Danny, I am running Ubuntu, version 20.04.02 LTS. I'm not sure how to update the ca-certificates. I tried:
sudo update-ca-certificates and it didn't do anything. Then I tried sudo dpkg-reconfigure ca-certificates sudo update-ca-certificates and still no joy. Am I supposed to add some particular certificate to /etc/ca-certificates.conf ? On Sat, Oct 2, 2021 at 11:19 AM Danny McGrath <d...@blender.org> wrote: > Hi Howard, > > I got the same on Ubuntu until I updated the ca-certificates to the latest > version. > > Does this also work for you? > > On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers < > bf-committers@blender.org> wrote: > >> I am getting this error on my Linux: >> >> $ git submodule foreach git pull >> Entering 'release/datafiles/locale' >> fatal: unable to access ' >> https://git.blender.org/blender-translations.git/': >> server certificate verification failed. CAfile: none CRLfile: none >> fatal: run_command returned non-zero status for release/datafiles/locale >> . >> >> On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers < >> bf-committers@blender.org> wrote: >> >> > Hi, >> > >> > Just a heads up that I think I might have solved this server side by >> > removing the expired CA from the certificate chain. >> > >> > I updated git, svn, builder, and developer scripts to remove the >> > problematic (expired) DST root CA from the web servers. I tried the >> certbot >> > --preferred-ca option as well, but it doesn't seem to work, compared to >> > just removing it from the chain.pem/fullchain.pem files. >> > >> > As a test on my Windows 10 machine with TortoiseSVN, it works without >> error >> > here. Let me know if it helps or breaks anything! >> > >> > On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers < >> > bf-committers@blender.org> wrote: >> > >> > > For people having ssl issues with arcanist, the easiest solution is >> > > >> > > 1) grab the latest cacert.pem from >> https://curl.se/docs/caextract.html >> > > 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem >> > > >> > > Pay attention to the slightly different filename it *NEEDS* to be >> > > custom.pem the original filename cacert.pem will not work. >> > > >> > > This should do the trick on all platforms (but it's only been tested >> > > on Linux and Windows). >> > > >> > > --Ray >> > > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote: >> > > > Hi, >> > > > >> > > > Just a quick memo about the issue of expired Let's Encrypt >> > certificates. >> > > It >> > > > might be useful for developers who experience issues with HTTPS >> > > connection >> > > > to our servers. >> > > > >> > > > One of the root Let's Encrypt certificates did expire today which >> > > affected >> > > > parts of our development infrastructure. In all cases it doesn't >> seem >> > to >> > > be >> > > > an issue with the server configuration but is caused by quirks on >> the >> > > > client side. We are only aware of issues on Windows. >> > > > >> > > > The Subversion clients did not trust the SSL certificate of >> > > > https://svn.blender.org/. The work-around we did for the >> > > builder.blender.org >> > > > was to install the Let’s Encrypt R3 intermediate certificate [1]. >> This >> > > > "worked (tm)", although ideally intermediate certificates shouldn't >> > need >> > > to >> > > > be installed and the system should go by the root CA certificates >> from >> > > the >> > > > Windows Certificates Store. >> > > > >> > > > The Arcanist uses the CURL extension of PHP, and it does not use the >> > > > Windows Certificates Store. The way it was fixed on the buildbot >> > workers >> > > > was by creating a cacert.pem with the "ISRG Root X1" certificate >> which >> > > was >> > > > exported from the Store (and matched the one from Let's Encrypt >> > > information >> > > > page [1]). >> > > > >> > > > Our server administrator Danny McGrath also took the liberty of >> > disabling >> > > > TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided that >> > this >> > > > doesn't make matters worse, the changes are likely to be kept. >> > > > >> > > > [1] https://letsencrypt.org/certificates/ >> > > > >> > > > Best regards, >> > > > - Your Engineering Team Danny and Sergey - >> > > > -------------------------------------------------------------------- >> > > > Sergey Sharybin - ser...@blender.org - www.blender.org >> > > > Principal Software Engineer, Blender >> > > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands >> > > > _______________________________________________ >> > > > Bf-committers mailing list >> > > > Bf-committers@blender.org >> > > > List details, subscription details or unsubscribe: >> > > > https://lists.blender.org/mailman/listinfo/bf-committers >> > > _______________________________________________ >> > > Bf-committers mailing list >> > > Bf-committers@blender.org >> > > List details, subscription details or unsubscribe: >> > > https://lists.blender.org/mailman/listinfo/bf-committers >> > > >> > >> > >> > -- >> > Cheers, >> > Danny >> > >> > ------------------------------------------------- >> > Danny McGrath - d...@blender.org - www.blender.org >> > System Administrator at Blender >> > GPG key: 0x696871CA >> > _______________________________________________ >> > Bf-committers mailing list >> > Bf-committers@blender.org >> > List details, subscription details or unsubscribe: >> > https://lists.blender.org/mailman/listinfo/bf-committers >> > >> _______________________________________________ >> Bf-committers mailing list >> Bf-committers@blender.org >> List details, subscription details or unsubscribe: >> https://lists.blender.org/mailman/listinfo/bf-committers >> > > > -- > Cheers, > Danny > > ------------------------------------------------- > Danny McGrath - d...@blender.org - www.blender.org > System Administrator at Blender > GPG key: 0x696871CA > _______________________________________________ Bf-committers mailing list Bf-committers@blender.org List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-committers
