[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#50921: GNU ELPA TLS errors: server is returning chain with expired r
|
From: |
Eric Abrahamsen |
|
Subject: |
bug#50921: GNU ELPA TLS errors: server is returning chain with expired root |
|
Date: |
Thu, 30 Sep 2021 14:03:02 -0700 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) |
John Cummings <john@rootabega.net> writes:
> John Cummings <john@rootabega.net> wrote:
>
>> It appears that elpa.gnu.org is returning a certificate chain referring
>> to a root certificate that expired today. (More info:
>> https://twitter.com/letsencrypt/status/1443621997288767491) I don't know
>> if GnuTLS is supposed to be able to work around this (Firefox seems to, for
>> instance)
>
> One possibility (and note here that I'm clearly not a TLS expert) is that
> Firefox recognizes the intermediate cert "ISRG Root X1" as one that is also
> now a trusted root cert, and so short circuits the rest of the chain,
> ignoring the expired cross-signature. Is this something that is possible
> and desirable to have Emacs do with GnuTLS?
Not only that: I deleted the offending line from my ~/.ssh/known_hosts,
re-accepted the key as valid (of course I have no idea), and attempted
to pull, and it asked me for my Savannah password -- ie, did not go to
my local ssh key.
That really made me wonder -- does that mean we've switched machines
altogether, and the new machines don't have our public keys? I don't
know how all these things work well enough to know what's going on, but
it certainly seems broken.