certs/ca-certificates.crt > > * CApath: none > > I suspect this last line to be the root cause of the problem. There > is no CApath and therefore no root anchoring certificates trusted. > Without that I don't see how any certificates can be trusted. > > I do the same test here and see this. > > $ curl -v https://translationproject.org/latest/coreutils/ -o > /dev/null > ... > * Connected to translationproject.org (80.69.83.146) port 443 (#0) > ... > * successfully set certificate verify locations: > * CAfile: /etc/ssl/certs/ca-certificates.crt > * CApath: /etc/ssl/certs > > Note the inclusion of the trusted root path. > > * Server certificate: > * subject: CN=stats.vrijschrift.org > * start date: Mar 1 10:34:36 2021 GMT > * expire date: May 30 10:34:36 2021 GMT > * subjectAltName: host "translationproject.org" matched cert's > * "translationproject.org" > * issuer: C=US; O=Let's Encrypt; CN=R3 > * SSL certificate verify ok. > > Note that the certificate validates as okay. > > Also if I simply ask openssl to validate: > > $ openssl s_client -connect translationproject.org:443 -CApath > /etc/ssl/certs -showcerts /dev/null > ... > Verify return code: 0 (ok) > > If I download all of the certificates and validate using certtool, > since you mentioned certtool I will use your example: > > $ openssl s_client -connect translationproject.org:443 -CApath > /etc/ssl/certs -showcerts /dev/null | sed -n '/^-----BEGIN > CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/ > translationproject.org.certs > $ certtool --verbose --verify-profile=high --verify > --infile=/tmp/translationproject.org.certs > Loaded system trust (127 CAs available) > Subject: CN=R3,O=Let's Encrypt,C=US > Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co. > Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co. > Signature algorithm: RSA-SHA256 > Output: Verified. The certificate is trusted. > > Subject: CN=stats.vrijschrift.org > Issuer: CN=R3,O=Let's Encrypt,C=US > Checked against: CN=R3,O=Let's Encrypt,C=US > Signature algorithm: RSA-SHA256 > Output: Verified. The certificate is trusted. > > Chain verification output: Verified. The certificate is trusted. > > Then it again validates okay. > > I note that the certificate is current as of now and just recently > renewed. It's fresh. > > $ openssl s_client -connect translationproject.org:443 -CApath > /etc/ssl/certs -showcerts /dev/null | sed -n '/^-----BEGIN > CERTIFICATE-----/,/^-----END CERTIFICATE-----/p;/^-----END > CERTIFICATE-----/q' | openssl x509 -noout -dates > notBefore=Mar 1 10:34:36 2021 GMT > notAfter=May 30 10:34:36 2021 GMT > > Therefore I think everything is okay as far as I can tell from the > above. Perhaps something about the site has changed to resolve a > problem since then? Perhaps an intermediate certificate was added? > > Bob > --00000000000051d7ef05bd172c91 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I've rechecked:

```
=C2= =A0 =C2=A0 $ gnutls-cli translati= onproject.org =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
=C2=A0 =C2=A0 Processed= 139 CA certificate(s).
=C2=A0 =C2=A0 Resolving 'translationproject.= org:443'...
=C2=A0 =C2=A0 Connecting to '80.69.83.146:443'..= .
=C2=A0 =C2=A0 - Certificate type: X.509
=C2=A0 =C2=A0 - Got a certi= ficate list of 3 certificates.
=C2=A0 =C2=A0 - Certificate[0] info:
= =C2=A0 =C2=A0 - subject `CN=3Dstat= s.vrijschrift.org', issuer `CN=3DR3,O=3DLet's Encrypt,C=3DUS= 9;, serial 0x043ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096 bits, signe= d using RSA-SHA256, activated `2021-03-01 10:34:36 UTC', expires `2021-= 05-30 10:34:36 UTC', pin-sha256=3D"rsabKAqi6gmbwfkm2Kj69kMk9vceM1p= OrIsSWJ29axA=3D"
=C2=A0 =C2=A0 Public Key ID:
=C2=A0 =C2=A0 sha1= :351b768332605268f158f75cc602b700c8950d71
=C2=A0 =C2=A0 sha256:aec69b280= aa2ea099bc1f926d8a8faf64324f6f71e335a4eac8b12589dbd6b10
=C2=A0 =C2=A0 Pu= blic Key PIN:
=C2=A0 =C2=A0 pin-sha256:rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOr= IsSWJ29axA=3D

=C2=A0 =C2=A0 - Certificate[1] info:
=C2=A0 =C2=A0 = - subject `CN=3Dstats.vrijschrift.= org', issuer `CN=3DR3,O=3DLet's Encrypt,C=3DUS', serial 0x0= 43ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096 bits, signed using RSA-SH= A256, activated `2021-03-01 10:34:36 UTC', expires `2021-05-30 10:34:36= UTC', pin-sha256=3D"rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA= =3D"
=C2=A0 =C2=A0 - Certificate[2] info:
=C2=A0 =C2=A0 - subjec= t `CN=3DR3,O=3DLet's Encrypt,C=3DUS', issuer `CN=3DDST Root CA X3,O= =3DDigital Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16c= ddf, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-10-07 19:2= 1:40 UTC', expires `2021-09-29 19:21:40 UTC', pin-sha256=3D"jQ= JTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=3D"
=C2=A0 =C2=A0 - Statu= s: The certificate is NOT trusted. The certificate issuer is unknown.
= =C2=A0 =C2=A0 *** PKI verification of server certificate failed...
=C2= =A0 =C2=A0 *** Fatal error: Error in the certificate.
```

