Hi all,

it looks to me that certificate chain exposed by pkg.alpinelinux.org is wrong.

~$ apk version ca-certificates
Installed: Available:
ca-certificates-20150426-r3 = 20150426-r3

~$ gnutls-cli pkgs.alpinelinux.org
Processed 180 CA certificate(s).
Resolving 'pkgs.alpinelinux.org'...
Connecting to '88.159.20.183:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org',
issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
CN=StartCom Class 1 Primary Intermediate Server CA', <-- here
RSA key 2048 bits, signed using RSA-SHA256, activated
`2015-08-20 22:25:04 UTC', expires `2016-08-20 12:24:08 UTC', SHA-1 fingerprint
(...)
- Certificate[1] info:
- subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority',
issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1
(...)
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

It offers 'StartCom Certification Authority' certificate as Certificate[1]. But
it should be 'StartCom Class 1 Primary Intermediate Server CA' which is issuer
of Certificate[0].

Probably somebody placed there a CA root cert instead of intermediate CA?

Same story with openssl

~$ openssl s_client -connect pkgs.alpinelinux.org:443
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster@alpinelinux.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress = webmaster@alpinelinux.org
verify error:num=21:unable to verify the first certificate
verify return:1

Cheers,
Jiri
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
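The check Jiri does by eye above, as an added example that is not part of the original thread: a small parser for gnutls-cli output that reports where the served chain stops linking issuer to subject. It compares names only and verifies no signatures; the function names are this example's own.

```python
import re

# gnutls-cli output copied from the post above, trimmed to the lines that
# carry subject/issuer (validity dates and fingerprints omitted).
SAMPLE = """\
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org',
issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
CN=StartCom Class 1 Primary Intermediate Server CA',
RSA key 2048 bits, signed using RSA-SHA256
- Certificate[1] info:
- subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority',
issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA1
"""

FIELD = re.compile(r"(subject|issuer) `(.*?)'", re.S)

def norm(dn):
    """Undo terminal/mail line wrapping inside a distinguished name."""
    return re.sub(r",\s+", ",", " ".join(dn.split()))

def cn(dn):
    """Common name of a DN, for readable reports."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1) if m else dn

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    for block in re.split(r"- Certificate\[\d+\] info:", text)[1:]:
        fields = {name: norm(value) for name, value in FIELD.findall(block)}
        chain.append((fields["subject"], fields["issuer"]))
    return chain

def broken_links(chain):
    """Name chaining only (no signature check): the issuer of certificate i
    must be the subject of certificate i+1. Returns (i, wanted, got) CNs."""
    return [(i, cn(issuer), cn(chain[i + 1][0]))
            for i, (_, issuer) in enumerate(chain[:-1])
            if issuer != chain[i + 1][0]]

if __name__ == "__main__":
    for i, wanted, got in broken_links(parse_chain(SAMPLE)):
        print(f"Certificate[{i}] was issued by '{wanted}', "
              f"but Certificate[{i + 1}] is '{got}'")
```

An empty result only means the names line up in order; trust still has to be established by the TLS client's own verification.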
On 20 December 2015 at 20:55, Jiri Horner <laeqten@gmail.com> wrote:
> Hi all,
>
> it looks to me that certificate chain exposed by pkg.alpinelinux.org is
> wrong.
>
> ~$ apk version ca-certificates
> Installed: Available:
> ca-certificates-20150426-r3 = 20150426-r3
> ~$ gnutls-cli pkgs.alpinelinux.org
> Processed 180 CA certificate(s).
> Resolving 'pkgs.alpinelinux.org'...
> Connecting to '88.159.20.183:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
> - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org',
> issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
> CN=StartCom Class 1 Primary Intermediate Server CA', <-- here
> RSA key 2048 bits, signed using RSA-SHA256, activated `2015-08-20 22:25:04
> UTC', expires `2016-08-20 12:24:08 UTC', SHA-1 fingerprint (...)
> - Certificate[1] info:
> - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
> Signing,CN=StartCom Certification Authority',
> issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
> CN=StartCom Certification Authority', RSA key 4096 bits, signed using
> RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36
> UTC', SHA-1 (...)
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
>
> It offers 'StartCom Certification Authority' certificate as Certificate[1].
> But it should be 'StartCom Class 1 Primary Intermediate Server CA' which is
> issuer of Certificate[0].
>
> Probably somebody placed there a CA root cert instead of intermediate CA?
I updated the config, can you verify it's ok now?
Thx!
>
> Same story with openssl
>
> ~$ openssl s_client -connect pkgs.alpinelinux.org:443
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster@alpinelinux.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster@alpinelinux.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> Cheers,
> Jiri
>
> ---
> Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
> Help: alpine-devel+help@lists.alpinelinux.org
> ---