[Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers

Sergey Sharybin sergey at blender.org
Thu Sep 30 21:06:58 CEST 2021


Just a quick memo about the issue of expired Let's Encrypt certificates. It
might be useful for developers who experience issues with HTTPS connections
to our servers.

One of the root Let's Encrypt certificates did expire today, which affected
parts of our development infrastructure. In all cases it doesn't seem to be
an issue with the server configuration but is caused by quirks on the
client side. We are only aware of issues on Windows.

The Subversion clients did not trust the SSL certificate of
https://svn.blender.org/. The work-around we did for the builder.blender.org
was to install the Let’s Encrypt R3 intermediate certificate [1]. This
"worked (tm)", although ideally intermediate certificates shouldn't need to
be installed and the system should go by the root CA certificates from the
Windows Certificates Store.

The Arcanist uses the CURL extension of PHP, and it does not use the
Windows Certificates Store. The way it was fixed on the buildbot workers
was by creating a cacert.pem with the "ISRG Root X1" certificate which was
exported from the Store (and matched the one from Let's Encrypt information
page [1]).

Our server administrator Danny McGrath also took the liberty of disabling
TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided that this
doesn't make matters worse, the changes are likely to be kept.

[1] https://letsencrypt.org/certificates/

Best regards,
- Your Engineering Team Danny and Sergey -
Sergey Sharybin - sergey at blender.org - www.blender.org
Principal Software Engineer, Blender
Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
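
The cacert.pem step described in the message, as an added PowerShell example that is not part of the original message or Blender's own tooling: it exports ISRG Root X1 from the Windows store only after checking its validity window and comparing it with a reference copy downloaded from the Let's Encrypt page [1]. The two file paths and the php.ini wiring in the last comment are assumptions.

```powershell
# Added example, not from the original message. Both paths are hypothetical.
$RefFile = 'C:\certs\isrgrootx1.pem'   # reference copy downloaded from [1]
$OutFile = 'C:\certs\cacert.pem'       # bundle handed to PHP's cURL extension
$now     = Get-Date

# 1. Locate ISRG Root X1 in the machine and user trusted-root stores.
$root = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -match 'CN=ISRG Root X1' } |
    Select-Object -First 1
if (-not $root) { throw 'ISRG Root X1 is not in the Windows trusted-root stores.' }

# 2. Refuse to export a certificate that is outside its validity window.
if ($now -lt $root.NotBefore -or $now -gt $root.NotAfter) {
    throw "Store copy is not currently valid (NotAfter: $($root.NotAfter))."
}

# 3. Compare the DER bytes of the store copy with the reference copy.
$ref     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RefFile
$rootB64 = [Convert]::ToBase64String($root.RawData)
if ($rootB64 -cne [Convert]::ToBase64String($ref.RawData)) {
    throw "Store copy ($($root.Thumbprint)) differs from reference ($($ref.Thumbprint))."
}

# 4. Write the certificate as PEM with 64-column base64 lines.
$body = $rootB64 -split '(.{64})' | Where-Object { $_ }
$pem  = @('-----BEGIN CERTIFICATE-----') + $body + @('-----END CERTIFICATE-----')
Set-Content -Path $OutFile -Value $pem -Encoding ascii

# 5. Diagnostic only: list roots in the machine store that have already expired.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt $now } |
    Sort-Object NotAfter |
    Format-Table NotAfter, Thumbprint, Subject -AutoSize

# Assumed wiring for PHP (php.ini), not stated in the message:
#   curl.cainfo = "C:\certs\cacert.pem"
```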
