Re: [GNUnet-developers] Moving to Git
From: Christian Grothoff
Subject: Re: [GNUnet-developers] Moving to Git
Date: Mon, 7 Nov 2016 23:45:55 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0

It works perfectly for me. Could it be that your CAfile lacks the root
certificate of Let's Encrypt?
On 11/07/2016 09:45 PM, jah wrote:
> On 07/11/16 17:40, Christian Grothoff wrote:
>> I've just finished migrating the (active) GNUnet Subversion repositories
>> to Git. You should be able to
>>
>> $ git clone git://gnunet.org/$REPONAME # read-only, insecure
>> $ git clone https://gnunet.org/git/$REPONAME # read-only, secure
>> $ git clone git+ssh://address@hidden/$REPONAME # dev-only
>
> It looks like there's an error with the HTTPS certificate chain that prevents
> git clone:-
>
> $ git --version
> git version 1.9.1
> $ git clone https://gnunet.org/git/gnunet.git
> Cloning into 'gnunet'...
> fatal: unable to access 'https://gnunet.org/git/gnunet.git/': server
> certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
>
> I see three certs in the chain (see bottom): the first is the server cert and
> is good, the second is a duplicate of the first and the third is the Let's
> Encrypt CA.
>
> From [chain-issues]:
>
> "According to the standard, certificates must be presented in the order in
> which they are needed. The main, server, certificate must come first,
> followed by the certificate that signed it, followed by the next certificate
> in the chain, and so on. A small number of sites does not get this order
> right. Most SSL clients will deal with this problem silently, but there is a
> small number of platforms that will give up."
>
> jah
>
> [chain-issues]: https://community.qualys.com/docs/DOC-1931
>
>
> $ echo -n | openssl s_client -showcerts -connect gnunet.org:443
> CONNECTED(00000003)
> ---
> Certificate chain
> 0 s:/CN=ng.gnunet.org
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
> [snip]
> dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
> -----END CERTIFICATE-----
> 1 s:/CN=ng.gnunet.org
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
> [snip]
> dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
> -----END CERTIFICATE-----
> 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> [snip]
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/CN=ng.gnunet.org
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4523 bytes and written 421 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> [snip]
> Verify return code: 20 (unable to get local issuer certificate)
> ---
>
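The chain-order rule quoted in this thread can be checked mechanically. The following is an added example, not code from the thread or from GNUnet: it parses the `Certificate chain` section of `openssl s_client -showcerts` output and reports repeated certificates and broken issuer links. The function names are hypothetical, the sample is constructed from the subject/issuer lines quoted above, and the check compares names only (it does not verify signatures).

```python
import re

# Constructed sample: the subject/issuer lines from the "Certificate chain"
# section of the s_client output quoted in the thread (PEM bodies omitted).
SAMPLE = """\
Certificate chain
 0 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
"""

# One chain entry: "<depth> s:<subject>" then "i:<issuer>" on the next line.
# Leading whitespace or mail-quote markers ("> ") are tolerated.
ENTRY = re.compile(r"^[>\s]*(\d+) s:(.*)\n[>\s]*i:(.*)$", re.M)

def parse_chain(text):
    """Return [(depth, subject, issuer)] in the order the server sent them."""
    section = text.split("Certificate chain", 1)[-1]
    # Stop at the first bare "---" line; PEM "-----BEGIN" lines do not match.
    section = re.split(r"^(?:> )?---\s*$", section, maxsplit=1, flags=re.M)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(section)]

def check_chain(chain):
    """List ordering problems: each cert must be issued by the next one sent."""
    problems = []
    seen = {}
    for depth, subject, issuer in chain:
        if (subject, issuer) in seen:
            problems.append(f"cert {depth} repeats cert {seen[(subject, issuer)]}")
        else:
            seen[(subject, issuer)] = depth
    for (d, _, issuer), (n, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"cert {d} issuer is not the subject of cert {n}")
    return problems

if __name__ == "__main__":
    for problem in check_chain(parse_chain(SAMPLE)):
        print(problem)
```
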