Hello! I just tried to synch my local tree with what's stored back there, and instead of watching it update I saw this one:
fatal: unable to access 'https://review.coreboot.org/coreboot.git/': SSL certificate problem: certificate has expired
Huh? Is everyone else aware of this?
-----
Gregg C Levine gregg.drwho8@gmail.com
"This signature fought the Time Wars, time and again."
Hi Gregg,
On Thu, 30 Sept 2021 at 21:16, Gregg Levine <gregg.drwho8@gmail.com> wrote:
> fatal: unable to access 'https://review.coreboot.org/coreboot.git/': SSL certificate problem: certificate has expired
Given the timing, I wonder if https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/ might be the cause: We serve a pretty complete certificate chain but if your client doesn't support the root certificate that we now rely on exclusively (because the other path using the more popular root has expired), your client won't like any of our certs.
You could try changing the environment to carry GIT_CURL_VERBOSE=true to see what's going on, or maybe just look at updating the ca-certificate store of your system.
Alternatively you could set up the SSH based access method to access the server, as outlined in https://doc.coreboot.org/tutorial/part2.html#step-2a-set-up-rsa-private-publ... but you might run into more issues with certs going forward on other servers if the cert store is old.
All the best, Patrick
Hello! Okay, I tried setting that variable, and it did not show me anything. I also looked at the page you suggested. Interesting, I suspect I'd need to do that should I go ahead and want to contribute.
As for updating certificates, the big problem is that is a WSL prebuilt image, and someone else built it, and deliberately broke the methods SuSe uses to update things.
-----
Gregg C Levine gregg.drwho8@gmail.com
"This signature fought the Time Wars, time and again."
Hello! Okay update. This is WSL remember, I grabbed an Ubuntu image that I'd previously claimed and allowed the automation to install it. I should mention that I also followed normal Debian based Linux methods to upgrade it. And I then pulled over a tar compressed with Bzip2 tree of my entire work, and extracted it. Inside it I went into the original coreboot directory from a while ago. Inside it I ran the git command steps to update it. I did not see the error message.
I did note that it found problems with updating an earlier source tree, but had no problems pulling down a new one. The problems were related to the contents. I renamed the tree to call it a backup. It is still working to retrieve things. So I believe the problems were related to the SuSe image I was using, it was not put together in a form that could be properly updated. Yes I agree with you regarding the pending certificates but will the problem such as it is impact us? And when?
-----
Gregg C Levine gregg.drwho8@gmail.com
"This signature fought the Time Wars, time and again."
Ok, I'm running into the same issue on an Ubuntu 16.04 system.
$ git clone https://review.coreboot.org/coreboot.git
Cloning into 'coreboot'...
fatal: unable to access 'https://review.coreboot.org/coreboot.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
In the past I've had no problems with cloning coreboot on this system, but now it's broken with the same error message as Gregg encountered.
I've updated the ca-certificates, but it said I already had the latest certs and that didn't fix it.
I found an article online about pulling the cert from coreboot into a .pem file, and then appending that into the ca-certificates.crt file, but that didn’t work either.
I imagine there are others that have run into this... what's the solution?
Thanks,
- Jay
-----Original Message-----
From: Gregg Levine gregg.drwho8@gmail.com
Sent: Thursday, September 30, 2021 6:16 PM
To: Patrick Georgi pgeorgi@google.com
Cc: coreboot coreboot@coreboot.org
Subject: [coreboot] Re: Git reports an interesting error message
Hi Jay,
from your description I'm not clear what you added to your root certificate store. Let's Encrypt provides their root certs in various formats at https://letsencrypt.org/certificates/. Things should work after you add those (right now, review.coreboot.org is certified through the X1 root).
If that doesn't help, the issue might be incompatible cipher suite requirements (your clients only supporting cryptographic algorithms that the server doesn't support) but I don't think we changed anything in that regard on the servers in the last few years.
Patrick
On Tue, 18 Jan 2022 at 02:26, Jay Talbott <JayTalbott@sysproconsulting.com> wrote:
> Ok, I'm running into the same issue on an Ubuntu 16.04 system.
coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org
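The check Patrick describes in both of his replies (does the client's trust store contain the root the server now relies on, and is it still carrying expired roots) can be run against a CA bundle as below. This is an added example, not part of the thread or of coreboot's tooling; it assumes the bundle path shown in Jay's error message and that "the X1 root" is the certificate named ISRG Root X1, and the two sample stores are constructed.

```python
import ssl
import time

# CAfile path as printed in the git error quoted in the thread.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
REQUIRED_ROOT = "ISRG Root X1"  # assumption: full name of the "X1 root"

# Constructed sample stores in the dict format get_ca_certs() returns.
DST_X3 = {"subject": ((("commonName", "DST Root CA X3"),),),
          "notAfter": "Sep 30 14:01:15 2021 GMT"}
ISRG_X1 = {"subject": ((("commonName", "ISRG Root X1"),),),
           "notAfter": "Jun  4 11:04:38 2035 GMT"}
OLD_STORE = [DST_X3]
UPDATED_STORE = [DST_X3, ISRG_X1]


def common_name(cert):
    """Return the subject commonName of a get_ca_certs()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "?"  # some roots carry no CN


def load_roots(cafile=DEFAULT_BUNDLE):
    """Load every CA certificate in a PEM bundle, expired ones included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


def audit_roots(certs, required=REQUIRED_ROOT, now=None):
    """Say whether `required` is trusted and unexpired; list expired roots."""
    now = time.time() if now is None else now
    expired, found, usable = [], False, False
    for cert in certs:
        name = common_name(cert)
        is_expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now
        if is_expired:
            expired.append(name)
        if name == required:
            found, usable = True, usable or not is_expired
    verdict = "ok" if usable else "root-expired" if found else "missing-root"
    return {"verdict": verdict, "expired": sorted(expired)}


if __name__ == "__main__":
    print("old store:    ", audit_roots(OLD_STORE))
    print("updated store:", audit_roots(UPDATED_STORE))
    print("this system:  ", audit_roots(load_roots()))
```

A `missing-root` verdict is the situation Patrick's first reply describes; if the verdict is `ok` and git still fails, his second suggestion (a cipher suite mismatch) is the next thing to look at.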