=
```
=C2=A0 =C2=A0 $ openssl s_client -connect translationproject.org:443 -CApath /etc/= ssl/certs -showcerts </dev/null 2>/dev/null =C2=A0| sed -n '/^---= --BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/tran= slationproject.org.certs
=C2=A0 =C2=A0 $ certtool --verbose --verify-pr= ofile=3Dhigh --verify --infile=3D/tmp/translationproject.org.certs
=C2= =A0 =C2=A0 Loaded system trust (139 CAs available)
=C2=A0 =C2=A0 Subject= : CN=3Dstats.vrijschrift.org=C2=A0 =C2=A0 Issuer: CN=3DR3,O=3DLet's Encrypt,C=3DUS
=C2=A0 =C2= =A0 Signature algorithm: RSA-SHA256
=C2=A0 =C2=A0 Output: Not verified. = The certificate is NOT trusted. The certificate issuer is unknown.
=C2= =A0 =C2=A0=C2=A0
=C2=A0 =C2=A0 Subject: CN=3Dstats.vrijschrift.org
=C2=A0 =C2=A0 Issuer: CN=3DR3,O= =3DLet's Encrypt,C=3DUS
=C2=A0 =C2=A0 Signature algorithm: RSA-SHA25= 6
=C2=A0 =C2=A0 Output: Not verified. The certificate is NOT trusted. Th= e certificate issuer is unknown.

=C2=A0 =C2=A0 Subject: CN=3Dstats.vrijschrift.org
=C2=A0 =C2= =A0 Issuer: CN=3DR3,O=3DLet's Encrypt,C=3DUS
=C2=A0 =C2=A0 Signature= algorithm: RSA-SHA256
=C2=A0 =C2=A0 Output: Not verified. The certifica= te is NOT trusted. The certificate issuer is unknown.

=C2=A0 =C2=A0= Chain verification output: Not verified. The certificate is NOT trusted. T= he certificate issuer is unknown.

```=

Thanks!
Best regards,
Grigorii


On Tue, 9 Mar 2021 at 07:55, Bob Proulx = <bob@proulx.com> wrote:
Is this problem still a= problem?=C2=A0 Perhaps it has been fixed in the
time this has been under discussion?=C2=A0 Because it looks okay to me.

Grigoriy Sokolik wrote:
>=C2=A0 =C2=A0 $ curl -v https://translationproje= ct.org/latest/coreutils/ -o /dev/null
...
>=C2=A0 =C2=A0 * Connected to translationproject.org (80.69.83.1= 46) port 443 (#0)
...
>=C2=A0 =C2=A0 * successfully set certificate verify locations:
>=C2=A0 =C2=A0 *=C2=A0 CAfile: /etc/ssl/certs/ca-certificates.crt
>=C2=A0 =C2=A0 *=C2=A0 CApath: none

I suspect this last line to be the root cause of the problem.=C2=A0 There is no CApath and therefore no root anchoring certificates trusted.
Without that I don't see how any certificates can be trusted.

I do the same test here and see this.

=C2=A0 =C2=A0 $ curl -v https://translationproject.o= rg/latest/coreutils/ -o /dev/null
=C2=A0 =C2=A0 ...
=C2=A0 =C2=A0 * Connected to translationproject.org (80.69.83.146)= port 443 (#0)
=C2=A0 =C2=A0 ...
=C2=A0 =C2=A0 * successfully set certificate verify locations:
=C2=A0 =C2=A0 *=C2=A0 CAfile: /etc/ssl/certs/ca-certificates.crt
=C2=A0 =C2=A0 *=C2=A0 CApath: /etc/ssl/certs

Note the inclusion of the trusted root path.

=C2=A0 =C2=A0 * Server certificate:
=C2=A0 =C2=A0 *=C2=A0 subject: CN=3Dstats.vrijschrift.org
=C2=A0 =C2=A0 *=C2=A0 start date: Mar=C2=A0 1 10:34:36 2021 GMT
=C2=A0 =C2=A0 *=C2=A0 expire date: May 30 10:34:36 2021 GMT
=C2=A0 =C2=A0 *=C2=A0 subjectAltName: host "translationproject.org= " matched cert's
=C2=A0 =C2=A0 *=C2=A0 "translationproject.org"
=C2=A0 =C2=A0 *=C2=A0 issuer: C=3DUS; O=3DLet's Encrypt; CN=3DR3
=C2=A0 =C2=A0 *=C2=A0 SSL certificate verify ok.

