bug#45358: bootstrap fails due to a certificate mismatch

Sat, 13 Feb 2021 05:01:33 -0800 

I have the same issue.

Some investigations:

   1. I decided to find out the particular command that fails and added
   more debug print:

   diff --git a/bootstrap b/bootstrap
   index 7523f65b4..44c21db23 100755
   --- a/bootstrap
   +++ b/bootstrap
   @@ -749,6 +749,7 @@ download_po_files() {
      domain=$2
      echo "$me: getting translations into $subdir for $domain..."
      cmd=$(printf "$po_download_command_format" "$subdir" "$domain")
   +  echo "$me: going to exec \"$cmd\"..."
      eval "$cmd"
   }

   2. Tried to run:

   $ ./bootstrap
   ./bootstrap: Bootstrapping from checked-out coreutils sources...
   ./bootstrap: consider installing git-merge-changelog from gnulib
   ./bootstrap: getting gnulib files...
   ./bootstrap: getting translations into po/.reference for coreutils...
   ./bootstrap: going to exec "wget --mirror --level=1 -nd -nv -A.po -P
   'po/.reference' https://translationproject.org/latest/coreutils/";...
   ERROR: The certificate of 'translationproject.org' is not trusted.
   ERROR: The certificate of 'translationproject.org' doesn't have a known
   issuer.

   3. Tried to run the command directly, but without `-nv` flag:

   $ wget --mirror --level=1 -nd -v -A.po -P 'po/.reference'
   https://translationproject.org/latest/coreutils/
   --2021-02-13 14:23:35--  https://translationproject.org/latest/coreutils/
   Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
   Resolving translationproject.org (translationproject.org)...
   80.69.83.146, 2a01:7c8:c037:6::20
   Connecting to translationproject.org
(translationproject.org)|80.69.83.146|:443...
   connected.
   ERROR: The certificate of ‘translationproject.org’ is not trusted.
   ERROR: The certificate of ‘translationproject.org’ doesn't have a known
   issuer.

   4. Tried the same with curl:

   $ curl -v https://translationproject.org/latest/coreutils/ -o /dev/null
     % Total    % Received % Xferd  Average Speed   Time    Time     Time
    Current
                                    Dload  Upload   Total   Spent    Left
    Speed
     0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
       0*   Trying 80.69.83.146:443...
   * Connected to translationproject.org (80.69.83.146) port 443 (#0)
   * ALPN, offering h2
   * ALPN, offering http/1.1
   * successfully set certificate verify locations:
   *  CAfile: /etc/ssl/certs/ca-certificates.crt
   *  CApath: none
   } [5 bytes data]
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   } [512 bytes data]
   * TLSv1.3 (IN), TLS handshake, Server hello (2):
   { [93 bytes data]
   * TLSv1.2 (IN), TLS handshake, Certificate (11):
   { [6723 bytes data]
   * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
   { [589 bytes data]
   * TLSv1.2 (IN), TLS handshake, Server finished (14):
   { [4 bytes data]
   * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
   } [70 bytes data]
   * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
   } [1 bytes data]
   * TLSv1.2 (OUT), TLS handshake, Finished (20):
   } [16 bytes data]
   * TLSv1.2 (IN), TLS handshake, Finished (20):
   { [16 bytes data]
   * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
   * ALPN, server did not agree to a protocol
   * Server certificate:
   *  subject: CN=stats.vrijschrift.org
   *  start date: Dec 31 10:34:41 2020 GMT
   *  expire date: Mar 31 10:34:41 2021 GMT
   *  subjectAltName: host "translationproject.org" matched cert's
   "translationproject.org"
   *  issuer: C=US; O=Let's Encrypt; CN=R3
   *  SSL certificate verify ok.
   } [5 bytes data]
   > GET /latest/coreutils/ HTTP/1.1
   > Host: translationproject.org
   > User-Agent: curl/7.75.0
   > Accept: */*
   >
   { [5 bytes data]
   * Mark bundle as not supporting multiuse
   < HTTP/1.1 200 OK
   < Date: Sat, 13 Feb 2021 12:26:00 GMT
   < Server: Apache/2.4.10 (Debian)
   < Vary: Accept-Encoding
   < Transfer-Encoding: chunked
   < Content-Type: text/html;charset=UTF-8
   <
   { [5 bytes data]
   100  8881    0  8881    0     0  16980      0 --:--:-- --:--:-- --:--:--
   16980
   * Connection #0 to host translationproject.org left intact

   5. Trying to export and verify the cert with certtools:

   $ certtool --verbose --verify-profile=high --verify --infile=/tmp/
   stats.vrijschrift.org
   Loaded system trust (139 CAs available)
           Subject: CN=R3,O=Let's Encrypt,C=US
           Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
           Signature algorithm: RSA-SHA256
           Output: Not verified. The certificate is NOT trusted. The
   certificate issuer is unknown.

           Subject: CN=R3,O=Let's Encrypt,C=US
           Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
           Signature algorithm: RSA-SHA256
           Output: Not verified. The certificate is NOT trusted. The
   certificate issuer is unknown.

           Subject: CN=R3,O=Let's Encrypt,C=US
           Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
           Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
           Signature algorithm: RSA-SHA256
           Output: Verified. The certificate is trusted.

           Subject: CN=stats.vrijschrift.org
           Issuer: CN=R3,O=Let's Encrypt,C=US
           Checked against: CN=R3,O=Let's Encrypt,C=US
           Signature algorithm: RSA-SHA256
           Output: Verified. The certificate is trusted.

   Chain verification output: Verified. The certificate is trusted.

   Maybe that "Output: Not verified. The certificate is NOT trusted. The
   certificate issuer is unknown." Is the issue?


Thanks!
Best regards,
Grigorii

Reply via email to