NET::ERR_CERT_AUTHORITY_INVALID #5550

Closed
doctor-pi opened this issue May 14, 2023 · 8 comments

@doctor-pi

The command opam update does not work and the site https://opam.ocaml.org/ fails to load on https because of the following certificate issue: NET::ERR_CERT_AUTHORITY_INVALID.

@dbuenzli
Contributor

dbuenzli commented May 14, 2023

That's likely an issue with the certificates that are installed on your machine.

@doctor-pi
Author

> That's likely an issue with the certificates that are installed on your machine.

I don't think so, it also fails on my phone.

The certificate seems misconfigured?

@dbuenzli
Contributor

Strange. I can both do an opam update and access https://opam.ocaml.org/ from my web browser here.

@doctor-pi
Author

I get the error: Verification error: self signed certificate

 ❯ openssl s_client -connect opam.ocaml.org:443
 
CONNECTED(00000005)
---
Certificate chain
 0 s:C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = scw-serene-panini, emailAddress = root@scw-serene-panini
   i:C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = scw-serene-panini, emailAddress = root@scw-serene-panini
---
Server certificate
subject=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = scw-serene-panini, emailAddress = root@scw-serene-panini

issuer=C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = scw-serene-panini, emailAddress = root@scw-serene-panini

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1728 bytes and written 442 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2EAEE29311EEB4912BDF7E5919A3FD570761030409C9DCB8350F42690A70B072
    Session-ID-ctx: 
    Master-Key: F369843BB3459028268ECC92D9DEA712E7499D17D0EFE0749C6200278454376BFEF6887EC09F1B637A0F99254FB3ECA7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1684088058
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---

@dbuenzli
Contributor

It may be an ipv6 issue:

https://www.ssllabs.com/ssltest/analyze.html?d=opam.ocaml.org

@doctor-pi
Author

Yes. I was able to connect using a mobile network just now...

@hannesm
Member

hannesm commented May 15, 2023

There's a similar report at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271418 -- maybe something @mtelvers needs to look into (excuse me if I'm wrong, but I remember he's maintaining the opam.ocaml.org infrastructure)

@mtelvers

It looks like the IPv6 addresses have been changed by Scaleway. @avsm will need to update the DNS records. ocaml/infrastructure#42
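
The diagnosis reached in this thread (a valid certificate on one address family, a self-signed one on the other) can be checked directly by handshaking with each resolved address separately. The following is an added example, not part of the original issue or of opam's code; the function names and the `SAMPLE` addresses (documentation ranges) are constructed for illustration.

```python
import socket
import ssl
import sys

# Constructed sample mirroring the thread: IPv4 validates, IPv6 does not.
SAMPLE = [
    ("IPv4", "192.0.2.10", None),
    ("IPv6", "2001:db8::10", "self signed certificate"),
]

def probe(host, port=443, timeout=5.0):
    """Handshake with every A/AAAA address of host, validating against the
    system trust store with SNI and hostname checking enabled.
    Returns a list of (family, ip, error_or_None)."""
    ctx = ssl.create_default_context()
    results, seen = [], set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in seen:
            continue
        seen.add(ip)
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results.append((label, ip, None))
        except ssl.SSLCertVerificationError as exc:
            results.append((label, ip, exc.verify_message))
        except OSError as exc:  # refused, no route, other TLS failure
            results.append((label, ip, "unreachable: %s" % exc))
    return results

def stale_families(results):
    """Families where every address failed while another family validated.
    If nothing validated at all, the client trust store or the server as a
    whole is the more likely cause, so nothing is flagged."""
    ok = {fam for fam, _, err in results if err is None}
    bad = {fam for fam, _, err in results if err is not None}
    return sorted(bad - ok) if ok else []

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    results = probe(host) if host else SAMPLE
    for fam, ip, err in results:
        print(f"{fam:5} {ip:40} {err or 'certificate OK'}")
    print("suspect DNS records for:", stale_families(results) or "none")
```

Run with a hostname as the only argument to probe live addresses; without one it prints the constructed sample.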
