gnunet-developers

Re: [GNUnet-developers] Moving to Git


From: jah
Subject: Re: [GNUnet-developers] Moving to Git
Date: Mon, 7 Nov 2016 20:45:42 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.8.0

On 07/11/16 17:40, Christian Grothoff wrote:
> I've just finished migrating the (active) GNUnet Subversion repositories
> to Git.  You should be able to
>
> $ git clone git://gnunet.org/$REPONAME # read-only, insecure
> $ git clone https://gnunet.org/git/$REPONAME # read-only, secure
> $ git clone git+ssh://address@hidden/$REPONAME # dev-only

It looks like there's an error with the HTTPS certificate chain that prevents 
git clone:-

 $ git --version
 git version 1.9.1
 $ git clone https://gnunet.org/git/gnunet.git
 Cloning into 'gnunet'...
 fatal: unable to access 'https://gnunet.org/git/gnunet.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt

I see three certs in the chain (see bottom): the first is the server cert and is 
good, the second is a duplicate of the first and the third is the Let's Encrypt 
CA. 

From [chain-issues]:

"According to the standard, certificates must be presented in the order in 
which they are needed. The main, server, certificate must come first, followed 
by the certificate that signed it, followed by the next certificate in the 
chain, and so on. A small number of sites does not get this order right. Most 
SSL clients will deal with this problem silently, but there is a small number 
of platforms that will give up."

jah

[chain-issues]: https://community.qualys.com/docs/DOC-1931


$ echo -n | openssl s_client -showcerts -connect gnunet.org:443
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
[snip]
dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
-----END CERTIFICATE-----
 1 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
[snip]
dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
-----END CERTIFICATE-----
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
[snip]
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ng.gnunet.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4523 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
[snip]
    Verify return code: 20 (unable to get local issuer certificate)
---






