I see the daily fetch from mirrorbrain was stopped, last one was 10/1 - I presume because of the certificate problem?
I was just wondering.
Per Jessen wrote:
I see the daily fetch from mirrorbrain was stopped, last one was 10/1
- I presume because of the certificate problem?
I was just wondering.
I opened a ticket about 3 weeks ago, but I don't remember disabling the cron-job:
https://progress.opensuse.org/issues/61789
Per Jessen wrote:
Per Jessen wrote:
I see the daily fetch from mirrorbrain was stopped, last one was 10/1
- I presume because of the certificate problem?
I was just wondering.
I opened a ticket about 3 weeks ago, but I don't remember disabling the cron-job:
I have installed the Lets Encrcypt X3 cross-signed CA - I don't know why the DST CA does not work, but it doesn't.
Is anyone else working on the mirror setup right now? I can tell the cron table was modified on Jan 10, at 0352. I very rarely have reason to be that late/early :-)
I'll ask on IRC too.
On 1/24/20 11:55 AM, Per Jessen wrote:
Per Jessen wrote:
Per Jessen wrote:
I see the daily fetch from mirrorbrain was stopped, last one was 10/1
- I presume because of the certificate problem?
I was just wondering.
I opened a ticket about 3 weeks ago, but I don't remember disabling the cron-job:
I have installed the Lets Encrcypt X3 cross-signed CA - I don't know why the DST CA does not work, but it doesn't.
Is anyone else working on the mirror setup right now? I can tell the cron table was modified on Jan 10, at 0352. I very rarely have reason to be that late/early :-)
I'll ask on IRC too.
It's still a problem?
https://mirrorbrain.org is clearly misconfigured: It lacks to send the intermediate CA cert needed by the TLS client to build the CA cert chain up to pre-installed root cert.
You can check that with
$ openssl s_client -connect mirrorbrain.org:443 -showcerts CONNECTED(00000003) depth=0 CN = mirrorbrain.org verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = mirrorbrain.org verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:CN = mirrorbrain.org i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
You can use a PEM file containing the CA cert chain downloaded and concatenated like this:
$ wget -O - https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
letsencrypt-chain.crt
$ wget -O - https://letsencrypt.org/certs/isrgrootx1.pem.txt >> letsencrypt-chain.crt
Check again with explicitly providing the PEM file with CA cert chain:
$ openssl s_client -connect mirrorbrain.org:443 -showcerts -CAfile letsencrypt-chain.crt
It's ok if the output ends with "Verify return code: 0 (ok)"
Ciao, Michael.
Michael Strc3b6der wrote:
On 1/24/20 11:55 AM, Per Jessen wrote:
Per Jessen wrote:
Per Jessen wrote:
I see the daily fetch from mirrorbrain was stopped, last one was 10/1 - I presume because of the certificate problem?
I was just wondering.
I opened a ticket about 3 weeks ago, but I don't remember disabling the cron-job:
I have installed the Lets Encrcypt X3 cross-signed CA - I don't know why the DST CA does not work, but it doesn't.
Is anyone else working on the mirror setup right now? I can tell the cron table was modified on Jan 10, at 0352. I very rarely have reason to be that late/early :-)
I'll ask on IRC too.
It's still a problem?
No, I installed the LE X3 cross-signed CA and it's working.
https://mirrorbrain.org is clearly misconfigured: It lacks to send the intermediate CA cert needed by the TLS client to build the CA cert chain up to pre-installed root cert.
[snip]
Ciao, Michael.
Thanks for explaining that - I was loosing my last hair trying to figure it out.
Am January 24, 2020 9:13:07 AM UTC schrieb Per Jessen per@opensuse.org:
I see the daily fetch from mirrorbrain was stopped, last one was 10/1 - I presume because of the certificate problem?
I was just wondering.
That was probably me, sorry. The mirror setup (pontifex, mirrordb*, provo-mirror, ...) is currently very noisy on admin-auto. As the job had a known problem, I disabled it.
Sorry for not notifying you in advance. I was just doing this while debugging something else - and forgot about this later... :-(
Lars
Lars Vogdt wrote:
Am January 24, 2020 9:13:07 AM UTC schrieb Per Jessen per@opensuse.org:
I see the daily fetch from mirrorbrain was stopped, last one was 10/1
- I presume because of the certificate problem?
I was just wondering.
That was probably me, sorry. The mirror setup (pontifex, mirrordb*, provo-mirror, ...) is currently very noisy on admin-auto. As the job had a known problem, I disabled it.
Sorry for not notifying you in advance. I was just doing this while debugging something else - and forgot about this later... :-(
No big deal, I just couldn't remember if I'd done it myself :-)
In fact, it was probably a Good Thing(R) because it made me look at tha routeviews process - only to find out it hasn't been working for a while :-(
Am January 25, 2020 6:59:10 PM UTC schrieb Per Jessen per@opensuse.org:
No big deal, I just couldn't remember if I'd done it myself :-)
Thanks for your understanding.
I'm still sorry for this, especially as I'm currently still concentrating on other things that are not related to the mirroring. There is a lot of movement in many areas - and I tend to forget to write down what happened at the end of my (evening ;-) activities.
But I hope not to forget too much, when I send the next "work reports" to this list in a few days.
Regards, Lars
-
Lars Vogdt -
Michael Ströder -
Per Jessen