Note that the certificate validates as okay.

Also if I simply ask openssl to validate:

=C2=A0 =C2=A0 $ openssl s_client -connect translationproject.org:44= 3 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null
=C2=A0 =C2=A0 ...
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Verify return code: 0 (ok)

If I download all of the certificates and validate using certtool,
since you mentioned certtool I will use your example:

=C2=A0 =C2=A0 $ openssl s_client -connect translationproject.org:44= 3 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null=C2=A0 = | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p&= #39; > /tmp/= translationproject.org.certs
=C2=A0 =C2=A0 $ certtool --verbose --verify-profile=3Dhigh --verify --infil= e=3D/tmp/translationproject.org.certs
=C2=A0 =C2=A0 Loaded system trust (127 CAs available)
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Subject: CN=3DR3,O=3DLet's Encrypt,C=3DUS =C2=A0 =C2=A0 =C2=A0 =C2=A0 Issuer: CN=3DDST Root CA X3,O=3DDigital Signatu= re Trust Co.
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Checked against: CN=3DDST Root CA X3,O=3DDigita= l Signature Trust Co.
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Signature algorithm: RSA-SHA256
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Output: Verified. The certificate is trusted. <= br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Subject: CN=3Dstats.vrijschrift.org
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Issuer: CN=3DR3,O=3DLet's Encrypt,C=3DUS =C2=A0 =C2=A0 =C2=A0 =C2=A0 Checked against: CN=3DR3,O=3DLet's Encrypt,= C=3DUS
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Signature algorithm: RSA-SHA256
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Output: Verified. The certificate is trusted. <= br>
=C2=A0 =C2=A0 Chain verification output: Verified. The certificate is trust= ed.

Then it again validates okay.

I note that the certificate is current as of now and just recently
renewed.=C2=A0 It's fresh.

=C2=A0 =C2=A0 $ openssl s_client -connect translationproject.org:44= 3 -CApath /etc/ssl/certs -showcerts </dev/null 2>/dev/null | sed = -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p;/^----= -END CERTIFICATE-----/q' | openssl x509 -noout -dates
=C2=A0 =C2=A0 notBefore=3DMar=C2=A0 1 10:34:36 2021 GMT
=C2=A0 =C2=A0 notAfter=3DMay 30 10:34:36 2021 GMT

