This is a crosspost from: https://code.google.com/p/pentoo/issues/detail?id=184

emerge --keep-going -uDN world -->

>>> Emerging (1 of 5) net-wireless/multimode-9999
>>> Unpacking source...
 * subversion check out start -->
 *   repository: https://www.cgran.org/svn/projects/multimode/trunk
Error validating server certificate for 'https://www.cgran.org:443'
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: www.cgran.org
 - Valid: from Thu, 07 Mar 2013 00:00:00 GMT until Fri, 07 Mar 2014 23:59:59 GMT
 - Issuer: Domain Validated SSL, Thawte, Inc., US
 - Fingerprint: c6:7d:ba:59:28:d2:67:7b:b4:50:11:c9:45:04:3e:30:7c:fc:b3:07
(R)eject, accept (t)emporarily or accept (p)ermanently? svn: E175002: Unable to connect to a repository at URL 'https://www.cgran.org/svn/projects/multimode/trunk'
svn: E175002: OPTIONS of 'https://www.cgran.org/svn/projects/multimode/trunk': Server certificate verification failed: issuer is not trusted (https://www.cgran.org)
 * ERROR: net-wireless/multimode-9999::gentoo failed (unpack phase):
 *   subversion: can't fetch to /usr/portage/distfiles/svn-src/multimode/trunk from https://www.cgran.org/svn/projects/multimode/trunk.
unable to reproduce
What is your version of app-misc/ca-certificates?
(In reply to Chí-Thanh Christopher Nguyễn from comment #2)
> What is your version of app-misc/ca-certificates?

I am using app-misc/ca-certificates-20130119 and it works fine.
Ok, it is certainly good to know "it works" for you, but there are at least 2 users with the error. I'm using the same 20130119 and I'm getting the same error with wget:

wget https://www.cgran.org/svn/projects/multimode/trunk
ERROR: cannot verify www.cgran.org's certificate, issued by ‘/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA’:
  Unable to locally verify the issuer's authority.

equery f ca-certificates | grep -i thawte
/etc/ssl/certs/Thawte_Premium_Server_CA.pem
/etc/ssl/certs/Thawte_Server_CA.pem
/etc/ssl/certs/thawte_Primary_Root_CA.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G2.pem
/etc/ssl/certs/thawte_Primary_Root_CA_-_G3.pem
/usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
/usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt

grep -i thawte /etc/ca-certificates.conf
mozilla/Thawte_Premium_Server_CA.crt
mozilla/Thawte_Server_CA.crt
mozilla/thawte_Primary_Root_CA.crt
mozilla/thawte_Primary_Root_CA_-_G2.crt
mozilla/thawte_Primary_Root_CA_-_G3.crt

/etc/ssl/certs $ ll | grep -i thawte
lrwxrwxrwx 1 root root 26 Sep 21 07:19 2e4eed3c.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 20 Sep 21 07:19 6cc3c4c3.0 -> Thawte_Server_CA.pem
lrwxrwxrwx 1 root root 28 Sep 21 07:19 98ec67f0.0 -> Thawte_Premium_Server_CA.pem
lrwxrwxrwx 1 root root 63 Sep 21 07:19 Thawte_Premium_Server_CA.pem -> /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
lrwxrwxrwx 1 root root 55 Sep 21 07:19 Thawte_Server_CA.pem -> /usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt
lrwxrwxrwx 1 root root 31 Sep 21 07:19 ba89ed3b.0 -> thawte_Primary_Root_CA_-_G3.pem
lrwxrwxrwx 1 root root 31 Sep 21 07:19 c089bbbd.0 -> thawte_Primary_Root_CA_-_G2.pem
lrwxrwxrwx 1 root root 61 Sep 21 07:19 thawte_Primary_Root_CA.pem -> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
lrwxrwxrwx 1 root root 66 Sep 21 07:19 thawte_Primary_Root_CA_-_G2.pem -> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
lrwxrwxrwx 1 root root 66 Sep 21 07:19 thawte_Primary_Root_CA_-_G3.pem -> /usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt

I've regenerated all certs with "update-ca-certificates -f" but the error is still there. So please tell me what is wrong with my setup.
Not necessarily a ca-certificates problem. Do you have any dangling symlinks in /etc/ssl/certs? Was openssl built with or without the bindist flag?
no dead links in /etc/ssl, bindist is not enabled:

[ebuild   R    ] dev-libs/openssl-1.0.1e-r1  USE="(sse2) zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla"

emerge --info
Portage 2.2.1 (hardened/linux/amd64, gcc-4.6.3, glibc-2.15-r3, 3.9.9-pentoo x86_64)
=================================================================
System uname: Linux-3.9.9-pentoo-x86_64-Intel-R-_Core-TM-_i5-3320M_CPU_@_2.60GHz-with-gentoo-2.2
KiB Mem:     7980692 total,   4321664 free
KiB Swap:    4194300 total,   4194300 free
Timestamp of tree: Wed, 18 Sep 2013 23:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p45
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.5-r2, 3.2.5-r2
dev-util/cmake:           2.8.10.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8::pentoo
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.4_p6-r1, 1.11.6, 1.12.6, 1.13.4
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
ABI="amd64"
ABI_X86="32 64"
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA PUEL AdobeFlash-11.x Google-TOS dlj-1.1 google-chrome Oracle-BCLA-JavaSE Intel-SDP skype-4.0.0.7-copyright"
ACCEPT_PROPERTIES="*"
ACCEPT_RESTRICT="*"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ANDROID_SWT="/usr/share/swt-3.7/lib"
ANT_HOME="/usr/share/ant"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ARCH="amd64"
AUTOCLEAN="yes"
BOOTSTRAP_USE="cxx unicode python_targets_python3_2 python_targets_python2_7 multilib hardened pax_kernel pic -jit -orc multilib"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CFLAGS_amd64="-m64"
CFLAGS_x32="-mx32"
CFLAGS_x86="-m32"
CHOST="x86_64-pc-linux-gnu"
CHOST_amd64="x86_64-pc-linux-gnu"
CHOST_x32="x86_64-pc-linux-gnux32"
CHOST_x86="i686-pc-linux-gnu"
CLEAN_DELAY="5"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
COLLISION_IGNORE="/lib/modules/* *.py[co] *$py.class */dropin.cache"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
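The dangling-symlink check asked about in comment 7 (a CA bundle directory where a hash link such as `2e4eed3c.0` points at a file that no longer exists) is easy to automate. The script below is an added example, not code from this thread or from the ca-certificates package; it walks a directory without following links and lists every symlink whose target cannot be resolved. Because it must run offline, it builds a small constructed stand-in for /etc/ssl/certs in a temporary directory (the file and link names in `build_demo_tree` are made up) instead of scanning the real bundle; point `dangling_symlinks` at `/etc/ssl` to run the actual check.

```python
import os
import tempfile


def dangling_symlinks(root):
    """Walk root without following links and return every symlink whose
    target does not exist. A trusted-CA directory must return an empty list:
    a dead <hash>.N link means OpenSSL cannot load that CA by subject hash."""
    dangling = []
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk (followlinks=False) lists symlinks to directories in
        # dirnames, so both lists must be checked.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not os.path.exists(path):
                dangling.append(path)
    return sorted(dangling)


def build_demo_tree():
    """Constructed stand-in for /usr/share/ca-certificates + /etc/ssl/certs:
    one CA file, one name link, one hash link that resolves, one that does not."""
    root = tempfile.mkdtemp(prefix="certs-demo-")
    store = os.path.join(root, "store")
    certs = os.path.join(root, "certs")
    os.mkdir(store)
    os.mkdir(certs)
    good = os.path.join(store, "Example_Root_CA.crt")  # constructed name
    with open(good, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                 "-----END CERTIFICATE-----\n")
    os.symlink(good, os.path.join(certs, "Example_Root_CA.pem"))
    # hash-style link like update-ca-certificates/c_rehash create; resolves
    os.symlink("Example_Root_CA.pem", os.path.join(certs, "0123abcd.0"))
    # hash link left behind after its CA file was removed; does not resolve
    os.symlink("Removed_CA.pem", os.path.join(certs, "deadbeef.0"))
    return root


if __name__ == "__main__":
    for path in dangling_symlinks(build_demo_tree()):
        print("dangling:", path)
```

On a real system an empty result from `dangling_symlinks("/etc/ssl")` confirms what comment 8 reports; a non-empty one is fixed by `update-ca-certificates -f`, which rebuilds the links.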
Created attachment 359174: Correct chained certificate for www.cgran.org

According to http://ftp-master.metadata.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20130906_changelog there wasn't a change in (related) certificates.

It looks like a server configuration issue to me. www.cgran.org:443 is not sending the correct cert chain:

$ openssl s_client -CApath /etc/ssl -connect www.cgran.org:443
CONNECTED(00000003)
depth=0 OU = Go to https://www.thawte.com/repository/index.html, OU = Thawte SSL123 certificate, OU = Domain Validated, CN = www.cgran.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Go to https://www.thawte.com/repository/index.html, OU = Thawte SSL123 certificate, OU = Domain Validated, CN = www.cgran.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Go to https://www.thawte.com/repository/index.html, OU = Thawte SSL123 certificate, OU = Domain Validated, CN = www.cgran.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=www.cgran.org
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com

GoDaddy? ValiCert? That's wrong. I created the correct chained certificate for you (basically 'cat www.cgran.org.crt > chain.crt && cat ThawteDVSSLCA.crt >> chain.crt', nothing else).
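The diagnosis in the comment above (the leaf is issued by "Thawte DV SSL CA", but the next certificate the server sends is a GoDaddy one, so no client holding only root CAs can build a path) can be checked mechanically from the `Certificate chain` block that `openssl s_client` prints. The script below is an added example, not code from this thread: it parses the `s:`/`i:` lines, reports every position where a certificate's issuer is not the subject of the certificate that follows, and lists intermediates that are referenced but never presented. `BROKEN_CHAIN` is the output quoted above; `FIXED_CHAIN` is a constructed rendering of what the server should send after installing the attached chain.crt (leaf followed by the Thawte DV SSL CA intermediate), where the intermediate's own issuer DN is a placeholder and not copied from a real certificate.

```python
import re

# Constructed input: the "Certificate chain" block as openssl s_client printed
# it for www.cgran.org in the comment above (leaf, then an unrelated GoDaddy chain).
BROKEN_CHAIN = """\
---
Certificate chain
 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=www.cgran.org
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
"""

# Constructed input: the chain after chain.crt (leaf + Thawte DV SSL CA) is
# installed. The intermediate's issuer DN is a placeholder, not a real DN.
FIXED_CHAIN = """\
Certificate chain
 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=www.cgran.org
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
   i:/CN=thawte Primary Root CA (constructed placeholder issuer DN)
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, pending = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and pending is not None:
            chain.append((pending, m.group(1).strip()))
            pending = None
    return chain


def chain_breaks(chain):
    """Indices i where certificate i's issuer is not the subject of i+1.
    RFC 5246 requires each certificate to directly certify the one before it."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]


def missing_intermediates(chain):
    """Issuers named before the last certificate that nothing presented carries
    as a subject. The last certificate's issuer is excluded on purpose: that may
    be a root the client already has in its CA bundle, which need not be sent."""
    subjects = {subject for subject, _ in chain}
    return [issuer for _, issuer in chain[:-1] if issuer not in subjects]


def diagnose(text):
    """Human-readable findings; an empty list means the presented chain links up."""
    chain = parse_chain(text)
    findings = []
    for i in chain_breaks(chain):
        findings.append("break after cert %d: issuer %r is not next subject %r"
                        % (i, chain[i][1], chain[i + 1][0]))
    for issuer in missing_intermediates(chain):
        findings.append("intermediate never presented: %r" % issuer)
    if chain and chain[-1][0] == chain[-1][1]:
        findings.append("chain ends in a self-signed root (sending it is unnecessary)")
    return findings


if __name__ == "__main__":
    for label, text in (("as served", BROKEN_CHAIN), ("with chain.crt", FIXED_CHAIN)):
        print(label + ":", diagnose(text) or ["ok"])
```

Feed it the real output with `openssl s_client -connect host:443 </dev/null | python3 chaincheck.py` after swapping the constants for `sys.stdin.read()`; the first finding for www.cgran.org is the break after certificate 0, which is exactly the "unable to get local issuer certificate" error the clients report.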
[ebuild   R    ] dev-libs/openssl-1.0.1e-r1  USE="(sse2) zlib -bindist -gmp -kerberos -rfc3779 -static-libs {-test} -vanilla" 0 kB

no dangling symlinks here
Yes, www.cgran.org is misconfigured (as others have pointed out here). You can also see it using a site like: https://www.ssllabs.com/ssltest/analyze.html?d=cgran.org (look at the chain issues section).

That said, is it expected that ca-certificates include intermediate CA certs like "Thawte DV SSL CA"? I'm not sure ... that'd be a question for Debian really. We've been punting these bugs to http://bugs.debian.org/ because we're lazy :).