help-guix

Re: curl server certificate verification failed for a few sites


From: Jack Hill
Subject: Re: curl server certificate verification failed for a few sites
Date: Thu, 4 Jun 2020 10:40:55 -0400 (EDT)
User-agent: Alpine 2.20 (DEB 67 2015-01-07)

On Thu, 4 Jun 2020, Giovanni Biscuolo wrote:

Hello Guix,

I'm having a strange error with curl from Guix (on a foreign distro):

--8<---------------cut here---------------start------------->8---
giovanni@roquette: curl -I https://voices.transparency.org
curl: (60) server certificate verification failed. CAfile: /home/giovanni/.guix-extra-profiles/emacs/emacs/etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
--8<---------------cut here---------------end--------------->8---

Giovanni,

I think that this is due to the recent AddTrust Root CA cert expiration [0]. The error wget gives is a little bit better, but you need to know about the situation to interpret it correctly:

"""
$ wget "https://voices.transparency.org" -O /dev/null
--2020-06-04 10:37:29--  https://voices.transparency.org/
Resolving voices.transparency.org (voices.transparency.org)... 52.4.225.124, 52.4.240.221, 52.1.119.170, ...
Connecting to voices.transparency.org (voices.transparency.org)|52.4.225.124|:443... connected.
ERROR: The certificate of ‘voices.transparency.org’ is not trusted.
ERROR: The certificate of ‘voices.transparency.org’ has expired.
"""

In my experience, sometimes this cert expiration is easy to miss by site administrators or others connecting to the site if they have one of the intermediate certificates in their trust store. Our nss-certs package tends not to have such intermediates.

Therefore, I think the fix is for voices.transparency.org to update the certificate chain/bundle that they are sending.

[0] https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

Best,
Jack
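
The trust-store point made in the message above, as an added example that is not part of the original message: a simplified Python model of chain walking showing why the same served bundle verifies for a client whose store holds the intermediate and fails for one whose store does not, and why an updated bundle fixes it for both. It matches certificates by name only and checks no signatures; all certificate names and the expiry dates are constructed.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def verify(sent_chain, trust_store, now):
    """Walk from the leaf (sent_chain[0]) towards a trust anchor.

    Returns (ok, reason). Simplified model: names only, no signature,
    notBefore or constraint checks; store entries are assumed valid.
    """
    by_subject = {c.subject: c for c in sent_chain}
    cert, seen = sent_chain[0], set()
    while True:
        if cert.not_after <= now:
            return False, f"expired: {cert.subject}"
        if cert.issuer in trust_store:      # issuer is a local trust anchor
            return True, f"anchored at {cert.issuer}"
        seen.add(cert.subject)
        nxt = by_subject.get(cert.issuer)   # otherwise use what the server sent
        if nxt is None or nxt.subject in seen:
            return False, f"not trusted: no issuer for {cert.subject}"
        cert = nxt

# Constructed sample data (hypothetical names and expiry dates).
NOW = utc(2020, 6, 4)
LEAF = Cert("example.org", "Example Intermediate CA", utc(2021, 1, 1))
OLD_INT = Cert("Example Intermediate CA", "Example Legacy Root", utc(2030, 1, 1))
OLD_ROOT = Cert("Example Legacy Root", "Example Legacy Root", utc(2020, 6, 1))
NEW_INT = Cert("Example Intermediate CA", "Example Modern Root", utc(2030, 1, 1))

STALE_BUNDLE = [LEAF, OLD_INT, OLD_ROOT]   # what the server still sends
FIXED_BUNDLE = [LEAF, NEW_INT]             # updated chain/bundle
ROOTS_ONLY = {"Example Modern Root"}       # store without intermediates
WITH_INTERMEDIATE = ROOTS_ONLY | {"Example Intermediate CA"}

if __name__ == "__main__":
    for name, bundle, store in [
        ("stale bundle, roots-only store", STALE_BUNDLE, ROOTS_ONLY),
        ("stale bundle, intermediate in store", STALE_BUNDLE, WITH_INTERMEDIATE),
        ("fixed bundle, roots-only store", FIXED_BUNDLE, ROOTS_ONLY),
    ]:
        print(name, "->", verify(bundle, store, NOW))
```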