Therefore I think everything is okay as far as I can tell from the
above.=C2=A0 Perhaps something about the site has changed to resolve a
problem since then?=C2=A0 Perhaps an intermediate certificate was added?
Bob
--00000000000051d7ef05bd172c91-- From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Resent-From: Erik Auerswald Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Tue, 09 Mar 2021 10:37:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Grigoriy Sokolik Cc: 45358@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org, Bob Proulx Received: via spool by 45358-submit@debbugs.gnu.org id=B45358.161528616416788 (code B ref 45358); Tue, 09 Mar 2021 10:37:01 +0000 Received: (at 45358) by debbugs.gnu.org; 9 Mar 2021 10:36:04 +0000 Received: from localhost ([127.0.0.1]:45711 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJZie-0004Mc-EF for submit@debbugs.gnu.org; Tue, 09 Mar 2021 05:36:04 -0500 Received: from mailgw1.uni-kl.de ([131.246.120.220]:55860) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJZib-0004M7-Ea; Tue, 09 Mar 2021 05:36:02 -0500 Received: from sushi.unix-ag.uni-kl.de (sushi.unix-ag.uni-kl.de [IPv6:2001:638:208:ef34:0:ff:fe00:65]) by mailgw1.uni-kl.de (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id 129AZxBv080092 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 9 Mar 2021 11:35:59 +0100 Received: from sushi.unix-ag.uni-kl.de (ip6-localhost [IPv6:::1]) by sushi.unix-ag.uni-kl.de (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id 129AZxpM001640 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 9 Mar 2021 11:35:59 +0100 Received: (from auerswal@localhost) by sushi.unix-ag.uni-kl.de (8.14.4/8.14.4/Submit) id 129AZwKw001637; Tue, 9 Mar 2021 11:35:58 +0100 Date: Tue, 9 Mar 2021 11:35:58 +0100 From: Erik Auerswald Message-ID: <20210309103558.GA26987@unix-ag.uni-kl.de> References: <20210308222541460482867@bob.proulx.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, hits=-0.999, tests=ALL_TRUSTED=-1,URIBL_BLOCKED=0.001 X-Spam-Score: (-0.999) X-Spam-Flag: NO X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi, On Tue, Mar 09, 2021 at 11:28:18AM +0200, Grigoriy Sokolik wrote: > I've rechecked: I cannot reproduce the problem, the certificate is trusted by my system: # via IPv4 $ gnutls-cli --verbose translationproject.org [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...] On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs: $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l lrwxrwxrwx 1 root root 53 Mai 28 2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject: Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. HTH, Erik -- [A]pplied cryptography mostly sucks. -- Green's law of applied cryptography From unknown Mon Aug 18 04:42:31 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: "j-james" Subject: bug#45358: closed (Re: bug#45358: bootstrap fails due to a certificate mismatch) Message-ID: References: <20210309112031844276337@bob.proulx.com> X-Gnu-PR-Message: they-closed 45358 X-Gnu-PR-Package: coreutils Reply-To: 45358@debbugs.gnu.org Date: Tue, 09 Mar 2021 18:31:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1615314662-31696-1" This is a multi-part message in MIME format... ------------=_1615314662-31696-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #45358: bootstrap fails due to a certificate mismatch which was filed against the coreutils package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 45358@debbugs.gnu.org. --=20 45358: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D45358 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1615314662-31696-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 45358-done) by debbugs.gnu.org; 9 Mar 2021 18:30:11 +0000 Received: from localhost ([127.0.0.1]:47909 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJh7S-0008Dj-W0 for submit@debbugs.gnu.org; Tue, 09 Mar 2021 13:30:11 -0500 Received: from havoc.proulx.com ([96.88.95.61]:40726) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJh7Q-0008CO-Md; Tue, 09 Mar 2021 13:30:09 -0500 Received: from joseki.proulx.com (localhost [127.0.0.1]) by havoc.proulx.com (Postfix) with ESMTP id 7220F498; Tue, 9 Mar 2021 11:30:02 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proulx.com; s=dkim2048; t=1615314602; bh=IdvFBZ1gDnW/x6sst/BIXBto+AkERu0VTcQKQa+lf4s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=DpMOmGVAGYHXamsCvnM8net7KbBO6n5jBC0ma1XlYTahMPnvzlxB6oJQY5KGCYT07 RiByJS5bUoVGjzRdiQbY50ysJVapEh24RamO7LP3g5qa1HCdUBOZAJUWQ83a+apEXn Cbx2bLKCzUE/wOPhRhWnQG7z8w3amqne+veg2+Yfqx3oY6nWT6NM41LN0vosv4FzUx q2tybut53+LmMmFnQMdfQAOqfTMNA3OFTL1Ib/hf1lDf3IArdMufBr/9+/YyFnMS3s oJ9NLbs6L7fz8vTfjShTb1Ygm9pJiM0p/J6AgwKQN9L2l0loBtmi68Kac0vqvCRLrG BOQCVIZQqX1qA== Received: from hysteria.proulx.com (hysteria.proulx.com [192.168.230.119]) by joseki.proulx.com (Postfix) with ESMTP id 34EAC21144; Tue, 9 Mar 2021 11:30:02 -0700 (MST) Received: by hysteria.proulx.com (Postfix, from userid 1000) id 2B0DC2DC9F; Tue, 9 Mar 2021 11:30:02 -0700 (MST) Date: Tue, 9 Mar 2021 11:30:02 -0700 From: Bob Proulx To: Erik Auerswald Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch Message-ID: <20210309112031844276337@bob.proulx.com> References: <20210308222541460482867@bob.proulx.com> <20210309103558.GA26987@unix-ag.uni-kl.