Re: [alpine-devel] pkgs.alpinelinux.org broken tls setup

From: Carlo Landmeter <clandmeter_at_gmail.com>
Date: Wed, 23 Dec 2015 10:15:43 +0100

On 20 December 2015 at 20:55, Jiri Horner <laeqten_at_gmail.com> wrote:
> Hi all,
>
> it looks to me that the certificate chain exposed by pkg.alpinelinux.org is
> wrong.
>
> ~$ apk version ca-certificates
> Installed:                     Available:
> ca-certificates-20150426-r3 = 20150426-r3
> ~$ gnutls-cli pkgs.alpinelinux.org
> Processed 180 CA certificate(s).
> Resolving 'pkgs.alpinelinux.org'...
> Connecting to '88.159.20.183:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
> - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster_at_alpinelinux.org',
> issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
> CN=StartCom Class 1 Primary Intermediate Server CA', <-- here
> RSA key 2048 bits, signed using RSA-SHA256, activated `2015-08-20 22:25:04
> UTC', expires `2016-08-20 12:24:08 UTC', SHA-1 fingerprint (...)
> - Certificate[1] info:
> - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
> Signing,CN=StartCom Certification Authority',
> issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
> CN=StartCom Certification Authority', RSA key 4096 bits, signed using
> RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36
> UTC', SHA-1 (...)
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
>
> It offers the 'StartCom Certification Authority' certificate as Certificate[1].
> But it should be 'StartCom Class 1 Primary Intermediate Server CA', which is
> the issuer of Certificate[0].
>
> Probably somebody placed a CA root cert there instead of the intermediate CA?

I updated the config, can you verify it's OK now?

Thx!

>
> Same story with openssl
>
> ~$ openssl s_client -connect pkgs.alpinelinux.org:443
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster_at_alpinelinux.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster_at_alpinelinux.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> Cheers,
> Jiri
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>

Received on Wed Dec 23 2015 - 10:15:43 UTC
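
The chain-order problem reported in this thread can be checked mechanically. The following is an added example, not part of the original messages: it parses subject/issuer pairs from gnutls-cli output (sample lines adapted from the output quoted above; the function names are this example's own) and checks that each certificate's issuer is the subject of the next one. It compares names only and does not verify signatures.

```python
import re

# Constructed sample: the two "Certificate[n] info" entries quoted in the thread,
# unwrapped to one line each, with the e-mail, validity and fingerprint fields dropped.
GNUTLS_OUTPUT = """\
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 2048 bits
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 4096 bits
"""

PAIR = re.compile(r"subject `([^']*)', issuer `([^']*)'")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return PAIR.findall(text)


def check_chain(chain):
    """Report name-chaining problems in a server-sent certificate list.

    Only distinguished names are compared; signatures are not verified,
    so an empty result is necessary for a valid chain but not sufficient.
    """
    problems = []
    for i, (subject, issuer) in enumerate(chain):
        if i > 0 and subject == issuer:
            # Self-signed entry after the leaf: a root. Clients take roots from
            # their own trust store, so it cannot stand in for an intermediate.
            problems.append(f"cert[{i}] is self-signed (root), not an intermediate")
        if i + 1 < len(chain) and issuer != chain[i + 1][0]:
            problems.append(f"cert[{i}] issuer is not the subject of cert[{i + 1}]: missing {issuer!r}")
    return problems


if __name__ == "__main__":
    for problem in check_chain(parse_chain(GNUTLS_OUTPUT)):
        print(problem)
```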