[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Danny McGrath dan at blender.org
Sat Oct 2 17:19:07 CEST 2021


Hi Howard,

I got the same on Ubuntu until I updated the ca-certificates to the latest
version.

Does this also work for you?

On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers <
bf-committers at blender.org> wrote:

> I am getting this error on my Linux:
>
> $ git submodule foreach git pull
> Entering 'release/datafiles/locale'
> fatal: unable to access 'https://git.blender.org/blender-translations.git/':
> server certificate verification failed. CAfile: none CRLfile: none
> fatal: run_command returned non-zero status for release/datafiles/locale
> .
>
> On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers <
> bf-committers at blender.org> wrote:
>
> > Hi,
> >
> > Just a heads up that I think I might have solved this server side by
> > removing the expired CA from the certificate chain.
> >
> > I updated git, svn, builder, and developer scripts to remove the
> > problematic (expired) DST root CA from the web servers. I tried the certbot
> > --preferred-ca option as well, but it doesn't seem to work, compared to
> > just removing it from the chain.pem/fullchain.pem files.
> >
> > As a test on my Windows 10 machine with TortoiseSVN, it works without error
> > here. Let me know if it helps or breaks anything!
> >
> > On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <
> > bf-committers at blender.org> wrote:
> >
> > > For people having ssl issues with arcanist, the easiest solution is
> > >
> > > 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
> > > 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
> > >
> > > Pay attention to the slightly different filename: it *NEEDS* to be
> > > custom.pem; the original filename cacert.pem will not work.
> > >
> > > This should do the trick on all platforms (but it's only been tested
> > > on Linux and Windows).
> > >
> > > --Ray
> > > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
> > > > Hi,
> > > >
> > > > Just a quick memo about the issue of expired Let's Encrypt certificates.
> > > > It might be useful for developers who experience issues with HTTPS
> > > > connection to our servers.
> > > >
> > > > One of the root Let's Encrypt certificates did expire today which
> > > > affected parts of our development infrastructure. In all cases it doesn't
> > > > seem to be an issue with the server configuration but is caused by quirks
> > > > on the client side. We are only aware of issues on Windows.
> > > >
> > > > The Subversion clients did not trust the SSL certificate of
> > > > https://svn.blender.org/. The work-around we did for the
> > > > builder.blender.org was to install the Let’s Encrypt R3 intermediate
> > > > certificate [1]. This "worked (tm)", although ideally intermediate
> > > > certificates shouldn't need to be installed and the system should go by
> > > > the root CA certificates from the Windows Certificates Store.
> > > >
> > > > The Arcanist uses the CURL extension of PHP, and it does not use the
> > > > Windows Certificates Store. The way it was fixed on the buildbot workers
> > > > was by creating a cacert.pem with the "ISRG Root X1" certificate which
> > > > was exported from the Store (and matched the one from Let's Encrypt
> > > > information page [1]).
> > > >
> > > > Our server administrator Danny McGrath also took the liberty of
> > > > disabling TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided
> > > > that this doesn't make matters worse, the changes are likely to be kept.
> > > >
> > > > [1] https://letsencrypt.org/certificates/
> > > >
> > > > Best regards,
> > > > - Your Engineering Team Danny and Sergey -
> > > > --------------------------------------------------------------------
> > > > Sergey Sharybin - sergey at blender.org - www.blender.org
> > > > Principal Software Engineer, Blender
> > > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
> > > > _______________________________________________
> > > > Bf-committers mailing list
> > > > Bf-committers at blender.org
> > > > List details, subscription details or unsubscribe:
> > > > https://lists.blender.org/mailman/listinfo/bf-committers
> > >
> >
> >
> > --
> > Cheers,
> > Danny
> >
> > -------------------------------------------------
> > Danny McGrath - dan at blender.org - www.blender.org
> > System Administrator at Blender
> > GPG key: 0x696871CA
> >
>


-- 
Cheers,
Danny

-------------------------------------------------
Danny McGrath - dan at blender.org - www.blender.org
System Administrator at Blender
GPG key: 0x696871CA
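
The server-side change described in the thread, dropping a certificate from fullchain.pem, as an added example that is not part of the original messages. It selects the certificate to drop by issuer name; the issuer string "DST Root CA X3", the function names and the sample chain (unsigned certificate skeletons built inline) are assumptions of this example.

```python
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_name(der):
    """Raw DER bytes of the issuer Name in Certificate -> tbsCertificate."""
    _, pos, _ = read_tlv(der, 0)            # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version: step over it
        pos = end
    for _field in ("serialNumber", "signature"):
        _, _, pos = read_tlv(der, pos)      # step over the two fields before issuer
    _, start, end = read_tlv(der, pos)
    return der[start:end]

def strip_issued_by(bundle_pem, issuer_cn):
    """Drop every certificate whose issuer contains issuer_cn; return (bundle, dropped)."""
    kept, dropped = [], 0
    for pem in PEM_RE.findall(bundle_pem):
        if issuer_cn.encode() in issuer_name(ssl.PEM_cert_to_DER_cert(pem)):
            dropped += 1
        else:
            kept.append(pem)
    return "\n".join(kept) + "\n", dropped

# Constructed sample input: certificate skeletons (fields up to issuer only, unsigned).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths suffice for the samples

def skeleton(issuer_cn):
    rdn = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, issuer_cn.encode()))  # CN=...
    name = tlv(0x30, tlv(0x31, rdn))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + name)
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tbs))

# Issuers in chain order: leaf, intermediate, cross-signed root (constructed).
SAMPLE_FULLCHAIN = "".join(skeleton(cn) for cn in ("R3", "ISRG Root X1", "DST Root CA X3"))

if __name__ == "__main__":
    bundle, dropped = strip_issued_by(SAMPLE_FULLCHAIN, "DST Root CA X3")
    print(f"dropped {dropped} certificate(s); {bundle.count('BEGIN CERTIFICATE')} left")
```

Certbot writes a fresh fullchain.pem at each renewal, so a manual edit like this has to be reapplied afterwards, for example from a deploy hook.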