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210309103558.GA26987@unix-ag.uni-kl.de> X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 45358-done Cc: 45358-done@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org, Grigoriy Sokolik X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Erik Auerswald wrote: > Grigoriy Sokolik wrote: > > I've rechecked: > > I cannot reproduce the problem, the certificate is trusted by my system: > > # via IPv4 > $ gnutls-cli --verbose translationproject.org Connecting to '80.69.83.146:443'... > - Status: The certificate is trusted. > # via IPv6 > $ gnutls-cli --verbose translationproject.org Connecting to '2a01:7c8:c037:6::20:443'... > - Status: The certificate is trusted. I have the same results here. Everything looks okay in the inspection of it. > It seems to me as if your system does not trust the used root CA. > > > [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...] > > On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs: > > $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l > lrwxrwxrwx 1 root root 53 Mai 28 2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt > $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject: > Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. Again same here on my Debian system. The root certificate store for the trust anchor is in the ca-certificates package. Looking at my oldest system I see this is distributed as package version 20200601~deb9u1 and includes the above file. $ apt-cache policy ca-certificates ca-certificates: Installed: 20200601~deb9u1 Candidate: 20200601~deb9u1 Version table: *** 20200601~deb9u1 500 500 http://ftp.us.debian.org/debian stretch/main amd64 Packages 500 http://ftp.us.debian.org/debian stretch-updates/main amd64 Packages 100 /var/lib/dpkg/status Verifying that the equivalent of ca-certificates is installed on your system should provide for it. As this seems not to be a bug in Coreutils I am marking the bug as closed with this mail. However more discussion is always welcome. Bob ------------=_1615314662-31696-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 22 Dec 2020 02:01:49 +0000 Received: from localhost ([127.0.0.1]:48620 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krWzk-0003er-Ax for submit@debbugs.gnu.org; Mon, 21 Dec 2020 21:01:49 -0500 Received: from lists.gnu.org ([209.51.188.17]:58520) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1krWck-00036l-6K for submit@debbugs.gnu.org; Mon, 21 Dec 2020 20:38:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:55162) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1krWcj-0004ci-Ou for bug-coreutils@gnu.org; Mon, 21 Dec 2020 20:38:02 -0500 Received: from mail-pg1-x52e.google.com ([2607:f8b0:4864:20::52e]:33192) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1krWcf-00062E-Qe for bug-coreutils@gnu.org; Mon, 21 Dec 2020 20:37:59 -0500 Received: by mail-pg1-x52e.google.com with SMTP id n25so1878085pgb.0 for ; Mon, 21 Dec 2020 17:37:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=j-james-me.20150623.gappssmtp.com; s=20150623; h=mime-version:content-transfer-encoding:subject:from:to:date :message-id; bh=JOm+IL4v+D9B3F3J8t0jI7FtxJMX+sjOrM+1Xz1hbjo=; b=KSsBoSxpsE4ag/dxu7v39pCoblBcY2LJF0m1G+1zgITlAScSVIGfH/qAcVpvIfc2n7 xfQ0ZRAZBMqnVf9wa8kn4O7omMck/WunO9Fy/EzWGJGhnIS0FKM5U1QV9zfSowhEAiS5 3SvkVOERKPRRwTmrS3v4Y9gaG1cAmWLtukn0UbEzLIx81fSfEcQ+5QfWFWKW64gYK2DI Iwgb3PyQGuA+rRMElyQ98rdshGe+PN1x1qKN1VSz3d3LENrdrE+7rWPBU6Mp974QWpko 5It9owK4wZdWSc2bmaqrLg3i7p7NlqG6odDUrYE0OWfeLUbTWZgU2WZK5wOKzCYNCgKZ 9EeQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:content-transfer-encoding:subject :from:to:date:message-id; bh=JOm+IL4v+D9B3F3J8t0jI7FtxJMX+sjOrM+1Xz1hbjo=; b=MtauxmcgWQHRE2DplubgzMZcI9bQAXHQ0LIQT5PYXhei9asc9RIuHmzsI3ZnYwO8jW nbAIAGehM198A2UjMzKx2t2h1Yoisx49UnnU5xw5bh2DIwGxxAhHVSszARgxPbhFU+Ka 8U1ZpsA/vBDkIWEZg9QyrDA9RDMM77lo5RMllDA5f7gejfz53aU5LAaaYtoUo6A5UfSb 2DdrGDh19xRgbGdV/+w1W7ptRiqFGdkGcqcMHYm/Qf0z05F1FxUXNn/pcWcr4s5aFgNq DfBLTvUgLfVubMoa6E3nuOHTZi9sD5SXrwKkY9Jjxay6gvy9tINd3Knq1ao2zvqevZdk YMhA== X-Gm-Message-State: AOAM5327H85JrdP79P9VCwj/EENrfikFs13kwfzjIW+zcyxAV9vkpEHn 9Xs2jFqV0xKCQ8Zv12gT+U66XuA3Y6XV04HL X-Google-Smtp-Source: ABdhPJyGbDKTWbsWlOcLAcvArvYnFZ1kq+ZD0pHfweXlNGIx3BpKX7cAMnyZZSWy3JIguLCS5i2r0w== X-Received: by 2002:a63:74b:: with SMTP id 72mr17657173pgh.4.1608601073657; Mon, 21 Dec 2020 17:37:53 -0800 (PST) Received: from localhost (71-212-96-141.tukw.qwest.net. [71.212.96.141]) by smtp.gmail.com with ESMTPSA id z10sm18287163pfr.204.2020.12.21.17.37.52 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 21 Dec 2020 17:37:53 -0800 (PST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Subject: bootstrap fails due to a certificate mismatch From: "j-james" To: Date: Mon, 21 Dec 2020 17:29:35 -0800 Message-Id: Received-SPF: pass client-ip=2607:f8b0:4864:20::52e; envelope-from=jj@j-james.me; helo=mail-pg1-x52e.