On Thu, 4 Jun 2020, Giovanni Biscuolo wrote:
Hello Guix,
--8<---------------cut here---------------end--------------->8---
I'm having a strange error with curl from Guix (on a foreign distro):
--8<---------------cut here---------------start------------->8---
giovanni@roquette: curl -I https://voices.transparency.org
curl: (60) server certificate verification failed. CAfile:
/home/giovanni/.guix-extra-profiles/emacs/emacs/etc/ssl/certs/ca-certificates.crt
CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
--8<---------------cut here---------------end--------------->8---
Giovanni,
I think that this is due to the recent AdTrust Root CA cert expiration
[0]. The error wget gives is a little bit better, but you know about the
situation to interpret it correctly:
"""
$ wget "https://voices.transparency.org"; -O /dev/null
--2020-06-04 10:37:29-- https://voices.transparency.org/
Resolving voices.transparency.org (voices.transparency.org)...
52.4.225.124, 52.4.240.221, 52.1.119.170, ...
Connecting to voices.transparency.org
(voices.transparency.org)|52.4.225.124|:443... connected.
ERROR: The certificate of ‘voices.transparency.org’ is not trusted.
ERROR: The certificate of ‘voices.transparency.org’ has expired.
"""
In my experience, sometimes this cert expiration is easy to miss by site
administrators or others connecting to the site if they have one of the
intermediate certificates in their trust store. Our nss-certs package
tends not to have such intermediates.
Therefore, I think the fix is for voices.transparency.org to update the
certificate chain/bundle that they are sending.
[0] https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT
Best,
Jack
