Re: [Savannah-hackers-public] Unreachable https and rsync mirrors
From: Ian Kelling
Subject: Re: [Savannah-hackers-public] Unreachable https and rsync mirrors
Date: Mon, 08 Jun 2020 15:17:56 -0400
User-agent: mu4e 1.4.6; emacs 28.0.50

Bob Proulx <bob@proulx.com> writes:
> Bob Proulx wrote:
>> All of those seem to be the outdated CA list and openssl on
>> download0. All but one of the above were issued by Comodo. Which is
>> the mostly common thread among them. They apparently have a newly
>> issued trust anchor.
>
> It turns out that this was a pretty widely felt expired certificate.
> And tickles an openssl bug. And therefore fixes have been rippling
> through.
>
> The way I have been reading the blogs on this the problem is one of
> the certificate chains has expired. Coupled with openssl prior to 1.1
> which flagged as invalid the chain if either were invalid. Requiring
> both of them to be valid. As opposed to validating it as okay if any
> of the chains validated as it is supposed to have been working.
>
> Over the weekend I realized that I could extract the expired
> certificate and leave only the valid one and this would fix the
> problem. And I could even update the bundle.
>
> But then the Debian Stretch LTS team prepared a package upgrade doing
> all of the work very nicely packaged making this trivial to install
> their package and not needing any work at all. :-)
>
> I have upgraded the CA certificate bundle on our three machines that
> were needing it, download0, vcs0, mgt0. Testing shows that the
> previous certificates that were previously invalid are now validating.
> I am going to wait and let the mirmon scripts run and hopefully that
> will now validate those mirrors and they will come back online in the
> redirector over the next couple of hours.
>
> Bob

Awesome. Onto server upgrades! I just decommissioned a Debian Lenny
machine this last weekend.