Hi Jay,

From your description I'm not clear what you added to your root certificate store.
Let's Encrypt provides their root certs in various formats at https://letsencrypt.org/certificates/.
Things should work after you add those (right now, review.coreboot.org is certified through the X1 root).

If that doesn't help, the issue might be incompatible cipher suite requirements (your clients only supporting cryptographic algorithms that the server doesn't support) but I don't think we changed anything in that regard on the servers in the last few years.


Patrick

On Tue, Jan 18, 2022 at 02:26, Jay Talbott <JayTalbott@sysproconsulting.com> wrote:
Ok, I'm running into the same issue on an Ubuntu 16.04 system.

$ git clone https://review.coreboot.org/coreboot.git
Cloning into 'coreboot'...
fatal: unable to access 'https://review.coreboot.org/coreboot.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

In the past I've had no problems with cloning coreboot on this system, but now it's broken with the same error message as Gregg encountered.

I've updated the ca-certificates, but it said I already had the latest certs and that didn't fix it.

I found an article online about pulling the cert from coreboot into a .pem file, and then appending that into the ca-certificates.crt file, but that didn’t work either.

I imagine there are others that have run into this... what's the solution?

Thanks,

- Jay

> -----Original Message-----
> From: Gregg Levine <gregg.drwho8@gmail.com>
> Sent: Thursday, September 30, 2021 6:16 PM
> To: Patrick Georgi <pgeorgi@google.com>
> Cc: coreboot <coreboot@coreboot.org>
> Subject: [coreboot] Re: Git reports an interesting error message
>
> Hello!
> Okay update. This is WSL remember, I grabbed an Ubuntu image that I'd
> previously claimed and allowed the automation to install it.  I should
> mention that I also followed normal Debian based Linux methods to
> upgrade it.
> And I then pulled over a tar compressed with Bzip2 tree of my entire
> work, and extracted it. Inside it I went into the original coreboot
> directory from a while ago. Inside it I ran the git command steps to
> update it. I did not see the error message.
>
> I did note that it found problems with updating an earlier source
> tree, but had no problems pulling down a new one. The problems were
> related to the contents. I renamed the tree to call it a backup. It is
> still working to retrieve things. So I believe the problems were
> related to the SuSe image I was using, it was not put together in a
> form that could be properly updated. Yes I agree with you regarding
> the pending certificates but will the problem such as it is impact us?
> And when?
> -----
> Gregg C Levine gregg.drwho8@gmail.com
> "This signature fought the Time Wars, time and again."
>
> On Thu, Sep 30, 2021 at 6:19 PM Gregg Levine <gregg.drwho8@gmail.com> wrote:
> >
> > Hello!
> > Okay, I tried setting that variable, and it did not show me anything.
> > I also looked at the page you suggested. Interesting, I suspect I'd
> > need to do that should I go ahead and want to contribute.
> >
> > As for updating certificates, the big problem is that is a WSL
> > prebuilt image, and someone else built it, and deliberately broke the
> > methods SuSe uses to update things.
> > -----
> > Gregg C Levine gregg.drwho8@gmail.com
> > "This signature fought the Time Wars, time and again."
> >
> > > On Thu, Sep 30, 2021 at 3:37 PM Patrick Georgi <pgeorgi@google.com> wrote:
> > >
> > > Hi Gregg,
> > >
> > > > On Thu, Sep 30, 2021 at 21:16, Gregg Levine <gregg.drwho8@gmail.com> wrote:
> > >>
> > >> fatal: unable to access 'https://review.coreboot.org/coreboot.git/':
> > >> SSL certificate problem: certificate has expired
> > >
> > >
> > > > Given the timing, I wonder if https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/ might be the cause: We serve a pretty complete certificate chain but if your client doesn't support the root certificate that we now rely on exclusively (because the other path using the more popular root has expired), your client won't like any of our certs.
> > >
> > > > You could try changing the environment to carry GIT_CURL_VERBOSE=true to see what's going on, or maybe just look at updating the ca-certificate store of your system.
> > >
> > > > Alternatively you could set up the SSH based access method to access the server, as outlined in https://doc.coreboot.org/tutorial/part2.html#step-2a-set-up-rsa-private-public-key but you might run into more issues with certs going forward on other servers if the cert store is old.
> > >
> > >
> > > All the best,
> > > Patrick
> > > --
> > > Google Germany GmbH, ABC-Str. 19, 20354 Hamburg
> > > > Registration court and number: Hamburg, HRB 86891, registered office: Hamburg
> > > > Managing directors: Paul Manicle, Halimah DeLaine Prado
> _______________________________________________
> coreboot mailing list -- coreboot@coreboot.org
> To unsubscribe send an email to coreboot-leave@coreboot.org



--
Google Germany GmbH, ABC-Str. 19, 20354 Hamburg
Registration court and number: Hamburg, HRB 86891, registered office: Hamburg
Managing directors: Paul Manicle, Halimah DeLaine Prado
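
Added example, not part of the original thread: a Python check of whether a CA bundle such as the /etc/ssl/certs/ca-certificates.crt named in the git error contains the X1 root as a still-valid trust anchor, and which roots in it have expired. The function names, the subject string "ISRG Root X1" as the default lookup, and the two sample stores (constructed, with constructed dates) are assumptions of this example.

```python
import ssl
import sys
import time

def _common_name(name):
    """Pull commonName out of the nested-tuple name format the ssl module uses."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit_roots(ca_certs, wanted_cn="ISRG Root X1", now=None):
    """ca_certs: list of dicts as returned by ssl.SSLContext.get_ca_certs()."""
    now = time.time() if now is None else now
    report = {"wanted_present": False, "wanted_valid": False, "expired": []}
    for cert in ca_certs:
        cn = _common_name(cert.get("subject", ()))
        expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now
        if expired:
            report["expired"].append(cn)
        if cn == wanted_cn:
            report["wanted_present"] = True
            # Valid if at least one copy of the root is unexpired.
            report["wanted_valid"] = report["wanted_valid"] or not expired
    return report

def load_store(cafile):
    """Load every CA certificate from a PEM bundle without opening a connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

# Constructed sample entries in get_ca_certs() format (names and dates are made up,
# except that the second store carries a root with the X1 common name).
_EXPIRED = {"subject": ((("commonName", "Constructed Expired Root"),),),
            "notAfter": "Sep 30 14:01:15 2021 GMT"}
_X1 = {"subject": ((("organizationName", "Internet Security Research Group"),),
                   (("commonName", "ISRG Root X1"),)),
       "notAfter": "Jun 14 00:00:00 2035 GMT"}
OLD_STORE = [_EXPIRED]
UPDATED_STORE = [_EXPIRED, _X1]

if __name__ == "__main__":
    # Default path is the bundle named in the git error message above.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/ca-certificates.crt"
    print(audit_roots(load_store(path)))
```

A result with `wanted_valid` true means the store itself already trusts the root, so the failure has to be looked for in how the client builds or validates the chain rather than in a missing certificate.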