[alpine-devel] pkgs.alpinelinux.org broken tls setup

Jiri Horner <laeqten@gmail.com>
Message ID: <20151220195530.GF14943@eucalyptus>
Sender timestamp: 1450641330
DKIM signature: missing
Hi all,

it looks to me that the certificate chain exposed by pkg.alpinelinux.org is wrong.

~$ apk version ca-certificates
Installed:                                Available:
ca-certificates-20150426-r3             = 20150426-r3 
~$ gnutls-cli pkgs.alpinelinux.org
Processed 180 CA certificate(s).
Resolving 'pkgs.alpinelinux.org'...
Connecting to '88.159.20.183:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org', 
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Class 1 Primary Intermediate Server CA', <-- here
 RSA key 2048 bits, signed using RSA-SHA256, activated 
 `2015-08-20 22:25:04 UTC', expires `2016-08-20 12:24:08 UTC', SHA-1 fingerprint 
 (...)
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1 
(...)
 - Status: The certificate is NOT trusted. The certificate issuer is unknown. 
 *** PKI verification of server certificate failed...
 *** Fatal error: Error in the certificate.

It offers the 'StartCom Certification Authority' certificate as Certificate[1], but 
it should be 'StartCom Class 1 Primary Intermediate Server CA', which is the issuer 
of Certificate[0].

Probably somebody placed a CA root cert there instead of the intermediate CA?

Same story with openssl:

~$  openssl s_client -connect pkgs.alpinelinux.org:443
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster@alpinelinux.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster@alpinelinux.org
verify error:num=21:unable to verify the first certificate
verify return:1

Cheers,
Jiri


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
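The linkage check that the gnutls-cli and openssl output above is performing by hand, as an added example that is not part of the thread: it parses the subject/issuer pairs gnutls-cli prints, walks the chain in the order the server sent it, and reports whether an intermediate is missing, out of order, or replaced by a root. The sample output and the trust-store set are constructed stand-ins modelled on the report, with the long DNs shortened.

```python
"""Linkage check for a served TLS certificate chain (added example)."""
import re

# Constructed sample modelled on the gnutls-cli output in the report above:
# the root sits in slot 1 where the 'Class 1 Primary Intermediate Server CA' belongs.
BROKEN_CHAIN_OUTPUT = """\
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org', issuer `C=IL,O=StartCom Ltd.,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 2048 bits
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom Ltd.,CN=StartCom Certification Authority', RSA key 4096 bits
"""
# Constructed: the shape the chain should have after the fix (leaf, then intermediate).
FIXED_CHAIN_OUTPUT = """\
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org', issuer `C=IL,O=StartCom Ltd.,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 2048 bits
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,CN=StartCom Class 1 Primary Intermediate Server CA', issuer `C=IL,O=StartCom Ltd.,CN=StartCom Certification Authority', RSA key 2048 bits
"""
# Constructed stand-in for the client's ca-certificates bundle (subjects of trusted roots).
TRUSTED_ROOTS = {"C=IL,O=StartCom Ltd.,CN=StartCom Certification Authority"}

CERT_RE = re.compile(r"subject `([^']*)', issuer `([^']*)'")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    return CERT_RE.findall(text)


def check_chain(chain, trusted_roots):
    """Return a list of problems; empty means every certificate is followed by its
    issuer, or is issued directly by a root the client already trusts."""
    subjects = [s for s, _ in chain]
    problems = []
    for i, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            problems.append(f"cert[{i}] is a self-signed root; the client must already "
                            "trust it, so sending it adds nothing")
        elif i + 1 < len(chain) and subjects[i + 1] == issuer:
            continue  # correctly linked to the next certificate in the list
        elif issuer in trusted_roots:
            continue  # chain ends at a trust anchor the client holds
        elif issuer in subjects:
            problems.append(f"cert[{i}]: issuer '{issuer}' is sent, but not directly "
                            "after it (chain out of order)")
        else:
            problems.append(f"cert[{i}]: issuer '{issuer}' is neither sent nor a "
                            "trusted root (missing intermediate)")
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CHAIN_OUTPUT), ("fixed", FIXED_CHAIN_OUTPUT)):
        print(name, check_chain(parse_chain(text), TRUSTED_ROOTS) or ["chain ok"])
```

Run against the broken sample it reports a missing intermediate for cert[0] and an unnecessary root in slot 1; against the fixed sample it reports nothing, which is what gnutls-cli's verification needs to succeed.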
Carlo Landmeter <clandmeter@gmail.com>
Message ID: <CA+cSEmOi_R-ibg4=7BrZ4RRO=0FVSK+EvS98ecY5Ebn87OsLUQ@mail.gmail.com>
In-Reply-To: <20151220195530.GF14943@eucalyptus>
Sender timestamp: 1450862143
DKIM signature: missing
On 20 December 2015 at 20:55, Jiri Horner <laeqten@gmail.com> wrote:
> Hi all,
>
> it looks to me that the certificate chain exposed by pkg.alpinelinux.org is
> wrong.
>
> ~$ apk version ca-certificates
> Installed:                                Available:
> ca-certificates-20150426-r3             = 20150426-r3 ~$ gnutls-cli
> pkgs.alpinelinux.org
> Processed 180 CA certificate(s).
> Resolving 'pkgs.alpinelinux.org'...
> Connecting to '88.159.20.183:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
> - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org',
> issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
> CN=StartCom Class 1 Primary Intermediate Server CA', <-- here
> RSA key 2048 bits, signed using RSA-SHA256, activated `2015-08-20 22:25:04
> UTC', expires `2016-08-20 12:24:08 UTC', SHA-1 fingerprint (...)
> - Certificate[1] info:
> - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
> Signing,CN=StartCom Certification Authority',
> issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
> CN=StartCom Certification Authority', RSA key 4096 bits, signed using
> RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36
> UTC', SHA-1 (...)
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
>
> It offers the 'StartCom Certification Authority' certificate as Certificate[1],
> but it should be 'StartCom Class 1 Primary Intermediate Server CA', which is the
> issuer of Certificate[0].
>
> Probably somebody placed a CA root cert there instead of the intermediate CA?

I updated the config, can you verify it's ok now?

Thx!

>
> Same story with openssl
>
> ~$  openssl s_client -connect pkgs.alpinelinux.org:443
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster@alpinelinux.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster@alpinelinux.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> Cheers,
> Jiri


Jiri Horner <laeqten@gmail.com>
Message ID: <20151223200225.GJ14943@eucalyptus>
In-Reply-To: <CA+cSEmOi_R-ibg4=7BrZ4RRO=0FVSK+EvS98ecY5Ebn87OsLUQ@mail.gmail.com>
Sender timestamp: 1450900945
DKIM signature: missing
>
>I updated the config, can you verify it's ok now?
>
>Thx!
>

Yes, it's perfect now. Thanks.

Jiri

