Bug#976836: libgnutls30: 3.7.0-3 fails to connect on debian.ethz.ch
Axel Beckert
abe at debian.org
Tue Dec 8 15:23:32 GMT 2020
Hi Jonathan and Andreas,
Andreas Metzler wrote:
> > I updated gnutls to 3.7.0-3 this morning, then apt was unable to connect to
> > the Debian mirror https://debian.ethz.ch/debian/:
>
> > $ sudo apt update
> > Ign:1 https://debian.ethz.ch/debian sid InRelease
> > Err:2 https://debian.ethz.ch/debian sid Release
> > Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 129.132.53.171 443]
> > Reading package lists... Done
[...]
> afaict the server is misconfigured:
I beg to disagree. ;-)
> The certificate chain sent by the server consists of 3 certificates
> but not each following certificate directly certifies the one
> preceding it.
> - Certificate[1] and Certificate[2] are identical.
Thanks for that hint!
As I already wrote in
https://gitlab.com/gnutls/gnutls/-/issues/1131#note_46246993, this
happens easily when you switch from an earlier version to acme-tiny
4.x and believe that adding the intermediate certificate twice is "not
a big deal, it should still work fine" (or you haven't noticed that
note on upgrading or the upgrade just happened automatically, etc.)...
Anyway, I just fixed that for https://debian.ethz.ch/ (hopefully
permanently — we'll see on next renewal :-) and also verified that the
breakage is indeed there before I manually removed the second
occurence from the certificate file.
Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnutls-maint/attachments/20201208/83bbfcab/attachment-0001.sig>
More information about the Pkg-gnutls-maint
mailing list