--- Begin Message ---
Subject: |
bootstrap fails due to a certificate mismatch |
Date: |
Mon, 21 Dec 2020 17:29:35 -0800 |
When running ./bootstrap in a freshly-cloned repository, it seems to either
not find some files it wants to or doesn't trust https://translationproject.org.
Connecting to https://translationproject.org in a (non-wget) web browser works
fine.
The following is the output of ./bootstrap.
```
./bootstrap: Bootstrapping from checked-out coreutils sources...
./bootstrap: consider installing git-merge-changelog from gnulib
./bootstrap: getting gnulib files...
Submodule 'gnulib' (git://git.sv.gnu.org/gnulib.git) registered for path
'gnulib'
Cloning into '/home/teal/Projects/coreutils/gnulib'...
Submodule path 'gnulib': checked out '8183682cc4436bee18007d61bc79938eaf78619a'
./bootstrap: getting translations into po/.reference for coreutils...
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
ERROR: The certificate of 'translationproject.org' is not trusted.
ERROR: The certificate of 'translationproject.org' doesn't have a known issuer.
```
Do let me know if you need more information, or if this is a duplicate report.
-- j-james
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#45358: bootstrap fails due to a certificate mismatch |
Date: |
Tue, 9 Mar 2021 11:30:02 -0700 |
Erik Auerswald wrote:
> Grigoriy Sokolik wrote:
> > I've rechecked:
>
> I cannot reproduce the problem, the certificate is trusted by my system:
>
> # via IPv4
> $ gnutls-cli --verbose translationproject.org </dev/null | grep -E
> 'Connecting|Status'
> Connecting to '80.69.83.146:443'...
> - Status: The certificate is trusted.
> # via IPv6
> $ gnutls-cli --verbose translationproject.org </dev/null | grep -E
> 'Connecting|Status'
> Connecting to '2a01:7c8:c037:6::20:443'...
> - Status: The certificate is trusted.
I have the same results here. Everything looks okay in the inspection
of it.
> It seems to me as if your system does not trust the used root CA.
>
> > [...]issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.'[...]
>
> On my Ubuntu 18.04 system, I find it via symlink from /etc/ssl/certs:
>
> $ ls /etc/ssl/certs/DST_Root_CA_X3.pem -l
> lrwxrwxrwx 1 root root 53 Mai 28 2018 /etc/ssl/certs/DST_Root_CA_X3.pem
> -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
> $ certtool --certificate-info <
> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt | grep Subject:
> Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
Again same here on my Debian system. The root certificate store for
the trust anchor is in the ca-certificates package.
Looking at my oldest system I see this is distributed as package
version 20200601~deb9u1 and includes the above file.
$ apt-cache policy ca-certificates
ca-certificates:
Installed: 20200601~deb9u1
Candidate: 20200601~deb9u1
Version table:
*** 20200601~deb9u1 500
500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
500 http://ftp.us.debian.org/debian stretch-updates/main amd64
Packages
100 /var/lib/dpkg/status
Verifying that the equivalent of ca-certificates is installed on your
system should provide for it.
As this seems not to be a bug in Coreutils I am marking the bug as
closed with this mail. However more discussion is always welcome.
Bob
--- End Message ---