Hi Jonathan and Andreas,

Andreas Metzler wrote:
> > I updated gnutls to 3.7.0-3 this morning, then apt was unable to connect to
> > the Debian mirror https://debian.ethz.ch/debian/:
> >
> > $ sudo apt update
> > Ign:1 https://debian.ethz.ch/debian sid InRelease
> > Err:2 https://debian.ethz.ch/debian sid Release
> >   Certificate verification failed: The certificate is NOT trusted. The
> >   certificate issuer is unknown. Could not handshake: Error in the
> >   certificate verification. [IP: 129.132.53.171 443]
> > Reading package lists... Done
[...]
> afaict the server is misconfigured:

I beg to disagree. ;-)

> The certificate chain sent by the server consists of 3 certificates
> but not each following certificate directly certifies the one
> preceding it.
> - Certificate[1] and Certificate[2] are identical.

Thanks for that hint! As I already wrote in
https://gitlab.com/gnutls/gnutls/-/issues/1131#note_46246993, this
happens easily when you switch from an earlier version to acme-tiny
4.x and believe that adding the intermediate certificate twice is "not
a big deal, it should still work fine" (or you haven't noticed that
note on upgrading or the upgrade just happened automatically, etc.)...

Anyway, I just fixed that for https://debian.ethz.ch/ (hopefully
permanently — we'll see on next renewal :-) and also verified that the
breakage is indeed there before I manually removed the second
occurrence from the certificate file.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
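
Added example, not part of the original message and not code from acme-tiny or GnuTLS: a check for the condition described above, a served chain file that contains the same certificate twice. It compares the DER bytes of each PEM block only and does not validate issuer relationships; the function names and the sample chain (placeholder payloads, not real certificates) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _fingerprint(b64_body):
    # SHA-256 over the decoded DER bytes, so whitespace and line wrapping
    # differences between two copies of the same certificate do not matter.
    der = base64.b64decode("".join(b64_body.split()))
    return hashlib.sha256(der).hexdigest()

def chain_fingerprints(pem_text):
    """Fingerprint of every certificate in the file, in file order."""
    return [_fingerprint(body) for body in PEM_RE.findall(pem_text)]

def duplicate_positions(pem_text):
    """(position, first_position) pairs, 0-based, for repeated certificates."""
    seen, dups = {}, []
    for i, fp in enumerate(chain_fingerprints(pem_text)):
        if fp in seen:
            dups.append((i, seen[fp]))
        else:
            seen[fp] = i
    return dups

def dedupe_chain(pem_text):
    """Chain with every later copy of an already-seen certificate dropped."""
    seen, kept = set(), []
    for m in PEM_RE.finditer(pem_text):
        fp = _fingerprint(m.group(1))
        if fp not in seen:
            seen.add(fp)
            kept.append(m.group(0))
    return "\n".join(kept) + "\n"

def _pem(payload):
    # Constructed placeholder: wraps arbitrary bytes, not a real X.509 cert.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"

# Constructed sample: leaf, then the same intermediate appended twice.
SAMPLE_CHAIN = "\n".join(
    [_pem(b"leaf"), _pem(b"intermediate"), _pem(b"intermediate")]) + "\n"

if __name__ == "__main__":
    print("duplicates:", duplicate_positions(SAMPLE_CHAIN))
    print("after dedupe:", len(chain_fingerprints(dedupe_chain(SAMPLE_CHAIN))))
```

Run against the chain file after each renewal, a non-empty result from `duplicate_positions` flags the file before it is deployed to the web server.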