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Mon, 21 Dec 2020 21:01:46 -0500 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) When running ./bootstrap in a freshly-cloned repository, it seems to either= =20 not find some files it wants to or doesn't trust https://translationproject= .org. Connecting to https://translationproject.org in a (non-wget) web browser wo= rks fine. The following is the output of ./bootstrap. ``` ./bootstrap: Bootstrapping from checked-out coreutils sources... ./bootstrap: consider installing git-merge-changelog from gnulib ./bootstrap: getting gnulib files... Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'g= nulib' Cloning into '/home/teal/Projects/coreutils/gnulib'... Submodule path 'gnulib': checked out '8183682cc4436bee18007d61bc79938eaf786= 19a' ./bootstrap: getting translations into po/.reference for coreutils... Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' ERROR: The certificate of 'translationproject.org' is not trusted. ERROR: The certificate of 'translationproject.org' doesn't have a known iss= uer. ``` Do let me know if you need more information, or if this is a duplicate repo= rt. -- j-james ------------=_1615314662-31696-1-- From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Reply-To: Bob Proulx , 45358-quiet@debbugs.gnu.org Mail-Followup-To: Bob Proulx , 45358-quiet@debbugs.gnu.org Original-Sender: "Debbugs-submit" Resent-To: "j-james" Resent-Date: Tue, 09 Mar 2021 18:31:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Erik Auerswald Cc: 45358-done@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org, Grigoriy Sokolik Received: via spool by 45358-submitter@debbugs.gnu.org id=U45358.161531461131615 (code U ref 45358); Tue, 09 Mar 2021 18:31:02 +0000 Received: (at 45358-submitter) by debbugs.gnu.org; 9 Mar 2021 18:30:11 +0000 Received: from localhost ([127.0.0.1]:47911 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJh7T-0008Dl-9D for submit@debbugs.gnu.org; Tue, 09 Mar 2021 13:30:11 -0500 Received: from havoc.proulx.com ([96.88.95.61]:40726) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJh7Q-0008CO-Md; Tue, 09 Mar 2021 13:30:09 -0500 Received: from joseki.proulx.com (localhost [127.0.0.1]) by havoc.proulx.com (Postfix) with ESMTP id 7220F498; Tue, 9 Mar 2021 11:30:02 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proulx.com; s=dkim2048; t=1615314602; bh=IdvFBZ1gDnW/x6sst/BIXBto+AkERu0VTcQKQa+lf4s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=DpMOmGVAGYHXamsCvnM8net7KbBO6n5jBC0ma1XlYTahMPnvzlxB6oJQY5KGCYT07 RiByJS5bUoVGjzRdiQbY50ysJVapEh24RamO7LP3g5qa1HCdUBOZAJUWQ83a+apEXn Cbx2bLKCzUE/wOPhRhWnQG7z8w3amqne+veg2+Yfqx3oY6nWT6NM41LN0vosv4FzUx q2tybut53+LmMmFnQMdfQAOqfTMNA3OFTL1Ib/hf1lDf3IArdMufBr/9+/YyFnMS3s oJ9NLbs6L7fz8vTfjShTb1Ygm9pJiM0p/J6AgwKQN9L2l0loBtmi68Kac0vqvCRLrG BOQCVIZQqX1qA== Received: from hysteria.proulx.com (hysteria.proulx.com [192.168.230.119]) by joseki.proulx.com (Postfix) with ESMTP id 34EAC21144; Tue, 9 Mar 2021 11:30:02 -0700 (MST) Received: by hysteria.proulx.com (Postfix, from userid 1000) id 2B0DC2DC9F; Tue, 9 Mar 2021 11:30:02 -0700 (MST) Date: Tue, 9 Mar 2021 11:30:02 -0700 From: Bob Proulx Message-ID: <20210309112031844276337@bob.proulx.com> References: <20210308222541460482867@bob.proulx.com> <20210309103558.GA26987@unix-ag.uni-kl.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210309103558.GA26987@unix-ag.uni-kl.de> X-Spam-Score: 0.0 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Erik Auerswald wrote: > Grigoriy Sokolik wrote: > > I've rechecked: > > I cannot reproduce the problem, the certificate is trusted by my system: > > # via IPv4 > $ gnutls-cli --verbose translationproject.org Connecting to '80.69.83.146:443'... > - Status: The certificate is trusted. > # via IPv6 > $ gnutls-cli --verbose translationproject.org Connecting to '2a01:7c8:c037:6::20:443'... > - Status: The certificate is trusted. I have the same results here. Everything looks okay in the inspection of it. > It seems to me as if your system does not trust the used root CA. > > > [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...] > > On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs: > > $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l > lrwxrwxrwx 1 root root 53 Mai 28 2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt > $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject: > Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. Again same here on my Debian system. The root certificate store for the trust anchor is in the ca-certificates package. Looking at my oldest system I see this is distributed as package version 20200601~deb9u1 and includes the above file. $ apt-cache policy ca-certificates ca-certificates: Installed: 20200601~deb9u1 Candidate: 20200601~deb9u1 Version table: *** 20200601~deb9u1 500 500 http://ftp.us.debian.org/debian stretch/main amd64 Packages 500 http://ftp.us.debian.org/debian stretch-updates/main amd64 Packages 100 /var/lib/dpkg/status Verifying that the equivalent of ca-certificates is installed on your system should provide for it. As this seems not to be a bug in Coreutils I am marking the bug as closed with this mail. However more discussion is always welcome. Bob From unknown Mon