guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Feedback from JRES in Dijon

From: Timothy Sample
Subject: Re: Feedback from JRES in Dijon
Date: Sat, 07 Dec 2019 23:11:19 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) 
Hi Bengt,

I omitted a lot of your message, but I hope I have the easy explanation
you’re looking for.  :)

Bengt Richter <address@hidden> writes:

> On +2019-12-07 11:35:02 -0500, Timothy Sample wrote:
>> 
>> [...]
>> 
>> Unfortunately, I got certificate errors, but VLC lets you temporarily
>> ignore those.
>
> [...]
>
> Anyone see an easy explanation?

After a little more digging, it seems that the certificate sent for
“ccwebcast.in2p3.fr” is signed with an intermediate certificate from
“TERENA”.  This is in turn signed with a DigiCert root certificate.
Unfortunately it looks like “ccwebcast.in2p3.fr” doesn’t send the whole
certificate chain, and the TERENA cert is not part of our “nss-certs”
package, so tools using certs from that package (basically everything on
a normal Guix install) will be unwilling to trust “ccwebcast.in2p3.fr”.
IceCat is okay with it, but it uses its own certificates (it must know
about the TERENA cert, so it doesn’t need the whole chain).

Fortunately, for exceptional situations like this, you can tell most
tools to skip certificate validation (like I mentioned with VLC).  For
youtube-dl, you can use the “--no-check-certificate” option.  Note
however that this is rather dangerous in general, since you are telling
youtube-dl allow anyone to pretend to be anyone else!  In this case,
since it’s just a video and IceCat is okay with the certificate it’s
probably fine.  Just be careful.  :)


-- Tim
reply via email to
[Prev in Thread] Current Thread [Next in Thread]