On 1/24/20 11:55 AM, Per Jessen wrote:
Per Jessen wrote:
Per Jessen wrote:
I see the daily fetch from mirrorbrain was stopped, last one was 10/1 - I presume because of the certificate problem?
I was just wondering.
I opened a ticket about 3 weeks ago, but I don't remember disabling the cron-job:
I have installed the Let's Encrypt X3 cross-signed CA - I don't know why the DST CA does not work, but it doesn't.
Is anyone else working on the mirror setup right now? I can tell the cron table was modified on Jan 10, at 0352. I very rarely have reason to be that late/early :-)
I'll ask on IRC too.
It's still a problem?

https://mirrorbrain.org is clearly misconfigured: It fails to send the intermediate CA cert needed by the TLS client to build the CA cert chain up to the pre-installed root cert.

You can check that with

$ openssl s_client -connect mirrorbrain.org:443 -showcerts
CONNECTED(00000003)
depth=0 CN = mirrorbrain.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mirrorbrain.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = mirrorbrain.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

You can use a PEM file containing the CA cert chain, downloaded and concatenated like this:

$ wget -O - https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt > letsencrypt-chain.crt
$ wget -O - https://letsencrypt.org/certs/isrgrootx1.pem.txt >> letsencrypt-chain.crt

Check again, explicitly providing the PEM file with the CA cert chain:

$ openssl s_client -connect mirrorbrain.org:443 -showcerts -CAfile letsencrypt-chain.crt

It's ok if the output ends with "Verify return code: 0 (ok)"

Ciao, Michael.
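An added example, not part of the original message: a small Python parser for the "Certificate chain" section of the `openssl s_client -showcerts` output quoted above, reporting which issuers the server did not send. Both sample outputs are constructed (the second is an assumed view of the same server with the intermediate included), and the function names are this example's own.

```python
import re

# Constructed sample, trimmed from the output quoted in the message above.
LEAF_ONLY = """\
depth=0 CN = mirrorbrain.org
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = mirrorbrain.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""
# Constructed sample (assumption): same server, intermediate included.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:CN = mirrorbrain.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        subj = re.match(r"\s*\d+ s:(.*)", line)
        iss = re.match(r"\s+i:(.*)", line)
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":  # end of the chain section
            break
        elif in_chain and subj:
            subject = subj.group(1).strip()
        elif in_chain and iss and subject is not None:
            chain.append((subject, iss.group(1).strip()))
    return chain

def diagnose(text):
    chain = parse_chain(text)
    sent = {s for s, _ in chain}
    return {
        "sent": len(chain),
        # Issuers not sent: the client needs each in its trust store or -CAfile.
        "unsent_issuers": [i for _, i in chain if i not in sent],
        # Heuristic (assumption): a lone non-self-signed cert means no intermediate.
        "leaf_only": len(chain) == 1 and chain[0][0] != chain[0][1],
        "verify_errors": [int(n) for n in re.findall(r"verify error:num=(\d+):", text)],
    }
```

Saved output from the `openssl s_client` command in the message can be passed to `diagnose()` as a string.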