Aug 18 04:42:31 2025 X-Loop: help-debbugs@gnu.org Subject: bug#45358: bootstrap fails due to a certificate mismatch Resent-From: Grigoriy Sokolik Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Wed, 10 Mar 2021 14:11:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 45358 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: Bob Proulx Cc: Erik Auerswald , 45358-done@debbugs.gnu.org, 45358-submitter@debbugs.gnu.org Received: via spool by 45358-done@debbugs.gnu.org id=D45358.161538545223115 (code D ref 45358); Wed, 10 Mar 2021 14:11:02 +0000 Received: (at 45358-done) by debbugs.gnu.org; 10 Mar 2021 14:10:52 +0000 Received: from localhost ([127.0.0.1]:49289 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJzY3-00060k-Hf for submit@debbugs.gnu.org; Wed, 10 Mar 2021 09:10:51 -0500 Received: from mail-yb1-f182.google.com ([209.85.219.182]:36109) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lJzY1-00060T-RH; Wed, 10 Mar 2021 09:10:50 -0500 Received: by mail-yb1-f182.google.com with SMTP id b10so17990928ybn.3; Wed, 10 Mar 2021 06:10:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=g-sokol-info.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rChVLi46Z/ywdCH6G1ryYYXkqzsu8Cp4o6YhC6xQDVU=; b=frOFME5G7AISLbi3/PJ1ysflu60VJ7kmSZ6FnaaQFfVtfqygtvUmk4S5b7OMZLlpdW NwPByw5Cx2GCsFny/iNggnka94vwL0Ip5eFeJqccbpS6s3SGRVD/6vEpv1b0vQLUm6FJ xcDJsNcxppsFRqZQIiJZUYyeXz76KFF+hI1Adlq8uf2Z+7gNi6azyur+BfbuwJYIX8wE NwtA5ZNbQeuP8VIDIyGFsAhV+PRPczxXMsG232xX3TzMfxSd+FLDUEGKIWorlggvsIrP 7eqERe8LE9Gp/gbVey3ytUPoxeefGB8P9Dnes2a0634NQr/PcDvDHbMlgxcIMGSm9V+e aEQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rChVLi46Z/ywdCH6G1ryYYXkqzsu8Cp4o6YhC6xQDVU=; b=ahA5c64b0v+DathoqV83Y+SLkUso0FFLdYG5/T/4dSt7cYBiagyKKYPuL0VbT5DuPZ xAHCq2veJXVCl3CpML8MXbpRouQUFH1PzWhVrnFKlp+EYXkRDWWZO9NUOM6xbwdgwYvz FXGPEE+3H7JJCjGop4pP5rO7NWxB0li2wXI22BDICa3yP2gNDcsbJLCucGdMrwWaaEOk fsrZCcp09QJ2OIhubV6gWz8hLZeQig/I665pKXtixu5ZDpRXzFw7uSrd9eK1Y3bm0bi3 J4WRRO9FNjj/FFHfwMBsULfiiwHG89TO98VvrqcaC24jarjmZm/Inkm66a8If5BJAi35 svvg== X-Gm-Message-State: AOAM530dGvBa6PtRcaANLjILFK6p0K+60b/D6w3CYSo+fNM+AwOU08EH f9H0R5HhRAk/SUQ5qzvgyLhV1/02FZqMRUb4e7w= X-Google-Smtp-Source: ABdhPJxeQ8qQ0tN/+mtmafqs+8MFVM/lVuNbW1lp/GDvVyfaF5O6j/moIgIVhcmoEknp+mcV4eBwkIR/eDZ/15OqzCk= X-Received: by 2002:a25:a044:: with SMTP id x62mr4105056ybh.153.1615385444131; Wed, 10 Mar 2021 06:10:44 -0800 (PST) MIME-Version: 1.0 References: <20210308222541460482867@bob.proulx.com> <20210309103558.GA26987@unix-ag.uni-kl.de> <20210309112031844276337@bob.proulx.com> In-Reply-To: <20210309112031844276337@bob.proulx.com> From: Grigoriy Sokolik Date: Wed, 10 Mar 2021 16:10:33 +0200 Message-ID: Content-Type: multipart/alternative; boundary="00000000000092afa805bd2f3bd5" X-Spam-Score: 0.8 (/) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.2 (/) --00000000000092afa805bd2f3bd5 Content-Type: text/plain; charset="UTF-8" That's fixed for me now with the new version of GnuTLS 3.7.1 Thanks! Best regards, Grigorii On Tue, 9 Mar 2021 at 20:30, Bob Proulx wrote: > Erik Auerswald wrote: > > Grigoriy Sokolik wrote: > > > I've rechecked: > > > > I cannot reproduce the problem, the certificate is trusted by my system: > > > > # via IPv4 > > $ gnutls-cli --verbose translationproject.org 'Connecting|Status' > > Connecting to '80.69.83.146:443'... > > - Status: The certificate is trusted. > > # via IPv6 > > $ gnutls-cli --verbose translationproject.org 'Connecting|Status' > > Connecting to '2a01:7c8:c037:6::20:443'... > > - Status: The certificate is trusted. > > I have the same results here. Everything looks okay in the inspection > of it. > > > It seems to me as if your system does not trust the used root CA. > > > > > [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...] > > > > On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs: > > > > $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l > > lrwxrwxrwx 1 root root 53 Mai 28 2018 > /etc/ssl/certs/DST_Root_CA_X3.pem -> > /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt > > $ certtool --certificate-info < > /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject: > > Subject: CN=DST Root CA X3,O=Digital Signature Trust Co. > > Again same here on my Debian system. The root certificate store for > the trust anchor is in the ca-certificates package. > > Looking at my oldest system I see this is distributed as package > version 20200601~deb9u1 and includes the above file. > > $ apt-cache policy ca-certificates > ca-certificates: > Installed: 20200601~deb9u1 > Candidate: 20200601~deb9u1 > Version table: > *** 20200601~deb9u1 500 > 500 http://ftp.us.debian.org/debian stretch/main amd64 > Packages > 500 http://ftp.us.debian.org/debian stretch-updates/main > amd64 Packages > 100 /var/lib/dpkg/status > > Verifying that the equivalent of ca-certificates is installed on your > system should provide for it. > > As this seems not to be a bug in Coreutils I am marking the bug as > closed with this mail. However more discussion is always welcome. > > Bob > --00000000000092afa805bd2f3bd5 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
That's fixed for me now with the new version of GnuTLS= 3.7.1

