[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Howard Trickey howard.trickey at gmail.com
Sat Oct 2 17:57:58 CEST 2021


Danny,

I am running Ubuntu, version 20.04.02 LTS.
I'm not sure how to update the ca-certificates. I tried:

sudo update-ca-certificates

and it didn't do anything.
Then I tried

sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates

and still no joy. Am I supposed to add some particular certificate to
/etc/ca-certificates.conf?


On Sat, Oct 2, 2021 at 11:19 AM Danny McGrath <dan at blender.org> wrote:

> Hi Howard,
>
> I got the same on Ubuntu until I updated the ca-certificates to the latest
> version.
>
> Does this also work for you?
>
> On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers <
> bf-committers at blender.org> wrote:
>
>> I am getting this error on my Linux:
>>
>> $ git submodule foreach git pull
>> Entering 'release/datafiles/locale'
>> fatal: unable to access 'https://git.blender.org/blender-translations.git/':
>> server certificate verification failed. CAfile: none CRLfile: none
>> fatal: run_command returned non-zero status for release/datafiles/locale
>> .
>>
>> On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers <
>> bf-committers at blender.org> wrote:
>>
>> > Hi,
>> >
>> > Just a heads up that I think I might have solved this server side by
>> > removing the expired CA from the certificate chain.
>> >
>> > I updated git, svn, builder, and developer scripts to remove the
>> > problematic (expired) DST root CA from the web servers. I tried the
>> > certbot --preferred-ca option as well, but it doesn't seem to work,
>> > compared to just removing it from the chain.pem/fullchain.pem files.
>> >
>> > As a test on my Windows 10 machine with TortoiseSVN, it works without
>> > error here. Let me know if it helps or breaks anything!
>> >
>> > On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <
>> > bf-committers at blender.org> wrote:
>> >
>> > > For people having ssl issues with arcanist, the easiest solution is
>> > >
>> > > 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
>> > > 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
>> > >
>> > > Pay attention to the slightly different filename: it *NEEDS* to be
>> > > custom.pem; the original filename cacert.pem will not work.
>> > >
>> > > This should do the trick on all platforms (but it's only been tested
>> > > on Linux and Windows).
>> > >
>> > > --Ray
>> > > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
>> > > > Hi,
>> > > >
>> > > > Just a quick memo about the issue of expired Let's Encrypt
>> > > > certificates. It might be useful for developers who experience
>> > > > issues with HTTPS connections to our servers.
>> > > >
>> > > > One of the root Let's Encrypt certificates expired today, which
>> > > > affected parts of our development infrastructure. In all cases it
>> > > > doesn't seem to be an issue with the server configuration but is
>> > > > caused by quirks on the client side. We are only aware of issues on
>> > > > Windows.
>> > > >
>> > > > The Subversion clients did not trust the SSL certificate of
>> > > > https://svn.blender.org/. The work-around we did for
>> > > > builder.blender.org was to install the Let's Encrypt R3 intermediate
>> > > > certificate [1]. This "worked (tm)", although ideally intermediate
>> > > > certificates shouldn't need to be installed and the system should go
>> > > > by the root CA certificates from the Windows Certificate Store.
>> > > >
>> > > > Arcanist uses the cURL extension of PHP, and it does not use the
>> > > > Windows Certificate Store. The way it was fixed on the buildbot
>> > > > workers was by creating a cacert.pem with the "ISRG Root X1"
>> > > > certificate, which was exported from the Store (and matched the one
>> > > > from the Let's Encrypt information page [1]).
>> > > >
>> > > > Our server administrator Danny McGrath also took the liberty of
>> > > > disabling TLSv1.0 and TLSv1.1 on some of the sites during tests.
>> > > > Provided that this doesn't make matters worse, the changes are likely
>> > > > to be kept.
>> > > >
>> > > > [1] https://letsencrypt.org/certificates/
>> > > >
>> > > > Best regards,
>> > > > - Your Engineering Team Danny and Sergey -
>> > > > --------------------------------------------------------------------
>> > > > Sergey Sharybin - sergey at blender.org - www.blender.org
>> > > > Principal Software Engineer, Blender
>> > > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
>> > > > _______________________________________________
>> > > > Bf-committers mailing list
>> > > > Bf-committers at blender.org
>> > > > List details, subscription details or unsubscribe:
>> > > > https://lists.blender.org/mailman/listinfo/bf-committers
>> > >
>> >
>> >
>> > --
>> > Cheers,
>> > Danny
>> >
>> > -------------------------------------------------
>> > Danny McGrath - dan at blender.org - www.blender.org
>> > System Administrator at Blender
>> > GPG key: 0x696871CA
>> >
>>
>
>
> --
> Cheers,
> Danny
>
> -------------------------------------------------
> Danny McGrath - dan at blender.org - www.blender.org
> System Administrator at Blender
> GPG key: 0x696871CA
>
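
Danny's server-side fix above (dropping the certificate that chains to the expired DST Root CA X3 from chain.pem/fullchain.pem) and Sergey's note that the fix on the client side was to get "ISRG Root X1" into the trust store, modelled as an added Go example; this is not code from the thread or from blender.org's servers. What certbot's default fullchain.pem carried in September 2021 was the leaf, the R3 intermediate, and the ISRG Root X1 certificate cross-signed by DST Root CA X3. That cross-signed certificate was itself still valid, so checking each certificate in the file for expiry finds nothing wrong; a client that cannot reach a currently valid ISRG Root X1 still fails because the only path it can build ends at the expired DST Root CA X3. The program mints locally generated stand-in certificates (the names DST Root CA X3, ISRG Root X1 and R3 are borrowed from the thread; the host name git.example.org and every validity date are assumptions, with the dates only approximating the real ones), verifies the served chain as a client with a single trust anchor would, and rewrites the chain so that it ends at the anchor the client actually has:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

func caTemplate(cn string, serial int64, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from,
		NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// issue signs tmpl with parentKey; pass parent == tmpl for a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// BuildFixture mints local stand-ins for host (not the real certificates; dates only approximate the real ones):
// the legacy root, the self-signed ISRG Root X1, and certbot's 2021 fullchain.pem (leaf + R3 + cross-signed ISRG Root X1).
func BuildFixture(host string) (dst, isrgSelf *x509.Certificate, fullChain []byte) {
	dstKey, isrgKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	dstT := caTemplate("DST Root CA X3", 1, date(2000, 9, 30), time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC))
	dst = issue(dstT, dstT, &dstKey.PublicKey, dstKey)
	isrgT := caTemplate("ISRG Root X1", 2, date(2015, 6, 4), date(2035, 6, 4))
	isrgSelf = issue(isrgT, isrgT, &isrgKey.PublicKey, isrgKey)
	// Same name and key as isrgSelf, signed by the legacy root; valid until 2024 itself, so "openssl x509 -checkend 0" sees nothing expired.
	isrgCross := issue(caTemplate("ISRG Root X1", 3, date(2021, 1, 20), date(2024, 9, 30)), dst, &isrgKey.PublicKey, dstKey)
	r3 := issue(caTemplate("R3", 4, date(2020, 9, 4), date(2025, 9, 15)), isrgSelf, &r3Key.PublicKey, isrgKey)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(5), DNSNames: []string{host}, NotBefore: date(2021, 9, 1),
		NotAfter: date(2021, 11, 30), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return dst, isrgSelf, ToPEM(issue(leafT, r3, &leafKey.PublicKey, r3Key), r3, isrgCross)
}

// ToPEM encodes certificates in the given order, leaf first.
func ToPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// RebuildChain verifies the served bundle as a TLS client holding only root would at time now and returns the bundle
// to serve instead: leaf plus the intermediates needed to reach root (with ISRG Root X1 as root, the cross-sign is dropped).
func RebuildChain(bundle []byte, root *x509.Certificate, host string, now time.Time) ([]byte, error) {
	var leaf *x509.Certificate
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if leaf == nil { // the first certificate in fullchain.pem is the server's own
			leaf = c
		} else {
			inter.AddCert(c)
		}
	}
	if leaf == nil {
		return nil, fmt.Errorf("no certificates in bundle")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host, CurrentTime: now})
	if err != nil {
		return nil, err
	}
	return ToPEM(chains[0][:len(chains[0])-1]...), nil // the trust anchor itself is never served
}

func main() {
	const host = "git.example.org" // hypothetical server name, not a blender.org host
	dst, isrg, fullChain := BuildFixture(host)
	_, legacyErr := RebuildChain(fullChain, dst, host, date(2021, 10, 2))
	fixed, fixErr := RebuildChain(fullChain, isrg, host, date(2021, 10, 2))
	fmt.Printf("trusting only DST Root CA X3: %v\ntrusting ISRG Root X1: %v\nchain to serve:\n%s", legacyErr, fixErr, fixed)
}
```

With the clock set to 2 October 2021, the verification against a store holding only DST Root CA X3 fails with a certificate-expired error, while the rebuild against ISRG Root X1 returns the first two certificates of the original bundle (leaf plus R3), which is exactly what deleting the last certificate from fullchain.pem by hand produces. The same rebuild run with a clock before 30 September returns the original three-certificate bundle unchanged against either anchor, which is why nothing looked wrong until the expiry day.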

