[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Danny McGrath dan at blender.org
Sat Oct 2 14:18:25 CEST 2021


Hi,

Just a heads up that I think I might have solved this server-side by
removing the expired CA from the certificate chain.

I updated git, svn, builder, and developer scripts to remove the
problematic (expired) DST root CA from the web servers. I tried the certbot
--preferred-ca option as well, but it doesn't seem to work, compared to
just removing it from the chain.pem/fullchain.pem files.

As a test on my Windows 10 machine with TortoiseSVN, it works without error
here. Let me know if it helps or breaks anything!

On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <
bf-committers at blender.org> wrote:

> For people having ssl issues with arcanist, the easiest solution is
>
> 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
> 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
>
> Pay attention to the slightly different filename: it *NEEDS* to be
> custom.pem; the original filename cacert.pem will not work.
>
> This should do the trick on all platforms (but it's only been tested
> on Linux and Windows).
>
> --Ray
> On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
> > Hi,
> >
> > Just a quick memo about the issue of expired Let's Encrypt certificates. It
> > might be useful for developers who experience issues with HTTPS connection
> > to our servers.
> >
> > One of the root Let's Encrypt certificates did expire today which affected
> > parts of our development infrastructure. In all cases it doesn't seem to be
> > an issue with the server configuration but is caused by quirks on the
> > client side. We are only aware of issues on Windows.
> >
> > The Subversion clients did not trust the SSL certificate of
> > https://svn.blender.org/. The work-around we did for the builder.blender.org
> > was to install the Let's Encrypt R3 intermediate certificate [1]. This
> > "worked (tm)", although ideally intermediate certificates shouldn't need to
> > be installed and the system should go by the root CA certificates from the
> > Windows Certificates Store.
> >
> > Arcanist uses the cURL extension of PHP, and it does not use the
> > Windows Certificates Store. The way it was fixed on the buildbot workers
> > was by creating a cacert.pem with the "ISRG Root X1" certificate which was
> > exported from the Store (and matched the one from Let's Encrypt information
> > page [1]).
> >
> > Our server administrator Danny McGrath also took the liberty of disabling
> > TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided that this
> > doesn't make matters worse, the changes are likely to be kept.
> >
> > [1] https://letsencrypt.org/certificates/
> >
> > Best regards,
> > - Your Engineering Team Danny and Sergey -
> > --------------------------------------------------------------------
> > Sergey Sharybin - sergey at blender.org - www.blender.org
> > Principal Software Engineer, Blender
> > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
> > _______________________________________________
> > Bf-committers mailing list
> > Bf-committers at blender.org
> > List details, subscription details or unsubscribe:
> > https://lists.blender.org/mailman/listinfo/bf-committers


-- 
Cheers,
Danny

-------------------------------------------------
Danny McGrath - dan at blender.org - www.blender.org
System Administrator at Blender
GPG key: 0x696871CA
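The server-side fix Danny describes above (dropping the expired DST Root CA X3 cross-sign from chain.pem/fullchain.pem) is easy to do by hand once, but it is worth having a repeatable check that tells you which certificate in a served chain has actually expired before you edit anything. The script below is an added example written for this page; it is not blender.org's tooling or a certbot feature. It uses only the Python standard library: a minimal DER walker reads each certificate's notAfter field, and every certificate whose notAfter is in the past is removed from the chain in original order. All function names are the author's own, and the certificates it demonstrates on are constructed, unsigned X.509 stubs built inline (`fake_cert_pem`), not real Let's Encrypt certificates; run it on a real fullchain.pem by passing the path as an argument.

```python
"""Prune expired certificates from a PEM chain file.

Added example, not blender.org's script. Standard library only: a small DER
walker extracts notAfter, so the `cryptography` package is not required.
"""
import datetime as dt
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def cert_not_after(der):
    """Return notAfter of a DER X.509 certificate as an aware UTC datetime.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }
    Validity ::= SEQUENCE { notBefore Time, notAfter Time }
    """
    _, cert, _ = der_tlv(der, 0)
    _, tbs, _ = der_tlv(cert, 0)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                 # skip the explicit [0] version wrapper
        fields = fields[1:]
    validity = fields[3][1]                  # serial, sigalg, issuer, validity
    time_tag, not_after = list(der_children(validity))[1]
    text = not_after.decode("ascii")
    if time_tag == 0x17:                     # UTCTime: YYMMDDHHMMSSZ
        fmt = "%y%m%d%H%M%SZ"
    elif time_tag == 0x18:                   # GeneralizedTime: YYYYMMDDHHMMSSZ
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unexpected Time tag 0x%02x" % time_tag)
    return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)


def prune_expired_chain(pem_text, now=None):
    """Return (kept_pem, dropped_count) with every expired certificate removed."""
    now = now or dt.datetime.now(dt.timezone.utc)
    kept, dropped = [], 0
    for block in PEM_RE.findall(pem_text):
        if cert_not_after(ssl.PEM_cert_to_DER_cert(block)) <= now:
            dropped += 1
        else:
            kept.append(block)
    return "\n".join(kept) + ("\n" if kept else ""), dropped


def der_encode(tag, value):
    """Encode one DER TLV (short or long length form). Used for test data."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def fake_cert_pem(not_after):
    """Constructed test data: a structurally valid, unsigned X.509 stub whose
    notAfter is the given datetime. Not a real certificate."""
    def utc(t):
        return der_encode(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    validity = der_encode(0x30, utc(not_after - dt.timedelta(days=365)) + utc(not_after))
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))  # [0] version v3
                     + der_encode(0x02, b"\x01")                   # serialNumber
                     + der_encode(0x30, b"")                       # signature (empty stub)
                     + der_encode(0x30, b"")                       # issuer (empty stub)
                     + validity
                     + der_encode(0x30, b""))                      # subject (empty stub)
    cert = der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return ssl.DER_cert_to_PEM_cert(cert)


def demo_chain(now_iso="2021-10-02T12:00:00+00:00"):
    """Leaf + intermediate + a root stub dated to expire 30 Sep 2021 (standing in
    for the expired DST Root CA X3). Returns (kept_count, dropped_count)."""
    now = dt.datetime.fromisoformat(now_iso)
    leaf = fake_cert_pem(dt.datetime(2021, 12, 1, tzinfo=dt.timezone.utc))
    intermediate = fake_cert_pem(dt.datetime(2025, 9, 15, tzinfo=dt.timezone.utc))
    old_root = fake_cert_pem(dt.datetime(2021, 9, 30, 14, 1, 15, tzinfo=dt.timezone.utc))
    kept, dropped = prune_expired_chain(leaf + intermediate + old_root, now)
    return kept.count("BEGIN CERTIFICATE"), dropped


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # prune a real fullchain.pem in place
        with open(sys.argv[1]) as f:
            kept, dropped = prune_expired_chain(f.read())
        with open(sys.argv[1], "w") as f:
            f.write(kept)
        print("dropped %d expired certificate(s)" % dropped)
    else:
        print("constructed chain -> kept, dropped:", demo_chain())
```

Two caveats when applying this to a live server. First, certbot already knows how to do this: its option is `--preferred-chain "ISRG Root X1"`, which selects the alternate chain that ends at ISRG Root X1 instead of the cross-signed one; regenerating the chain that way survives renewals, whereas a hand-edited fullchain.pem is overwritten at the next renewal unless a deploy hook reapplies the pruning. Second, pruning only helps clients that already trust ISRG Root X1 in their own store; a client whose trust store never received it still fails, which is the situation the Arcanist and Subversion work-arounds earlier in the thread address on the client side.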