[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Howard Trickey howard.trickey at gmail.com
Sat Oct 2 15:50:02 CEST 2021


I am getting this error on my Linux:

$ git submodule foreach git pull
Entering 'release/datafiles/locale'
fatal: unable to access 'https://git.blender.org/blender-translations.git/':
server certificate verification failed. CAfile: none CRLfile: none
fatal: run_command returned non-zero status for release/datafiles/locale
.

On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers <
bf-committers at blender.org> wrote:

> Hi,
>
> Just a heads up that I think I might have solved this server side by
> removing the expired CA from the certificate chain.
>
> I updated git, svn, builder, and developer scripts to remove the
> problematic (expired) DST root CA from the web servers. I tried the certbot
> --preferred-ca option as well, but it doesn't seem to work, compared to
> just removing it from the chain.pem/fullchain.pem files.
>
> As a test on my Windows 10 machine with TortoiseSVN, it works without error
> here. Let me know if it helps or breaks anything!
>
> On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <
> bf-committers at blender.org> wrote:
>
> > For people having ssl issues with arcanist, the easiest solution is
> >
> > 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
> > 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
> >
> > Pay attention to the slightly different filename: it *NEEDS* to be
> > custom.pem; the original filename cacert.pem will not work.
> >
> > This should do the trick on all platforms (but it's only been tested
> > on Linux and Windows).
> >
> > --Ray
> > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
> > > Hi,
> > >
> > > Just a quick memo about the issue of expired Let's Encrypt
> > > certificates. It might be useful for developers who experience
> > > issues with HTTPS connection to our servers.
> > >
> > > One of the root Let's Encrypt certificates did expire today which
> > > affected parts of our development infrastructure. In all cases it
> > > doesn't seem to be an issue with the server configuration but is
> > > caused by quirks on the client side. We are only aware of issues on
> > > Windows.
> > >
> > > The Subversion clients did not trust the SSL certificate of
> > > https://svn.blender.org/. The work-around we did for the
> > > builder.blender.org was to install the Let’s Encrypt R3 intermediate
> > > certificate [1]. This "worked (tm)", although ideally intermediate
> > > certificates shouldn't need to be installed and the system should go
> > > by the root CA certificates from the Windows Certificates Store.
> > >
> > > The Arcanist uses the CURL extension of PHP, and it does not use the
> > > Windows Certificates Store. The way it was fixed on the buildbot
> > > workers was by creating a cacert.pem with the "ISRG Root X1"
> > > certificate which was exported from the Store (and matched the one
> > > from Let's Encrypt information page [1]).
> > >
> > > Our server administrator Danny McGrath also took the liberty of
> > > disabling TLSv1.0 and TLSv1.1 on some of the sites during tests.
> > > Provided that this doesn't make matters worse, the changes are likely
> > > to be kept.
> > >
> > > [1] https://letsencrypt.org/certificates/
> > >
> > > Best regards,
> > > - Your Engineering Team Danny and Sergey -
> > > --------------------------------------------------------------------
> > > Sergey Sharybin - sergey at blender.org - www.blender.org
> > > Principal Software Engineer, Blender
> > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
> > > _______________________________________________
> > > Bf-committers mailing list
> > > Bf-committers at blender.org
> > > List details, subscription details or unsubscribe:
> > > https://lists.blender.org/mailman/listinfo/bf-committers
> >
>
>
> --
> Cheers,
> Danny
>
> -------------------------------------------------
> Danny McGrath - dan at blender.org - www.blender.org
> System Administrator at Blender
> GPG key: 0x696871CA
>

