Update resources/ssl/default.pem to the latest available at #259

Closed

@rashkov rashkov commented Sep 30, 2021

Update default.pem to the latest available from https://curl.se/docs/caextract.html

Ideally this PR should not be directly merged but re-created by a trusted maintainer.

The default.pem which is included no longer seems to work for me, for our wildcard Let's Encrypt certificate. I think this may have to do with this recent change: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

The change described in the article above went into effect today 9/30/21 when one of Let's Encrypt's intermediate CAs expired, and consequently my arcanist stopped working today. However, others on my team are not experiencing this problem. It's possible that it's because I'm running a different setup (Linux) and have different versions for various things. All I know is that updating this file fixed it for me.

Before the fix, I was getting this:

-> % arc diff origin/master
 Exception 
[cURL/60] (https://<redacted>/api/user.whoami) <CURLE_SSL_CACERT> There was an error verifying the SSL connection. This usually indicates that the remote host has an SSL certificate for a different domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.
(Run with `--trace` for a full exception trace.)

Further testing with curl also confirmed this:

curl -v --cacert resources/ssl/default.pem https://<redacted>     
                                                                            
*   Trying <redacted>:443...
* Connected to <redacted> (<redacted>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: resources/ssl/default.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
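
An added example, not part of the original comment and not Arcanist code: one way to check whether a CA bundle such as `resources/ssl/default.pem` itself carries certificates whose `notAfter` date has passed, using only Python's standard `ssl` module. The helper names (`load_bundle`, `common_name`, `expired_entries`) and the sample entries are constructed for illustration.

```python
import ssl
import sys
import time


def load_bundle(path):
    """Parse a PEM CA bundle and return one dict per CA certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    # get_ca_certs() only reports certificates OpenSSL treats as CAs.
    return ctx.get_ca_certs()


def common_name(cert):
    """Extract the subject commonName from a get_ca_certs()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def expired_entries(certs, now=None):
    """Return sorted (commonName, notAfter) pairs whose notAfter is before `now`."""
    now = time.time() if now is None else now
    expired = []
    for cert in certs:
        # notAfter uses the "Sep 30 14:01:15 2021 GMT" form.
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append((common_name(cert), cert["notAfter"]))
    return sorted(expired)


# Constructed sample in the shape get_ca_certs() returns (not real bundle data).
SAMPLE = [
    {"subject": ((("organizationName", "Example Trust Co."),),
                 (("commonName", "Example Expired Root"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "Example Current Root"),),),
     "notAfter": "Jun 14 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    # With a path argument, audit that bundle; otherwise use the sample.
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, not_after in expired_entries(certs):
        print(f"EXPIRED  {name}  (notAfter {not_after})")
```

Run it with the bundle path as the only argument to list expired entries before and after replacing the file.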

@epriestley
Member

See https://secure.phabricator.com/book/phabcontrib/article/contributing_code/.

(Phabricator never accepted pull requests.)

@epriestley epriestley closed this Oct 1, 2021
@joker-eph

@epriestley is this in scope of things you still intend to fix though? (you mentioned not accepting contribution, but kind of "keep the light running" if I understood correctly)
