Ian Kelling wrote:
> Related, on https://savannah.gnu.org/maintenance/Mirmon/ there is a
> broken link, which also has a bad cert
>
> $ curl https://dl.sv.gnu.org/releases-noredirect/00_MIRRORS.html
> curl: (51) SSL: no alternative certificate subject name matches target host name 'dl.sv.gnu.org'

dl.sv is a shortcut DNS name. There are so many of those! Take all of the combinations of gnu and nongnu, of savannah and sv, of dl and download, and then do that for all of the systems since most have short typing aid names, and there are a lot of names! I didn't have them all on download.

I have updated the certificates to include these. These have been missing since February 10, 2020 when things were converted from Certbot to Dehydrated.

    dl.savannah.gnu.org
    dl.savannah.nongnu.org
    dl.sv.gnu.org
    dl.sv.nongnu.org

Those now have been issued certificates and should be working for https now.

> I manually curled 2 of the bad mirrors listed here
> https://download.savannah.gnu.org/mirmon/allgnu/, and there is a cert
> error. I'm pretty sure, the issue is that the ca-certs needs updating on
> the machine running mirmon. The os itself could use an update too. Bob,
> you there?

You are correct. Which becomes a motivation to get off the fallen out of support OS on download0 and over to the newer OS on the new download1 system soonest.

I tried simply upgrading the ca-certificates individually but there is a dependency upon a newer openssl. At which point I stopped because that would open a can of worms of dependencies. Time better spent working on getting onto the newer system.

> Thérèse Godefroy <godef...@free.fr> writes:
> > 8 have been reported off-line for 6 days:
> > https://www.singleboersen.com (http OK)
> > https://mirror.checkdomain.de (http OK)
> > https://www.gutscheinrausch.de (http OK)
> > https://ftp.wrz.de (http OK)
> > https://mirrors.nav.ro (http OK)
> > http://mirror.lihnidos.org
> > https://mirror.us-midwest-1.nexcess.net (http OK)
> > https://mirrors.syringanetworks.net (http OK)

All of those seem to be the outdated CA list and openssl on download0. All but one of the above were issued by Comodo. Which is the mostly common thread among them. They apparently have a newly issued trust anchor.

> > One for 6.8 days:
> > rsync://mirror2.evolution-host.com::gnu
> > One for nearly 99 days:
> > rsync://mirrors.syringanetworks.net/gnu

I don't know. I didn't have time to look at the rsync mirrors. I need to dig more.

> > What's strange is that I can reach all of them from France, except
> > http://mirror.lihnidos.org.

That system is simply down. Can't ping it or get any other life from it.

> > Several rsync mirrors (not only these 2) have been wrongly reported
> > off-line since January 2019, occasionally or almost constantly. But this
> > is the first time I see so many https URLs being unreachable for Mirmon,
> > while they are fine for me.

The CA Certificate Authority trust anchors they are now using are newer than the files available on download0 to validate.

> > Since these https URLs are supposedly off-line, they are not taken into
> > account by the multiplexer. So the load on the other mirrors increases.
> > Right?

There are many mirrors however. The collection of all of them is therefore resilient to a small number of them being offline. At the time I look there are 13 listed offline out of 223 total. That is 6% which leaves 94% of the mirrors online.

> > Is there a way to fix this?

The real answer is the OS upgrade to get the newer openssl and newer ca-certificates package. Ian and I started on this back at LibrePlanet in March. But then other priorities distracted me. I'll get back on the task again.

Bob
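
An added example, not part of the original message and not Savannah's actual configuration: it enumerates the dl/download, savannah/sv, gnu/nongnu name combinations described above and reports which ones no certificate line in a Dehydrated domains.txt covers. The sample file contents and all function names are constructed for illustration.

```python
from itertools import product

# Constructed sample in Dehydrated's domains.txt layout: one certificate per
# line, names separated by whitespace, optional "> alias" suffix, "#" comments.
SAMPLE_DOMAINS_TXT = """\
# constructed example, not the real Savannah configuration
download.savannah.gnu.org download.savannah.nongnu.org download.sv.gnu.org download.sv.nongnu.org > download
"""

def expected_names(hosts, sites, zones):
    """Every host.site.zone combination of the long and short name forms."""
    return {".".join(parts) for parts in product(hosts, sites, zones)}

def parse_domains_txt(text):
    """Return one set of names per certificate line."""
    certs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]   # drop comments
        line = line.split(">", 1)[0]  # drop the optional certificate alias
        names = {n.lower().rstrip(".") for n in line.split()}
        if names:
            certs.append(names)
    return certs

def covered(name, san):
    """True if the certificate name `san` matches `name`."""
    if san.startswith("*."):
        # A wildcard matches exactly one leftmost label.
        head, _, rest = name.partition(".")
        return bool(head) and rest == san[2:]
    return name == san

def missing_names(expected, certs):
    """Expected hostnames that no name on any certificate line covers."""
    all_sans = set().union(*certs)
    return sorted(n for n in expected
                  if not any(covered(n, s) for s in all_sans))

if __name__ == "__main__":
    want = expected_names(["dl", "download"], ["savannah", "sv"],
                          ["gnu.org", "nongnu.org"])
    for name in missing_names(want, parse_domains_txt(SAMPLE_DOMAINS_TXT)):
        print("no certificate covers", name)
```

Run against the real domains.txt after any change of ACME client, a check like this flags alias names that were dropped before a client hits the hostname-mismatch error.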