[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Howard Trickey howard.trickey at gmail.com
Sat Oct 2 18:29:41 CEST 2021


That worked! Thanks, Danny.


On Sat, Oct 2, 2021 at 12:10 PM Danny McGrath <dan at blender.org> wrote:

> Hi Howard,
>
> All I did was
>
>  sudo apt update && sudo apt dist-upgrade
>
> The ca-certificates package was among the updates. After this package
> update, it "just worked" (tm).
>
> On Sat, Oct 2, 2021 at 11:58 AM Howard Trickey <howard.trickey at gmail.com>
> wrote:
>
>> Danny,
>>
>> I am running Ubuntu, version 20.04.02 LTS.
>> I'm not sure how to update the ca-certificates. I tried:
>>
>> sudo update-ca-certificates
>>
>> and it didn't do anything.
>> Then I tried
>>
>> sudo dpkg-reconfigure ca-certificates
>> sudo update-ca-certificates
>>
>> and still no joy. Am I supposed to add some particular certificate to
>> /etc/ca-certificates.conf ?
>>
>>
>> On Sat, Oct 2, 2021 at 11:19 AM Danny McGrath <dan at blender.org> wrote:
>>
>>> Hi Howard,
>>>
>>> I got the same on Ubuntu until I updated the ca-certificates to the
>>> latest version.
>>>
>>> Does this also work for you?
>>>
>>> On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers <
>>> bf-committers at blender.org> wrote:
>>>
>>>> I am getting this error on my Linux:
>>>>
>>>> $ git submodule foreach git pull
>>>> Entering 'release/datafiles/locale'
>>>> fatal: unable to access 'https://git.blender.org/blender-translations.git/':
>>>> server certificate verification failed. CAfile: none CRLfile: none
>>>> fatal: run_command returned non-zero status for release/datafiles/locale
>>>> .
>>>>
>>>> On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers <
>>>> bf-committers at blender.org> wrote:
>>>>
>>>> > Hi,
>>>> >
>>>> > Just a heads up that I think I might have solved this server side by
>>>> > removing the expired CA from the certificate chain.
>>>> >
>>>> > I updated git, svn, builder, and developer scripts to remove the
>>>> > problematic (expired) DST root CA from the web servers. I tried the
>>>> > certbot --preferred-ca option as well, but it doesn't seem to work,
>>>> > compared to just removing it from the chain.pem/fullchain.pem files.
>>>> >
>>>> > As a test on my Windows 10 machine with TortoiseSVN, it works without
>>>> > error here. Let me know if it helps or breaks anything!
>>>> >
>>>> > On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <
>>>> > bf-committers at blender.org> wrote:
>>>> >
>>>> > > For people having ssl issues with arcanist, the easiest solution is
>>>> > >
>>>> > > 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
>>>> > > 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
>>>> > >
>>>> > > Pay attention to the slightly different filename: it *NEEDS* to be
>>>> > > custom.pem; the original filename cacert.pem will not work.
>>>> > >
>>>> > > This should do the trick on all platforms (but it's only been tested
>>>> > > on Linux and Windows).
>>>> > >
>>>> > > --Ray
>>>> > > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
>>>> > > > Hi,
>>>> > > >
>>>> > > > Just a quick memo about the issue of expired Let's Encrypt
>>>> > > > certificates. It might be useful for developers who experience
>>>> > > > issues with HTTPS connection to our servers.
>>>> > > >
>>>> > > > One of the root Let's Encrypt certificates did expire today which
>>>> > > > affected parts of our development infrastructure. In all cases it
>>>> > > > doesn't seem to be an issue with the server configuration but is
>>>> > > > caused by quirks on the client side. We are only aware of issues on
>>>> > > > Windows.
>>>> > > >
>>>> > > > The Subversion clients did not trust the SSL certificate of
>>>> > > > https://svn.blender.org/. The work-around we did for the
>>>> > > > builder.blender.org was to install the Let's Encrypt R3 intermediate
>>>> > > > certificate [1]. This "worked (tm)", although ideally intermediate
>>>> > > > certificates shouldn't need to be installed and the system should go
>>>> > > > by the root CA certificates from the Windows Certificates Store.
>>>> > > >
>>>> > > > The Arcanist uses the CURL extension of PHP, and it does not use the
>>>> > > > Windows Certificates Store. The way it was fixed on the buildbot
>>>> > > > workers was by creating a cacert.pem with the "ISRG Root X1"
>>>> > > > certificate which was exported from the Store (and matched the one
>>>> > > > from Let's Encrypt information page [1]).
>>>> > > >
>>>> > > > Our server administrator Danny McGrath also took the liberty of
>>>> > > > disabling TLSv1.0 and TLSv1.1 on some of the sites during tests.
>>>> > > > Provided that this doesn't make matters worse, the changes are likely
>>>> > > > to be kept.
>>>> > > >
>>>> > > > [1] https://letsencrypt.org/certificates/
>>>> > > >
>>>> > > > Best regards,
>>>> > > > - Your Engineering Team Danny and Sergey -
>>>> > > >
>>>> --------------------------------------------------------------------
>>>> > > > Sergey Sharybin - sergey at blender.org - www.blender.org
>>>> > > > Principal Software Engineer, Blender
>>>> > > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
>>>> > > > _______________________________________________
>>>> > > > Bf-committers mailing list
>>>> > > > Bf-committers at blender.org
>>>> > > > List details, subscription details or unsubscribe:
>>>> > > > https://lists.blender.org/mailman/listinfo/bf-committers
>>>> >
>>>> >
>>>> > --
>>>> > Cheers,
>>>> > Danny
>>>> >
>>>> > -------------------------------------------------
>>>> > Danny McGrath - dan at blender.org - www.blender.org
>>>> > System Administrator at Blender
>>>> > GPG key: 0x696871CA
>>>>
>>>
>>>
>>> --
>>> Cheers,
>>> Danny
>>>
>>> -------------------------------------------------
>>> Danny McGrath - dan at blender.org - www.blender.org
>>> System Administrator at Blender
>>> GPG key: 0x696871CA
>>>
>>
>
> --
> Cheers,
> Danny
>
> -------------------------------------------------
> Danny McGrath - dan at blender.org - www.blender.org
> System Administrator at Blender
> GPG key: 0x696871CA
>
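The server-side fix Danny describes in the quoted thread (removing the expired DST root CA from chain.pem/fullchain.pem) can be scripted: the stdlib-only snippet below walks each certificate in a PEM bundle far enough into the DER to read its notAfter and drops the ones that have expired. This is an added example, not the blender.org servers' own tooling; `prune_expired`, `not_after` and the `sample_cert` fixture builder are names chosen here, and the fixture it builds is a constructed, unsigned stub, not a real certificate.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)  # one PEM block; fullchain.pem holds several

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem_block):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC datetime."""
    der = base64.b64decode(PEM_RE.search(pem_block).group(1))
    _, p, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                           # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        p = end
    for _ in range(3):                               # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                           # validity SEQUENCE
    _, _, p = _tlv(der, p)                           # notBefore, not needed here
    tag, start, end = _tlv(der, p)                   # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def prune_expired(bundle, now=None):
    """Return (kept_pem, dropped_count). `now`: aware datetime, ISO-8601 string, or None for the clock."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    kept, dropped = [], 0
    for m in PEM_RE.finditer(bundle):
        if not_after(m.group(0)) <= now:              # expired: drop it from the chain
            dropped += 1
        else:
            kept.append(m.group(0) + "\n")
    return "".join(kept), dropped

# Short-form DER encoder (bodies < 128 bytes); used only to build the constructed fixture below.
_der = lambda tag, body: bytes([tag, len(body)]) + body
def sample_cert(not_after_utc):
    """Constructed, unsigned, structurally minimal certificate PEM with the given notAfter (fixture only)."""
    utc = lambda s: _der(0x17, s.encode("ascii"))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 2
    tbs += _der(0x30, utc("210901000000Z") + utc(not_after_utc))
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
```

Run it on a copy of fullchain.pem and verify the pruned chain with the web server's usual checks before swapping it in; the leaf must still chain to a root the clients trust.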