
Re: [GNUnet-developers] Moving to Git


From: Christian Grothoff
Subject: Re: [GNUnet-developers] Moving to Git
Date: Mon, 7 Nov 2016 23:45:55 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0

It works perfectly for me. Could it be that your CAfile lacks the root
certificate of Let's Encrypt?

On 11/07/2016 09:45 PM, jah wrote:
> On 07/11/16 17:40, Christian Grothoff wrote:
>> I've just finished migrating the (active) GNUnet Subversion repositories
>> to Git.  You should be able to
>>
>> $ git clone git://gnunet.org/$REPONAME # read-only, insecure
>> $ git clone https://gnunet.org/git/$REPONAME # read-only, secure
>> $ git clone git+ssh://address@hidden/$REPONAME # dev-only
> 
> It looks like there's an error with the HTTPS certificate chain that prevents 
> git clone:-
> 
>  $ git --version
>  git version 1.9.1
>  $ git clone https://gnunet.org/git/gnunet.git
>  Cloning into 'gnunet'...
>  fatal: unable to access 'https://gnunet.org/git/gnunet.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
> 
> I see three certs in the chain (see bottom): the first is the server cert and 
> is good, the second is a duplicate of the first and the third is the Let's 
> Encrypt CA. 
> 
> From [chain-issues]:
> 
> "According to the standard, certificates must be presented in the order in 
> which they are needed. The main, server, certificate must come first, 
> followed by the certificate that signed it, followed by the next certificate 
> in the chain, and so on. A small number of sites does not get this order 
> right. Most SSL clients will deal with this problem silently, but there is a 
> small number of platforms that will give up."
> 
> jah
> 
> [chain-issues]: https://community.qualys.com/docs/DOC-1931
> 
> 
> $ echo -n | openssl s_client -showcerts -connect gnunet.org:443
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/CN=ng.gnunet.org
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
> [snip]
> dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
> -----END CERTIFICATE-----
>  1 s:/CN=ng.gnunet.org
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
> [snip]
> dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
> -----END CERTIFICATE-----
>  2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> [snip]
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/CN=ng.gnunet.org
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4523 bytes and written 421 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> [snip]
>     Verify return code: 20 (unable to get local issuer certificate)
> ---
> 

Attachment: signature.asc
Description: OpenPGP digital signature