Thanks!
Best= regards,
Grigorii

<= br>
On Tue,= 9 Mar 2021 at 20:30, Bob Proulx <bob@= proulx.com> wrote:
Erik Auerswald wrote:
> Grigoriy Sokolik wrote:
> > I've rechecked:
>
> I cannot reproduce the problem, the certificate is trusted by my syste= m:
>
>=C2=A0 =C2=A0 =C2=A0# via IPv4
>=C2=A0 =C2=A0 =C2=A0$ gnutls-cli --verbose translationproject.org </dev/null=C2=A0 | grep -E 'Connecting|Status'
>=C2=A0 =C2=A0 =C2=A0Connecting to '80.69.83.146:443'...
>=C2=A0 =C2=A0 =C2=A0- Status: The certificate is trusted.
>=C2=A0 =C2=A0 =C2=A0# via IPv6
>=C2=A0 =C2=A0 =C2=A0$ gnutls-cli --verbose translationproject.org </dev/null=C2=A0 | grep -E 'Connecting|Status'
>=C2=A0 =C2=A0 =C2=A0Connecting to '2a01:7c8:c037:6::20:443'...<= br> >=C2=A0 =C2=A0 =C2=A0- Status: The certificate is trusted.

I have the same results here.=C2=A0 Everything looks okay in the inspection=
of it.

> It seems to me as if your system does not trust the used root CA.
>
> >=C2=A0 =C2=A0 =C2=A0[...]issuer `CN=3DDST Root CA X3,O=3DDigital S= ignature Trust Co.'[...]
>
> On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs:<= br> >
>=C2=A0 =C2=A0 =C2=A0$ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l
>=C2=A0 =C2=A0 =C2=A0lrwxrwxrwx 1 root root 53 Mai 28=C2=A0 2018 /etc/ss= l/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Roo= t_CA_X3.crt
>=C2=A0 =C2=A0 =C2=A0$ certtool --certificate-info < /usr/share/ca-ce= rtificates/mozilla/DST_Root_CA_X3.crt | grep Subject:
>=C2=A0 =C2=A0 =C2=A0 =C2=A0Subject: CN=3DDST Root CA X3,O=3DDigital Sig= nature Trust Co.

Again same here on my Debian system.=C2=A0 The root certificate store for the trust anchor is in the ca-certificates package.

Looking at my oldest system I see this is distributed as package
version 20200601~deb9u1 and includes the above file.

=C2=A0 =C2=A0 $ apt-cache policy ca-certificates
=C2=A0 =C2=A0 ca-certificates:
=C2=A0 =C2=A0 =C2=A0 Installed: 20200601~deb9u1
=C2=A0 =C2=A0 =C2=A0 Candidate: 20200601~deb9u1
=C2=A0 =C2=A0 =C2=A0 Version table:
=C2=A0 =C2=A0 =C2=A0*** 20200601~deb9u1 500
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 500 http://ftp.us.debian.or= g/debian stretch/main amd64 Packages
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 500 http://ftp.us.debian.or= g/debian stretch-updates/main amd64 Packages
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 100 /var/lib/dpkg/status

Verifying that the equivalent of ca-certificates is installed on your
system should provide for it.

As this seems not to be a bug in Coreutils I am marking the bug as
closed with this mail.=C2=A0 However more discussion is always welcome.

Bob
--00000000000092afa805bd2f3bd5--