That worked! Thanks, Danny.
On Sat, Oct 2, 2021 at 12:10 PM Danny McGrath <d...@blender.org> wrote: > Hi Howard, > > All I did was > > sudo apt update && sudo apt dist-upgrade > > The ca-certificates package was among the updates. After this package > update, it "just worked" (tm). > > On Sat, Oct 2, 2021 at 11:58 AM Howard Trickey <howard.tric...@gmail.com> > wrote: > >> Danny, >> >> I am running Ubuntu, version 20.04.02 LTS. >> I'm not sure how to update the ca-certificates. I tried: >> >> sudo update-ca-certificates >> >> and it didn't do anything. >> Then I tried >> >> sudo dpkg-reconfigure ca-certificates >> sudo update-ca-certificates >> >> and still no joy. Am I supposed to add some particular certificate to >> /etc/ca-certificates.conf ? >> >> >> On Sat, Oct 2, 2021 at 11:19 AM Danny McGrath <d...@blender.org> wrote: >> >>> Hi Howard, >>> >>> I got the same on Ubuntu until I updated the ca-certificates to the >>> latest version. >>> >>> Does this also work for you? >>> >>> On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers < >>> bf-committers@blender.org> wrote: >>> >>>> I am getting this error on my Linux: >>>> >>>> $ git submodule foreach git pull >>>> Entering 'release/datafiles/locale' >>>> fatal: unable to access ' >>>> https://git.blender.org/blender-translations.git/': >>>> server certificate verification failed. CAfile: none CRLfile: none >>>> fatal: run_command returned non-zero status for release/datafiles/locale >>>> . >>>> >>>> On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers < >>>> bf-committers@blender.org> wrote: >>>> >>>> > Hi, >>>> > >>>> > Just a heads up that I think I might have solved this server side by >>>> > removing the expired CA from the certificate chain. >>>> > >>>> > I updated git, svn, builder, and developer scripts to remove the >>>> > problematic (expired) DST root CA from the web servers. I tried the >>>> certbot >>>> > --preferred-ca option as well, but it doesn't seem to work, compared >>>> to >>>> > just removing it from the chain.pem/fullchain.pem files. >>>> > >>>> > As a test on my Windows 10 machine with TortoiseSVN, it works without >>>> error >>>> > here. Let me know if it helps or breaks anything! >>>> > >>>> > On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers < >>>> > bf-committers@blender.org> wrote: >>>> > >>>> > > For people having ssl issues with arcanist, the easiest solution is >>>> > > >>>> > > 1) grab the latest cacert.pem from >>>> https://curl.se/docs/caextract.html >>>> > > 2) copy it to >>>> [arcanist_installation_folder]/resources/ssl/custom.pem >>>> > > >>>> > > Pay attention to the slightly different filename it *NEEDS* to be >>>> > > custom.pem the original filename cacert.pem will not work. >>>> > > >>>> > > This should do the trick on all platforms (but it's only been tested >>>> > > on Linux and Windows). >>>> > > >>>> > > --Ray >>>> > > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote: >>>> > > > Hi, >>>> > > > >>>> > > > Just a quick memo about the issue of expired Let's Encrypt >>>> > certificates. >>>> > > It >>>> > > > might be useful for developers who experience issues with HTTPS >>>> > > connection >>>> > > > to our servers. >>>> > > > >>>> > > > One of the root Let's Encrypt certificates did expire today which >>>> > > affected >>>> > > > parts of our development infrastructure. In all cases it doesn't >>>> seem >>>> > to >>>> > > be >>>> > > > an issue with the server configuration but is caused by quirks on >>>> the >>>> > > > client side. We are only aware of issues on Windows. >>>> > > > >>>> > > > The Subversion clients did not trust the SSL certificate of >>>> > > > https://svn.blender.org/. The work-around we did for the >>>> > > builder.blender.org >>>> > > > was to install the Let’s Encrypt R3 intermediate certificate [1]. >>>> This >>>> > > > "worked (tm)", although ideally intermediate certificates >>>> shouldn't >>>> > need >>>> > > to >>>> > > > be installed and the system should go by the root CA certificates >>>> from >>>> > > the >>>> > > > Windows Certificates Store. >>>> > > > >>>> > > > The Arcanist uses the CURL extension of PHP, and it does not use >>>> the >>>> > > > Windows Certificates Store. The way it was fixed on the buildbot >>>> > workers >>>> > > > was by creating a cacert.pem with the "ISRG Root X1" certificate >>>> which >>>> > > was >>>> > > > exported from the Store (and matched the one from Let's Encrypt >>>> > > information >>>> > > > page [1]). >>>> > > > >>>> > > > Our server administrator Danny McGrath also took the liberty of >>>> > disabling >>>> > > > TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided >>>> that >>>> > this >>>> > > > doesn't make matters worse, the changes are likely to be kept. >>>> > > > >>>> > > > [1] https://letsencrypt.org/certificates/ >>>> > > > >>>> > > > Best regards, >>>> > > > - Your Engineering Team Danny and Sergey - >>>> > > > >>>> -------------------------------------------------------------------- >>>> > > > Sergey Sharybin - ser...@blender.org - www.blender.org >>>> > > > Principal Software Engineer, Blender >>>> > > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands >>>> > > > _______________________________________________ >>>> > > > Bf-committers mailing list >>>> > > > Bf-committers@blender.org >>>> > > > List details, subscription details or unsubscribe: >>>> > > > https://lists.blender.org/mailman/listinfo/bf-committers >>>> > > _______________________________________________ >>>> > > Bf-committers mailing list >>>> > > Bf-committers@blender.org >>>> > > List details, subscription details or unsubscribe: >>>> > > https://lists.blender.org/mailman/listinfo/bf-committers >>>> > > >>>> > >>>> > >>>> > -- >>>> > Cheers, >>>> > Danny >>>> > >>>> > ------------------------------------------------- >>>> > Danny McGrath - d...@blender.org - www.blender.org >>>> > System Administrator at Blender >>>> > GPG key: 0x696871CA >>>> > _______________________________________________ >>>> > Bf-committers mailing list >>>> > Bf-committers@blender.org >>>> > List details, subscription details or unsubscribe: >>>> > https://lists.blender.org/mailman/listinfo/bf-committers >>>> > >>>> _______________________________________________ >>>> Bf-committers mailing list >>>> Bf-committers@blender.org >>>> List details, subscription details or unsubscribe: >>>> https://lists.blender.org/mailman/listinfo/bf-committers >>>> >>> >>> >>> -- >>> Cheers, >>> Danny >>> >>> ------------------------------------------------- >>> Danny McGrath - d...@blender.org - www.blender.org >>> System Administrator at Blender >>> GPG key: 0x696871CA >>> >> > > -- > Cheers, > Danny > > ------------------------------------------------- > Danny McGrath - d...@blender.org - www.blender.org > System Administrator at Blender > GPG key: 0x696871CA > _______________________________________________ Bf-committers mailing list Bf-committers@blender.org List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-committers
