Re: [Savannah-hackers-public] Unreachable https and rsync mirrors

[Bob Proulx]

Bob Proulx wrote:
> All of those seem to be the outdated CA list and openssl on
> download0.  All but one of the above were issued by Comodo.  Which is
> the mostly common thread among them.  They apparently have a newly
> issued trust anchor.

It turns out that this was a pretty widely felt expired certificate.
And tickles an openssl bug.  And therefore fixes have been rippling
through.

The way I have been reading the blogs on this the problem is one of
the certificate chains has expired.  Coupled with openssl prior to 1.1
which flagged as invalid the chain if either were invalid.  Requiring
both of them to be valid.  As opposed to validating it as okay if any
of the chains validated as it is supposed to have been working.

Over the weekend I realized that I could extract the expired
certificate and leave only the valid one and this would fix the
problem.  And I could even update the bundle.

But then the Debian Stretch LTS team prepared a package upgrade doing
all of the work very nicely packaged making this trivial to install
their package and not needing any work at all.  :-)

I have upgrade the CA certificate bundle on our three machines that
were needing it, download0, vcs0, mgt0.  Testing shows that the
previous certificates that were previously invalid are now validating.
I am going to wait and let the mirmon scripts run and hopefully that
will now validate those mirrors and they will come back online in the
redirector over the next couple of hours.

Bob