bug#45358: bootstrap fails due to a certificate mismatch
From: Grigoriy Sokolik
Subject: bug#45358: bootstrap fails due to a certificate mismatch
Date: Sat, 13 Feb 2021 14:43:10 +0200
I have the same issue.
Some investigations:
1. I decided to find out the particular command that fails and added
more debug printing:
diff --git a/bootstrap b/bootstrap
index 7523f65b4..44c21db23 100755
--- a/bootstrap
+++ b/bootstrap
@@ -749,6 +749,7 @@ download_po_files() {
domain=$2
echo "$me: getting translations into $subdir for $domain..."
cmd=$(printf "$po_download_command_format" "$subdir" "$domain")
+ echo "$me: going to exec \"$cmd\"..."
eval "$cmd"
}
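Review bot: The `echo` added just before `eval "$cmd"` runs unconditionally and writes to stdout, so every bootstrap run now prints the full download command; if it is meant to stay rather than serve as local debugging, send it to stderr or make it conditional. Because `$cmd` is arbitrary text produced by `printf`, `printf '%s\n' "$me: going to exec \"$cmd\"..."` would also be more portable than `echo`, which may interpret backslashes in some shells.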
2. Tried to run:
$ ./bootstrap
./bootstrap: Bootstrapping from checked-out coreutils sources...
./bootstrap: consider installing git-merge-changelog from gnulib
./bootstrap: getting gnulib files...
./bootstrap: getting translations into po/.reference for coreutils...
./bootstrap: going to exec "wget --mirror --level=1 -nd -nv -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/"...
ERROR: The certificate of 'translationproject.org' is not trusted.
ERROR: The certificate of 'translationproject.org' doesn't have a known issuer.
3. Tried to run the command directly, but without the `-nv` flag:
$ wget --mirror --level=1 -nd -v -A.po -P 'po/.reference' https://translationproject.org/latest/coreutils/
--2021-02-13 14:23:35-- https://translationproject.org/latest/coreutils/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving translationproject.org (translationproject.org)... 80.69.83.146, 2a01:7c8:c037:6::20
Connecting to translationproject.org (translationproject.org)|80.69.83.146|:443... connected.
ERROR: The certificate of ‘translationproject.org’ is not trusted.
ERROR: The certificate of ‘translationproject.org’ doesn't have a known issuer.
4. Tried the same with curl:
$ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
0* Trying 80.69.83.146:443...
* Connected to translationproject.org (80.69.83.146) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [93 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [6723 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [589 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=stats.vrijschrift.org
* start date: Dec 31 10:34:41 2020 GMT
* expire date: Mar 31 10:34:41 2021 GMT
* subjectAltName: host "translationproject.org" matched cert's "translationproject.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
} [5 bytes data]
> GET /latest/coreutils/ HTTP/1.1
> Host: translationproject.org
> User-Agent: curl/7.75.0
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 13 Feb 2021 12:26:00 GMT
< Server: Apache/2.4.10 (Debian)
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html;charset=UTF-8
<
{ [5 bytes data]
100 8881 0 8881 0 0 16980 0 --:--:-- --:--:-- --:--:-- 16980
* Connection #0 to host translationproject.org left intact
5. Trying to export and verify the cert with certtool:
$ certtool --verbose --verify-profile=high --verify --infile=/tmp/stats.vrijschrift.org
Loaded system trust (139 CAs available)
Subject: CN=R3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Subject: CN=R3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Subject: CN=R3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Subject: CN=stats.vrijschrift.org
Issuer: CN=R3,O=Let's Encrypt,C=US
Checked against: CN=R3,O=Let's Encrypt,C=US
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
Maybe that "Output: Not verified. The certificate is NOT trusted. The
certificate issuer is unknown." is the issue?
Thanks!
Best regards,
Grigorii
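
Added example, not part of the original message: a small shell filter that tabulates the `certtool --verify` output from step 5, putting each entry's verdict next to the final chain verdict and listing entries that appear more than once. The function names are chosen here for illustration, and the sample input is the step 5 output with the mail line-wrapping undone.

```shell
# Added example: tabulate `certtool --verify` output read from stdin.
# Prints "verdict<TAB>subject<TAB>issuer" per entry, then "CHAIN<TAB>verdict".
summarize_certtool() {
    awk '
        function verdict(line) { return (line ~ /: Verified/) ? "OK" : "FAIL" }
        { sub(/^[ \t]+/, "") }                  # tolerate indented entries
        /^Subject: / { subject = substr($0, 10) }
        /^Issuer: /  { issuer  = substr($0, 9) }
        /^Output: /  { printf "%s\t%s\t%s\n", verdict($0), subject, issuer }
        /^Chain verification output: / { printf "CHAIN\t%s\n", verdict($0) }'
}
# Counts per-certificate entries with the given verdict ($1 = OK or FAIL).
count_verdict() {
    summarize_certtool | awk -F '\t' -v v="$1" '$1 == v { n++ } END { print n + 0 }'
}
# Prints "count<TAB>subject<TAB>issuer" for entries listed more than once.
duplicate_entries() {
    summarize_certtool | awk -F '\t' '
        $1 != "CHAIN" { seen[$2 FS $3]++ }
        END { for (k in seen) if (seen[k] > 1) print seen[k] FS k }'
}
# Sample input: the step 5 output from the message, mail wrapping undone.
sample_output() {
    cat <<'EOF'
Loaded system trust (139 CAs available)
Subject: CN=R3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Subject: CN=R3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Signature algorithm: RSA-SHA256
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.
Subject: CN=R3,O=Let's Encrypt,C=US
Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Subject: CN=stats.vrijschrift.org
Issuer: CN=R3,O=Let's Encrypt,C=US
Checked against: CN=R3,O=Let's Encrypt,C=US
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
EOF
}
sample_output | summarize_certtool
```

To run it against a live check, pipe the real command's output in, for example `certtool --verify --infile=FILE | summarize_certtool`.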