From: Carlo Landmeter
To: Alpine-devel
Date: Wed, 23 Dec 2015 10:15:43 +0100
Subject: Re: [alpine-devel] pkgs.alpinelinux.org broken tls setup
In-Reply-To: <20151220195530.GF14943@eucalyptus>
References: <20151220195530.GF14943@eucalyptus>

On 20 December 2015 at 20:55, Jiri Horner wrote:
> Hi all,
>
> it looks to me that certificate chain exposed by pkg.alpinelinux.org is
> wrong.
>
> ~$ apk version ca-certificates
> Installed:                     Available:
> ca-certificates-20150426-r3  = 20150426-r3
> ~$ gnutls-cli pkgs.alpinelinux.org
> Processed 180 CA certificate(s).
> Resolving 'pkgs.alpinelinux.org'...
> Connecting to '88.159.20.183:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
>  - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org',
>    issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
>    CN=StartCom Class 1 Primary Intermediate Server CA',   <-- here
>    RSA key 2048 bits, signed using RSA-SHA256, activated `2015-08-20 22:25:04
>    UTC', expires `2016-08-20 12:24:08 UTC', SHA-1 fingerprint (...)
> - Certificate[1] info:
>  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
>    Signing,CN=StartCom Certification Authority',
>    issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
>    CN=StartCom Certification Authority', RSA key 4096 bits, signed using
>    RSA-SHA1, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36
>    UTC', SHA-1 (...)
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
>
> It offers 'StartCom Certification Authority' certificate as Certificate[1].
> But it should be 'StartCom Class 1 Primary Intermediate Server CA' which is
> issuer of Certificate[0].
>
> Probably somebody placed there a CA root cert instead of intermediate CA?

I updated the config, can you verify it's ok now? Thx!

>
> Same story with openssl
>
> ~$ openssl s_client -connect pkgs.alpinelinux.org:443
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster@alpinelinux.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = NL, CN = pkgs.alpinelinux.org, emailAddress =
> webmaster@alpinelinux.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> Cheers,
> Jiri
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
> Help: alpine-devel+help@lists.alpinelinux.org
> ---
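
The chain problem reported in this thread can be checked mechanically. The following is an added example, not part of the original mails: it parses the subject/issuer pairs from gnutls-cli output and flags a certificate whose issuer is not the next one in the list, and a self-issued root sent in place of an intermediate. The function names and finding codes are hypothetical, and names are compared as strings only.

```python
import re

# Constructed sample: the two subject/issuer pairs from the gnutls-cli output
# quoted above, with the mail's quote markers removed and line wraps kept.
SAMPLE = """\
- Certificate[0] info:
 - subject `C=NL,CN=pkgs.alpinelinux.org,EMAIL=webmaster@alpinelinux.org',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 2048 bits
- Certificate[1] info:
 - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate
 Signing,CN=StartCom Certification Authority',
 issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,
 CN=StartCom Certification Authority', RSA key 4096 bits
"""

# gnutls-cli prints each DN between a backtick and an apostrophe.
PAIR = re.compile(r"subject `([^']*)',\s*issuer `([^']*)'")

def _norm(dn):
    # Undo mail line wrapping: collapse whitespace, drop spaces after commas.
    return re.sub(r",\s+", ",", " ".join(dn.split()))

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(_norm(s), _norm(i)) for s, i in PAIR.findall(text)]

def check_chain(chain):
    """Return findings as (code, index, dn); an empty list means the list links up.

    Assumption: names are compared as strings; a real validator also checks
    signatures and key identifiers.
    """
    findings = []
    for n, (subject, issuer) in enumerate(chain):
        if n > 0 and subject == issuer:
            # A self-issued root must already be in the client's trust store;
            # sending it adds no trust and does not replace an intermediate.
            findings.append(("root-in-chain", n, subject))
        if n + 1 < len(chain) and chain[n + 1][0] != issuer:
            # The next certificate is not the issuer of this one.
            findings.append(("issuer-not-next", n, issuer))
    return findings

if __name__ == "__main__":
    for code, n, dn in check_chain(parse_chain(SAMPLE)):
        print(f"cert[{n}]: {code}: {dn}")
```
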