[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#50921: GNU ELPA TLS errors: server is returning chain with expired r
|
From: |
John Cummings |
|
Subject: |
bug#50921: GNU ELPA TLS errors: server is returning chain with expired root |
|
Date: |
Thu, 30 Sep 2021 20:24:28 +0000 |
I'm not sure if we are supposed to report infrastructure problems as Emacs
bugs, but it should be easy to close if not. I, and at least a few others, have
had TLS connection problems to GNU ELPA in the last day or two, with the errors:
|Issued by: R3
|Issued to: CN=elpa.gnu.org
|Hostname: elpa.gnu.org
|Public key: RSA, signature: RSA-SHA256
|Protocol: TLS1.3, key: ECDHE-RSA, cipher: AES-256-GCM, mac: AEAD
|Security level: Medium
|Valid: From 2021-09-28 to 2021-12-27
|
|
|The TLS connection to elpa.gnu.org:443 is insecure for the following
|reasons:
|
|certificate has expired
|certificate could not be verified
It appears that elpa.gnu.org is returning a certificate chain referring to a
root certificate that expired today. (More info:
https://twitter.com/letsencrypt/status/1443621997288767491) I don't know if
GnuTLS is supposed to be able to work around this (Firefox seems to, for
instance), but I think it's a safe bet this is the cause of these connection
errors.
I confirmed the chain that Emacs is seeing a couple ways. In Emacs 28, the
security prompt lets you view certificate details by hitting "d", and in that
window I confirmed it is seeing the root cert "CN=DST Root CA X3,O=Digital
Signature Trust Co."
I also attached the chain I got by running:
openssl s_client -showcerts -servername elpa.gnu.org -connect elpa.gnu.org:443
Thanks!
chain.pem
Description: application/x509-ca-cert
- bug#50921: GNU ELPA TLS errors: server is returning chain with expired root,
John Cummings <=