Anomaly: "SSL certificate problem" message during Poudriere job


F N
Mar 10, 2022, 11:17:17 PM
to HardenedBSD Users
Hello,

just a short question.

Since last night I'm aware of the following message while running Poudriere:

"fatal: unable to access 'https://git.hardenedbsd.org/hardenedbsd/hardenedbsd.git/': SSL certificate problem: unable to get local issuer certificate"

The Poudriere jobs are running fine as far as I can tell.

Nevertheless, I cannot find any log file entries linked to this event(s) in the related system units so far.

Well, I'm wondering now: is this just a faulty configuration on my side, or is this a (maybe already known) non-conformity of some kind?

Any advice on how to handle this situation would be highly appreciated.

Thank you

Frank

Loic

Mar 11, 2022, 8:09:54 AM
to F N, HardenedBSD Users, Shawn Webb
On Thu, 10 Mar 2022 20:17:17 -0800 (PST),
F N <stn2...@gmail.com> wrote:
Hi Frank,

A new certificate has been in place since yesterday for git.hardenedbsd.org:
Thu, 10 Mar 2022 00:00:00 GMT

Although we don't have any problems with Firefox, the new certificate
causes problems with git, openssl, or some Android applications like
Firefox Focus.

Here is the error obtained with openssl:
$ openssl s_client -connect git.hardenedbsd.org:443 -showcerts
CONNECTED(00000003)
depth=0 CN = git.hardenedbsd.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = git.hardenedbsd.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = git.hardenedbsd.org
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
---
Server certificate
subject=CN = git.hardenedbsd.org

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
Limited, CN = Sectigo ECC Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1629 bytes and written 391 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---


Shawn has scheduled urgent maintenance of the GitLab server; I'm
sure he will take care of this at the same time ;)

--
Loic
dev team
HardenedBSD
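
The `openssl s_client` output in the message above lists a single chain entry (the leaf) and ends with verify codes 20 and 21. As an added example, not part of the thread, this shell function reads such output and reports how many certificates the server sent and whether the last one's issuer went unresolved; the function names and both samples are constructed for illustration.

```shell
# Added example (not from the thread): classify `openssl s_client -showcerts`
# output on stdin by the chain the server sent and the final verify code.
chain_diagnosis() {
    awk '
        # Chain entries: " N s:<subject>" followed by "   i:<issuer>".
        /^ *[0-9]+ s:/ { sent++; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss = $0; next }
        /^Verify return code:/ { code = $4 }
        END {
            if (code == "") { print "status=no-verify-result"; exit }
            if (code == 0)  { print "status=verified sent=" (sent + 0); exit }
            # 20/21 with a non-self-signed last certificate: its issuer was
            # neither sent by the server nor found in the local trust store.
            if ((code == 20 || code == 21) && subj != iss) {
                print "status=unresolved-issuer sent=" sent " code=" code " issuer=" iss
                exit
            }
            print "status=other-error sent=" (sent + 0) " code=" code
        }'
}

# Constructed sample: the output from the thread, condensed, PEM body left out.
sample_leaf_only() {
    cat <<'EOF'
depth=0 CN = git.hardenedbsd.org
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:CN = git.hardenedbsd.org
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample with hypothetical names: leaf plus intermediate, verified.
sample_full_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = www.example.org
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
Verify return code: 0 (ok)
EOF
}

sample_leaf_only | chain_diagnosis
sample_full_chain | chain_diagnosis
```

Against a live server, pipe `openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null` into `chain_diagnosis`. An `unresolved-issuer` result with `sent=1` means the client has to find the issuing CA certificate on its own, which can explain why one client verifies the site while git and openssl do not.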

F N

Mar 11, 2022, 8:27:29 AM
to HardenedBSD Users, loi...@hardenedbsd.org, HardenedBSD Users, Shawn Webb, F N
Hi Loic,

Thank you for your fast response!

Good to know that the issue is known.

I will wait and observe my logs :-)

Frank