[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Ray Molenkamp ray at lazydodo.com
Fri Oct 1 04:34:33 CEST 2021


For people having SSL issues with Arcanist, the easiest solution is:

1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem

Pay attention to the slightly different filename: it *NEEDS* to be
custom.pem; the original filename cacert.pem will not work.

This should do the trick on all platforms (but it's only been tested
on Linux and Windows).

--Ray

On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
> Hi,
>
> Just a quick memo about the issue of expired Let's Encrypt certificates. It
> might be useful for developers who experience issues with HTTPS connection
> to our servers.
>
> One of the root Let's Encrypt certificates did expire today which affected
> parts of our development infrastructure. In all cases it doesn't seem to be
> an issue with the server configuration but is caused by quirks on the
> client side. We are only aware of issues on Windows.
>
> The Subversion clients did not trust the SSL certificate of
> https://svn.blender.org/. The work-around we did for the builder.blender.org
> was to install the Let’s Encrypt R3 intermediate certificate [1]. This
> "worked (tm)", although ideally intermediate certificates shouldn't need to
> be installed and the system should go by the root CA certificates from the
> Windows Certificates Store.
>
> The Arcanist uses the CURL extension of PHP, and it does not use the
> Windows Certificates Store. The way it was fixed on the buildbot workers
> was by creating a cacert.pem with the "ISRG Root X1" certificate which was
> exported from the Store (and matched the one from Let's Encrypt information
> page [1]).
>
> Our server administrator Danny McGrath also took the liberty of disabling
> TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided that this
> doesn't make matters worse, the changes are likely to be kept.
>
> [1] https://letsencrypt.org/certificates/
>
> Best regards,
> - Your Engineering Team Danny and Sergey -
> --------------------------------------------------------------------
> Sergey Sharybin - sergey at blender.org - www.blender.org
> Principal Software Engineer, Blender
> Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> List details, subscription details or unsubscribe:
> https://lists.blender.org/mailman/listinfo/bf-committers
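
Added example, not part of the thread and not Arcanist code: a PHP script (Arcanist already requires PHP) that audits the bundle copied to custom.pem, listing expired entries and confirming that an unexpired "ISRG Root X1" is present. The script name check_bundle.php and the function names are hypothetical, and PHP's openssl extension is assumed to be enabled.

```php
<?php
// Added example (not Arcanist code): audit the CA bundle used by PHP cURL.
// Usage: php check_bundle.php [arcanist_installation_folder]/resources/ssl/custom.pem

// Parse every certificate block in a PEM bundle into name / expiry pairs.
function bundle_certs(string $path): array {
    $pem = @file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $certs = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            continue; // not a certificate OpenSSL can decode
        }
        $cn = $info['subject']['CN'] ?? $info['name']; // some roots carry no CN
        $certs[] = [
            'cn' => is_array($cn) ? implode(' / ', $cn) : $cn,
            'not_after' => $info['validTo_time_t'],
        ];
    }
    return $certs;
}

// Returns 0 when an unexpired $wanted root is in the bundle, 1 otherwise.
function audit_bundle(string $path, string $wanted = 'ISRG Root X1'): int {
    if (basename($path) !== 'custom.pem') {
        fwrite(STDERR, "warning: per the thread, the file must be named custom.pem\n");
    }
    $now = time();
    $found = false;
    foreach (bundle_certs($path) as $c) {
        $until = gmdate('Y-m-d', $c['not_after']);
        if ($c['not_after'] < $now) {
            echo "EXPIRED  {$c['cn']} (since $until)\n";
        } elseif ($c['cn'] === $wanted) {
            $found = true;
            echo "OK       {$c['cn']} (valid until $until)\n";
        }
    }
    if (!$found) {
        fwrite(STDERR, "missing or expired: $wanted\n");
    }
    return $found ? 0 : 1;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) exit(audit_bundle($argv[1]));
```

A non-zero exit status means the bundle holds no usable "ISRG Root X1", so Let's Encrypt chains will still fail to verify with it.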

