OCSP server for download.opensuse.org down?
Hi,
Could it be that the OCSP (SSL cert revocation) server for download.opensuse.org is down?
apt, by default, requires OCSP responses and fails to install otherwise (in contrast to browsers, for example), making the repository unavailable for me.
This started this morning (Europe):
Apt error message:
Err:9 https://download.opensuse.org/repositories/home:/phiwag:/edatools/xUbuntu_18... Release Certificate verification failed: The certificate is NOT trusted. The received OCSP status response is invalid. Could not handshake: Error in the certificate verification. [IP: 195.135.221.134 443]
Curl agrees with apt (note the "Invalid OCSP response status: trylater"):
❯ curl --cert-status -sLO --verbose https://download.opensuse.org/repositories/home:/phiwag:/edatools/xUbuntu_18...
* Trying 195.135.221.134:443...
* Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2744 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=opensuse.org
* start date: Apr 27 00:52:15 2021 GMT
* expire date: Jul 26 00:52:15 2021 GMT
* subjectAltName: host "download.opensuse.org" matched cert's "*.opensuse.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Invalid OCSP response status: trylater (3)
* Closing connection 0
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
What's the best way to inform someone who can fix this?
Thanks!
Philipp
Hi,
Seems like this is resolved now, but now the mirrors are out of sync (gwdg is serving badly outdated things). I saw https://progress.opensuse.org/issues/93686 and will report back if things don't go back to normal in the next couple of hours.
Thanks!
Philipp
On 09.06.21 10:27, Philipp Wagner wrote:
Hi,
Could it be that the OCSP (SSL cert revocation) server for download.opensuse.org is down?
apt, by default, requires OCSP responses and fails to install otherwise (in contrast to browsers, for example), making the repository unavailable for me.
This started this morning (Europe):
Apt error message:
Err:9 https://download.opensuse.org/repositories/home:/phiwag:/edatools/xUbuntu_18... Release Certificate verification failed: The certificate is NOT trusted. The received OCSP status response is invalid. Could not handshake: Error in the certificate verification. [IP: 195.135.221.134 443]
Curl agrees with apt (note the "Invalid OCSP response status: trylater"):
❯ curl --cert-status -sLO --verbose https://download.opensuse.org/repositories/home:/phiwag:/edatools/xUbuntu_18...
* Trying 195.135.221.134:443...
* Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2744 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=opensuse.org
* start date: Apr 27 00:52:15 2021 GMT
* expire date: Jul 26 00:52:15 2021 GMT
* subjectAltName: host "download.opensuse.org" matched cert's "*.opensuse.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Invalid OCSP response status: trylater (3)
* Closing connection 0
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]
What's the best way to inform someone who can fix this?
Thanks!
Philipp