antrea-io / antrea

Kubernetes networking based on Open vSwitch
https://antrea.io
Apache License 2.0

Antrea UBI build is currently failing #6749

Closed antoninbas closed 8 hours ago

antoninbas commented 1 day ago

Describe the bug: The UBI build is failing both in CI and locally. The issue seems to be an invalid certificate chain for the centos.org website (we need to download GPG keys from the website to install some distro packages).

To Reproduce: It's very easy to reproduce:

$ docker run -ti registry.access.redhat.com/ubi9 bash
[root@debc271746b8 /]# curl https://www.centos.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When inspecting the certificate chain with openssl, we can see:

---
Certificate chain
 0 s:CN = centos.org
   i:C = US, O = Let's Encrypt, CN = R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 16 10:10:20 2024 GMT; NotAfter: Jan 14 10:10:19 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Verify return code: 21 (unable to verify the first certificate)

The issuer for the centos.org certificate is Let’s Encrypt R10, while the certificate included in the chain is Let’s Encrypt R11. That discrepancy is causing the curl failure. I can reproduce the same issue from a ubuntu:24.04 container. Surprisingly, the curl command can run successfully from my macOS laptop, and I can also visit the website from the browser. When inspecting the certificate from the browser, the chain is correct (R10 is included, not R11). So I am very puzzled. The ca-certificates package is installed and up-to-date (but that should be unrelated in this case).

Additional context: I have posted a message in the CentOS community forums: https://discussion.fedoraproject.org/t/invalid-certificate-trust-chain-for-centos-org/133921. Hopefully this is a transient issue which will be resolved within a couple of days.
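The failure mode in this report (a leaf issued by one intermediate, served together with a different intermediate) is easy to reproduce and check for offline. The Go program below is an added example written for this page; it is not part of Antrea and does not contact centos.org. It builds a constructed PKI with one root and two intermediates named R10 and R11, issues a leaf for centos.org from R10, and then verifies the leaf the way curl and openssl would, once with the wrong intermediate (R11, reproducing the "unable to verify the first certificate" outcome) and once with the correct one. `chainMismatch` is the quick diagnostic a practitioner can run on a captured chain: compare the leaf's issuer name to the presented intermediate's subject and confirm the signature actually checks out. All names, keys and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certAndKey bundles a parsed certificate with the private key that signs for it.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for cn. With parent == nil it is self-signed (a root).
// Go populates SubjectKeyId for CA certs and AuthorityKeyId from the parent automatically.
func newCert(cn string, isCA bool, parent *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // constructed names, not real LE CAs
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	parentCert, signKey := tmpl, key
	if parent != nil {
		parentCert, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{cert: cert, key: key}, nil
}

// scenario models the report: leaf issued by R10, while R11 is what the server sends.
type scenario struct {
	root, r10, r11, leaf *x509.Certificate
}

// buildScenario constructs the example PKI in memory.
func buildScenario() (*scenario, error) {
	root, err := newCert("Example Root (constructed)", true, nil)
	if err != nil {
		return nil, err
	}
	r10, err := newCert("R10", true, root)
	if err != nil {
		return nil, err
	}
	r11, err := newCert("R11", true, root)
	if err != nil {
		return nil, err
	}
	leaf, err := newCert("centos.org", false, r10)
	if err != nil {
		return nil, err
	}
	return &scenario{root: root.cert, r10: r10.cert, r11: r11.cert, leaf: leaf.cert}, nil
}

// verifyChain does what a TLS client does: chain the leaf through the intermediates
// the server presented up to a trusted root, checking the hostname as well.
func verifyChain(leaf *x509.Certificate, presented []*x509.Certificate, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// chainMismatch reports whether the presented intermediate is not the leaf's issuer:
// the issuer/subject names differ, or the leaf's signature does not verify under it.
func chainMismatch(leaf, intermediate *x509.Certificate) bool {
	return leaf.Issuer.String() != intermediate.Subject.String() ||
		leaf.CheckSignatureFrom(intermediate) != nil
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf issuer:", s.leaf.Issuer.CommonName)
	fmt.Println("served R11, mismatch:", chainMismatch(s.leaf, s.r11), "verify:", verifyChain(s.leaf, []*x509.Certificate{s.r11}, s.root, "centos.org"))
	fmt.Println("served R10, mismatch:", chainMismatch(s.leaf, s.r10), "verify:", verifyChain(s.leaf, []*x509.Certificate{s.r10}, s.root, "centos.org"))
}
```

With R11 in the presented chain, `Verify` returns an unknown-authority error because nothing in the pools can validate the leaf's signature, which is the same condition openssl reports as return code 21. Swapping in R10 makes the chain verify. Note that this check is independent of the local `ca-certificates` store: the root is trusted in both runs, and only the served intermediate differs, which is why updating CA bundles did not help in the report.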

antoninbas commented 8 hours ago

This has now been resolved