Chiselapp SSL certificate problem

Alan Grunwald

Jun 27, 2021, 5:15:21 PM
I've been seeing this error for the last couple of weeks when syncing to
chiselapp.com:

Unable to verify SSL cert from chiselapp.com
  subject: CN = chiselapp.com
  issuer:  C = US, O = Let's Encrypt, CN = R3
  sha256:  da4fa47712231caafd855af85a48d9cf51744c63299a6111ca61a82b6a167822
accept this cert and continue (y/N)? y

Is anyone else seeing this?

I guess the certificate has expired and it's nothing much to worry about.

Alan

Schelte

Jun 28, 2021, 4:34:19 AM
I get that too. But the problem is not that the certificate has expired.
Visiting chiselapp.com with a browser works fine and it shows that the
certificate is valid until Aug 22 2021.

The browser has its own set of CAs. But fossil uses the list of OpenSSL
CAs (unless the ssl-ca-location setting is configured). Running `openssl
s_client -connect chiselapp.com:443` also shows an error:
CONNECTED(00000003)
depth=0 CN = chiselapp.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = chiselapp.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Some googling seems to suggest that the server is not sending the
complete chain:
https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce

Quote: "Usually certificates are tested using a browser, visiting the
URL by going to https://yourwebsite.com and see if it shows as green (or
if it’s not showing Not Secure in the latest version of Google Chrome).
Problem using this approach is that browsers tend to complete the chain
if it’s not sent from the server using their embedded certificate store
(or from the operating system). This means that even an incomplete chain
will show as valid in the browser. [...] If you try to connect to the
same URL using command line tools, it will fail"

This would be something for Roy to fix.


Schelte.
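
An added example, not part of the original posts: a small Python check that reads the `Certificate chain` section of `openssl s_client` output and reports where a certificate's issuer name is not the subject of the next certificate the server sent, as in the output above (leaf issued by R3, next certificate sent is Let's Encrypt Authority X3). The function names are hypothetical, and the comparison is by name text only, not by signature.

```python
import re

# Chain section copied from the openssl s_client output posted in this thread.
SAMPLE = """\
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

SUBJ = re.compile(r"^(\d+)\s+s:(.*)$")   # "<depth> s:<subject>"
ISSU = re.compile(r"^i:(.*)$")           # "i:<issuer>"


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] for the certificates the server sent."""
    chain, in_section, current = [], False, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Certificate chain":
            in_section = True
        elif in_section and s == "---":
            break                          # end of the chain section
        elif in_section and (m := SUBJ.match(s)):
            current = (int(m.group(1)), m.group(2).strip())
        elif in_section and current and (m := ISSU.match(s)):
            chain.append((*current, m.group(1).strip()))
            current = None
    return chain


def chain_gaps(text):
    """Return (depth, issuer_wanted, subject_sent) where adjacent certs do not link."""
    chain = parse_chain(text)
    gaps = []
    for (depth, _subj, issuer), (_d, next_subj, _iss) in zip(chain, chain[1:]):
        if issuer != next_subj:            # name comparison only (assumption)
            gaps.append((depth, issuer, next_subj))
    return gaps


if __name__ == "__main__":
    for depth, wanted, sent in chain_gaps(SAMPLE):
        print(f"depth {depth}: issuer is {wanted!r}, but next cert sent is {sent!r}")
```

A server that sends only the leaf produces no gap here, so an empty result does not by itself mean the chain is complete.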

Alan Grunwald

Jun 28, 2021, 2:39:54 PM
On 28/06/2021 09:34, Schelte wrote:
> On 27/06/2021 23:14, Alan Grunwald wrote:
>> I've been seeing this error for the last couple of weeks when syncing
>> to chiselapp.com:
>>
>> Unable to verify SSL cert from chiselapp.com
>>    subject: CN = chiselapp.com
>>    issuer:  C = US, O = Let's Encrypt, CN = R3
>>    sha256:  da4fa47712231caafd855af85a48d9cf51744c63299a6111ca61a82b6a167822
>> accept this cert and continue (y/N)? y
>>
>> Is anyone else seeing this?
>>
>> I guess the certificate has expired and it's nothing much to worry about.
>>
> I get that too. But the problem is not that the certificate has expired.
> Visiting chiselapp.com with a browser works fine and it shows that the
> certificate is valid until Aug 22 2021.
>

<snip>

> This would be something for Roy to fix.

Thanks for the extra information about the likely fault.

I now see that my latest changes aren't appearing on chiselapp, which
*is* something I'm worried about. Does anyone have an email address for Roy?

Alan