GNU bug report logs - #45358
bootstrap fails due to a certificate mismatch


Package: coreutils

Reported by: "j-james" <jj <at> j-james.me>

Date: Tue, 22 Dec 2020 02:02:01 UTC

Severity: normal

Done: Bob Proulx <bob <at> proulx.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Bob Proulx <bob <at> proulx.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#45358: closed (bootstrap fails due to a certificate mismatch)
Date: Tue, 09 Mar 2021 18:31:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Tue, 9 Mar 2021 11:30:02 -0700
with message-id <20210309112031844276337 <at> bob.proulx.com>
and subject line Re: bug#45358: bootstrap fails due to a certificate mismatch
has caused the debbugs.gnu.org bug report #45358,
regarding bootstrap fails due to a certificate mismatch
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
45358: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=45358
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: "j-james" <jj <at> j-james.me>
To: <bug-coreutils <at> gnu.org>
Subject: bootstrap fails due to a certificate mismatch
Date: Mon, 21 Dec 2020 17:29:35 -0800
When running ./bootstrap in a freshly-cloned repository, it seems to either 
not find some files it wants to or doesn't trust https://translationproject.org.

Connecting to https://translationproject.org in a (non-wget) web browser works fine.

The following is the output of ./bootstrap.
```
./bootstrap: Bootstrapping from checked-out coreutils sources...
./bootstrap: consider installing git-merge-changelog from gnulib
./bootstrap: getting gnulib files...
Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path 'gnulib'
Cloning into '/home/teal/Projects/coreutils/gnulib'...
Submodule path 'gnulib': checked out '8183682cc4436bee18007d61bc79938eaf78619a'
./bootstrap: getting translations into po/.reference for coreutils...
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
ERROR: The certificate of 'translationproject.org' is not trusted.
ERROR: The certificate of 'translationproject.org' doesn't have a known issuer.
```

Do let me know if you need more information, or if this is a duplicate report.

-- j-james


[Message part 3 (message/rfc822, inline)]
From: Bob Proulx <bob <at> proulx.com>
To: Erik Auerswald <auerswal <at> unix-ag.uni-kl.de>
Cc: 45358-done <at> debbugs.gnu.org, 45358-submitter <at> debbugs.gnu.org,
 Grigoriy Sokolik <g.sokol99 <at> g-sokol.info>
Subject: Re: bug#45358: bootstrap fails due to a certificate mismatch
Date: Tue, 9 Mar 2021 11:30:02 -0700
Erik Auerswald wrote:
> Grigoriy Sokolik wrote:
> > I've rechecked:
> 
> I cannot reproduce the problem, the certificate is trusted by my system:
> 
>     # via IPv4
>     $ gnutls-cli --verbose translationproject.org </dev/null  | grep -E 'Connecting|Status'
>     Connecting to '80.69.83.146:443'...
>     - Status: The certificate is trusted. 
>     # via IPv6
>     $ gnutls-cli --verbose translationproject.org </dev/null  | grep -E 'Connecting|Status'
>     Connecting to '2a01:7c8:c037:6::20:443'...
>     - Status: The certificate is trusted.

I have the same results here.  Everything looks okay in the inspection
of it.

> It seems to me as if your system does not trust the used root CA.
> 
> >     [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...]
> 
> On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs:
> 
>     $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l
>     lrwxrwxrwx 1 root root 53 Mai 28  2018 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
>     $ certtool --certificate-info < /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject:
>     	Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.

Again same here on my Debian system.  The root certificate store for
the trust anchor is in the ca-certificates package.

Looking at my oldest system I see this is distributed as package
version 20200601~deb9u1 and includes the above file.

    $ apt-cache policy ca-certificates
    ca-certificates:
      Installed: 20200601~deb9u1
      Candidate: 20200601~deb9u1
      Version table:
     *** 20200601~deb9u1 500
            500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
            500 http://ftp.us.debian.org/debian stretch-updates/main amd64 Packages
            100 /var/lib/dpkg/status

Verifying that the equivalent of ca-certificates is installed on your
system should provide for it.

As this seems not to be a bug in Coreutils I am marking the bug as
closed with this mail.  However more discussion is always welcome.

Bob
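
The trust-store check discussed in this thread, as an added example that is not part of the original messages: it lists the subjects in the PEM bundle that wget reported loading and tests whether a certificate chains to that bundle alone. The function names and the throwaway self-signed root (standing in for a root such as DST Root CA X3) are constructed for illustration; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: check a PEM CA bundle for a root and verify against it.

# Print one "subject=..." line per certificate found in bundle $1.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        grep '^subject'
}

# Succeed if some certificate in bundle $1 has the text $2 in its subject.
bundle_has_subject() {
    bundle_subjects "$1" | grep -qF -- "$2"
}

# Succeed if certificate $1 verifies using only bundle $2 as trust anchors.
# The system default store is excluded so the result reflects this bundle.
verifies_against() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" 2>/dev/null |
        grep -q ': OK$'
}

# Constructed sample input: write a throwaway self-signed root with
# common name $2 to file $1 (its private key goes to $1.key).
make_constructed_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# When called with BUNDLE and SUBJECT-TEXT, report whether the root is there.
if [ "$#" -eq 2 ]; then
    if bundle_has_subject "$1" "$2"; then
        echo "present: $2"
    else
        echo "MISSING from $1: $2"
    fi
fi
```

Run with the bundle path from the bootstrap output and the issuer name quoted in the thread, for example `/etc/ssl/certs/ca-certificates.crt` and `DST Root CA X3`.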


This bug report was last modified 4 years and 132 days ago.
