[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Danny McGrath dan at blender.org
Sat Oct 2 18:09:57 CEST 2021


Hi Howard,

All I did was

 sudo apt update && sudo apt dist-upgrade

The ca-certificates package was among the updates. After this package
update, it "just worked" (tm).

On Sat, Oct 2, 2021 at 11:58 AM Howard Trickey <howard.trickey at gmail.com>
wrote:

> Danny,
>
> I am running Ubuntu, version 20.04.02 LTS.
> I'm not sure how to update the ca-certificates. I tried:
>
> sudo update-ca-certificates
>
> and it didn't do anything.
> Then I tried
>
> sudo dpkg-reconfigure ca-certificates
> sudo update-ca-certificates
>
> and still no joy. Am I supposed to add some particular certificate to
> /etc/ca-certificates.conf ?
>
>
> On Sat, Oct 2, 2021 at 11:19 AM Danny McGrath <dan at blender.org> wrote:
>
>> Hi Howard,
>>
>> I got the same on Ubuntu until I updated the ca-certificates to the
>> latest version.
>>
>> Does this also work for you?
>>
>> On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers <
>> bf-committers at blender.org> wrote:
>>
>>> I am getting this error on my Linux:
>>>
>>> $ git submodule foreach git pull
>>> Entering 'release/datafiles/locale'
>>> fatal: unable to access 'https://git.blender.org/blender-translations.git/':
>>> server certificate verification failed. CAfile: none CRLfile: none
>>> fatal: run_command returned non-zero status for release/datafiles/locale.
>>>
>>> On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers <
>>> bf-committers at blender.org> wrote:
>>>
>>> > Hi,
>>> >
>>> > Just a heads up that I think I might have solved this server side by
>>> > removing the expired CA from the certificate chain.
>>> >
>>> > I updated git, svn, builder, and developer scripts to remove the
>>> > problematic (expired) DST root CA from the web servers. I tried the
>>> > certbot --preferred-ca option as well, but it doesn't seem to work,
>>> > compared to just removing it from the chain.pem/fullchain.pem files.
>>> >
>>> > As a test on my Windows 10 machine with TortoiseSVN, it works without
>>> > error here. Let me know if it helps or breaks anything!
>>> >
>>> > On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <
>>> > bf-committers at blender.org> wrote:
>>> >
>>> > > For people having ssl issues with arcanist, the easiest solution is
>>> > >
>>> > > 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
>>> > > 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
>>> > >
>>> > > Pay attention to the slightly different filename: it *NEEDS* to be
>>> > > custom.pem; the original filename cacert.pem will not work.
>>> > >
>>> > > This should do the trick on all platforms (but it's only been tested
>>> > > on Linux and Windows).
>>> > >
>>> > > --Ray
>>> > > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
>>> > > > Hi,
>>> > > >
>>> > > > Just a quick memo about the issue of expired Let's Encrypt
>>> > > > certificates. It might be useful for developers who experience
>>> > > > issues with HTTPS connection to our servers.
>>> > > >
>>> > > > One of the root Let's Encrypt certificates did expire today which
>>> > > > affected parts of our development infrastructure. In all cases it
>>> > > > doesn't seem to be an issue with the server configuration but is
>>> > > > caused by quirks on the client side. We are only aware of issues on
>>> > > > Windows.
>>> > > >
>>> > > > The Subversion clients did not trust the SSL certificate of
>>> > > > https://svn.blender.org/. The work-around we did for the
>>> > > > builder.blender.org was to install the Let’s Encrypt R3 intermediate
>>> > > > certificate [1]. This "worked (tm)", although ideally intermediate
>>> > > > certificates shouldn't need to be installed and the system should go
>>> > > > by the root CA certificates from the Windows Certificates Store.
>>> > > >
>>> > > > The Arcanist uses the CURL extension of PHP, and it does not use the
>>> > > > Windows Certificates Store. The way it was fixed on the buildbot
>>> > > > workers was by creating a cacert.pem with the "ISRG Root X1"
>>> > > > certificate which was exported from the Store (and matched the one
>>> > > > from Let's Encrypt information page [1]).
>>> > > >
>>> > > > Our server administrator Danny McGrath also took the liberty of
>>> > > > disabling TLSv1.0 and TLSv1.1 on some of the sites during tests.
>>> > > > Provided that this doesn't make matters worse, the changes are likely
>>> > > > to be kept.
>>> > > >
>>> > > > [1] https://letsencrypt.org/certificates/
>>> > > >
>>> > > > Best regards,
>>> > > > - Your Engineering Team Danny and Sergey -
>>> > > >
>>> > > > --------------------------------------------------------------------
>>> > > > Sergey Sharybin - sergey at blender.org - www.blender.org
>>> > > > Principal Software Engineer, Blender
>>> > > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
>>> > > > _______________________________________________
>>> > > > Bf-committers mailing list
>>> > > > Bf-committers at blender.org
>>> > > > List details, subscription details or unsubscribe:
>>> > > > https://lists.blender.org/mailman/listinfo/bf-committers
>>> > >
>>>
>>
>>
>

-- 
Cheers,
Danny

-------------------------------------------------
Danny McGrath - dan at blender.org - www.blender.org
System Administrator at Blender
GPG key: 0x696871CA
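Two things in this thread come down to the same check: Danny's server-side fix of dropping the expired DST root from chain.pem/fullchain.pem, and the client-side question of whether a local ca-certificates bundle still carries an expired root. The following shell function is an added example, not code from the thread or from blender.org; it assumes only the openssl CLI and a PEM bundle path, and it splits the bundle into individual certificates, drops every certificate that is expired (or that expires within an optional grace window in seconds), and writes the survivors to stdout while naming each dropped certificate on stderr. The grace window and the helper names (prune_expired_pem, count_pem_certs) are my choice for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): prune expired certificates from a PEM
# bundle such as fullchain.pem or /etc/ssl/certs/ca-certificates.crt.
# Requires the openssl CLI. Usage:
#   prune_expired_pem fullchain.pem > fullchain.clean.pem
#   prune_expired_pem fullchain.pem 604800   # also drop certs expiring within 7 days

# prune_expired_pem <bundle.pem> [seconds]
#   Prints the surviving PEM blocks to stdout; reports dropped ones on stderr.
prune_expired_pem() {
    bundle=$1
    window=${2:-0}                      # 0 = only drop already-expired certs
    tmp=$(mktemp -d) || return 1

    # Split the bundle into one file per certificate block (portable awk).
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        n                             { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
    ' "$bundle"

    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || break            # empty bundle: glob did not expand
        subject=$(openssl x509 -in "$f" -noout -subject)
        # -checkend N exits 0 if the cert is still valid N seconds from now.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            cat "$f"
        else
            printf 'dropping expired/expiring: %s\n' "$subject" >&2
        fi
    done
    rm -rf "$tmp"
}

# count_pem_certs <file>  -> number of certificate blocks in the file
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}
```

Run it against a copy of the chain, diff the result with the original, and only then swap the file in; on the client side the durable fix remains the one Danny used (update the ca-certificates package), and this check just tells you whether a bundle still contains the expired root or whether a served chain still hands it to clients.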

