qubes-templates-itl-testing: certificate expired. Drop https or update cert?

Dupéron Georges

Feb 10, 2019, 1:18:53 PM
to qubes...@googlegroups.com
It seems that the SSL certificate for the qubes-templates-itl-testing repo has expired.

sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-9-minimal
[...]
DNF will only download packages for the transaction.
Downloading Packages:
[MIRROR] qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.dgplug.org/qubes/repo/yum/r4.0/templates-itl-testing/rpm/qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm [SSL certificate problem: certificate has expired]

GPG signature of the packages is checked by dom0 anyway, so they can be downloaded using an insecure connection, right?

Should the httpS be removed in /etc/yum.repos.d/qubes-templates.repo, or can the certificate be updated?

Cheers,
Georges Dupéron

Marek Marczykowski-Górecki

Feb 10, 2019, 4:09:52 PM
to Dupéron Georges, qubes...@googlegroups.com
On Sun, Feb 10, 2019 at 06:23:37PM +0100, Dupéron Georges wrote:
> It seems that the SSL certificate for the qubes-templates-itl-testing repo
> has expired.
>
> sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing
> qubes-template-debian-9-minimal
> [...]
> DNF will only download packages for the transaction.
> Downloading Packages:
> [MIRROR] qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm:
> Curl error (60): Peer certificate cannot be authenticated with given CA
> certificates for
> https://mirrors.dgplug.org/qubes/repo/yum/r4.0/templates-itl-testing/rpm/qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm
> [SSL certificate problem: certificate has expired]
>
> GPG signature of the packages is checked by dom0 anyway, so they can be
> downloaded using an insecure connection, right?

Yes, this does not affect the integrity of the packages.

> Should the httpS be removed in /etc/yum.repos.d/qubes-templates.repo, or
> can the certificate be updated?

This is just one of the mirrors, yum/dnf should fall back to another one
automatically, doesn't it for you?

Regardless of the above, I've notified the mirror operator.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Dupéron Georges

Feb 18, 2019, 4:23:57 AM
to qubes-users
sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-debian-9-minimal
[...]
DNF will only download packages for the transaction.
Downloading Packages:
[MIRROR] qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.dgplug.org/qubes/repo/yum/r4.0/templates-itl-testing/rpm/qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm [SSL certificate problem: certificate has expired]

I don't get this error/warning anymore, so someone must have updated the SSL certificate. Thanks!
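
The thread's answer, that package integrity rests on the GPG signature check rather than on HTTPS, only holds for repos where that check is enabled. The following is an added example, not code from this thread or from the Qubes project: it audits a yum/dnf `.repo` file for that condition. The sample repo definitions and the `audit_repos` helper are constructed for illustration, and a missing `gpgcheck` is treated as off without consulting `[main]` in `dnf.conf`.

```python
import configparser

# Constructed sample in yum/dnf .repo syntax; NOT the real contents of
# /etc/yum.repos.d/qubes-templates.repo.
SAMPLE_REPO = """\
[signed-https]
baseurl = https://mirror.example.org/repo/templates
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[signed-http]
baseurl = http://mirror.example.org/repo/templates
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[unsigned-http]
baseurl = http://mirror.example.org/repo/templates
gpgcheck = 0
"""

def _flag(section, key, default):
    """Read a yum-style boolean option (1/0, true/false, yes/no)."""
    return section.get(key, default).strip().lower() in ("1", "true", "yes")

def audit_repos(text):
    """Return {repo_id: [findings]} for the text of one .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        # Assumption: gpgcheck absent from the repo section means "off".
        signed = _flag(sec, "gpgcheck", "0")
        urls = " ".join(sec.get(k, "") for k in ("baseurl", "metalink", "mirrorlist"))
        # Plain HTTP or disabled certificate checks both leave transport unauthenticated.
        weak_transport = "http://" in urls or not _flag(sec, "sslverify", "1")
        findings = []
        if not signed:
            findings.append("gpgcheck is off")
        if weak_transport and signed:
            findings.append("unauthenticated transport: integrity rests on the GPG signature only")
        elif weak_transport:
            findings.append("unauthenticated transport and no signature check")
        report[repo] = findings
    return report

if __name__ == "__main__":
    for repo, findings in audit_repos(SAMPLE_REPO).items():
        print(repo, "->", findings or "ok")
```
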