GNU bug report logs - #50921
GNU ELPA TLS errors: server is returning chain with expired root

Previous Next

Package: emacs;

Reported by: John Cummings <john <at> rootabega.net>

Date: Thu, 30 Sep 2021 20:25:01 UTC

Severity: normal

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#50921: closed (GNU ELPA TLS errors: server is returning chain
 with expired root)
Date: Fri, 01 Oct 2021 05:51:01 +0000

[Message part 1 (text/plain, inline)]
Your message dated Fri, 01 Oct 2021 08:49:35 +0300
with message-id <83ee95fg5s.fsf <at> gnu.org>
and subject line Re: bug#50921: GNU ELPA TLS errors: server is returning chain with expired root
has caused the debbugs.gnu.org bug report #50921,
regarding GNU ELPA TLS errors: server is returning chain with expired root
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
50921: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=50921
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]
From: John Cummings <john <at> rootabega.net>
To: "bug-gnu-emacs <at> gnu.org" <bug-gnu-emacs <at> gnu.org>
Subject: GNU ELPA TLS errors: server is returning chain with expired root
Date: Thu, 30 Sep 2021 20:24:28 +0000

[Message part 3 (text/plain, inline)]
I'm not sure if we are supposed to report infrastructure problems as Emacs bugs, but it should be easy to close if not. I, and at least a few others, have had TLS connection problems to GNU ELPA in the last day or two, with the errors:

|Issued by:          R3
|Issued to:          CN=elpa.gnu.org
|Hostname:           elpa.gnu.org
|Public key:         RSA, signature: RSA-SHA256
|Protocol:           TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
|Security level:     Medium
|Valid:              From 2021-09-28 to 2021-12-27
|
|
|The TLS connection to elpa.gnu.org:443 is insecure for the following
|reasons:
|
|certificate has expired
|certificate could not be verified

It appears that elpa.gnu.org is returning a certificate chain referring to a root certificate that expired today. (More info: https://twitter.com/letsencrypt/status/1443621997288767491) I don't know if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance), but I think it's a safe bet this is the cause of these connection errors.

I confirmed the chain that Emacs is seeing a couple ways. In Emacs 28, the security prompt lets you view certificate details by hitting "d", and in that window I confirmed it is seeing the root cert "CN=DST Root CA X3,O=Digital Signature Trust Co."

I also attached the chain I got by running:
openssl s_client -showcerts -servername elpa.gnu.org -connect elpa.gnu.org:443


Thanks!
[chain.pem (application/x-x509-ca-cert, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Eli Zaretskii <eliz <at> gnu.org>
To: John Cummings <john <at> rootabega.net>
Cc: 50921-done <at> debbugs.gnu.org
Subject: Re: bug#50921: GNU ELPA TLS errors: server is returning chain with
 expired root
Date: Fri, 01 Oct 2021 08:49:35 +0300

> Date: Thu, 30 Sep 2021 20:24:28 +0000
> From: John Cummings <john <at> rootabega.net>
> 
> I'm not sure if we are supposed to report infrastructure problems as Emacs bugs, but it should be easy to close if not. I, and at least a few others, have had TLS connection problems to GNU ELPA in the last day or two, with the errors:
> 
> |Issued by:          R3
> |Issued to:          CN=elpa.gnu.org
> |Hostname:           elpa.gnu.org
> |Public key:         RSA, signature: RSA-SHA256
> |Protocol:           TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
> |Security level:     Medium
> |Valid:              From 2021-09-28 to 2021-12-27
> |
> |
> |The TLS connection to elpa.gnu.org:443 is insecure for the following
> |reasons:
> |
> |certificate has expired
> |certificate could not be verified
> 
> It appears that elpa.gnu.org is returning a certificate chain referring to a root certificate that expired today. (More info: https://twitter.com/letsencrypt/status/1443621997288767491) I don't know if GnuTLS is supposed to be able to work around this (Firefox seems to, for instance), but I think it's a safe bet this is the cause of these connection errors.

It isn't our issue, it's a possible issue with gnu.org infrastructure
and "older" TLS libraries.  The issue is known to GNU sysadmins and
they are working on it.  However, what they advise is to upgrade your
TLS libraries.  Here's a quote from what they told me:

  [GNU machines] have a lets encrypt cert that is valid, it seems some
  older tls libraries dont like that is has 2 alternate intermediate
  certificates and one of them expired.

So this is not an Emacs problem, and I'm therefore closing this bug.
If you want to pursue this further, please write to sysadmin <at> gnu.org.
This bug report was last modified 3 years and 231 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.