jcrodriguez-dis / vpl-jail-system

Execution/jail server for VPL
GNU General Public License v3.0

VPL jail system download has incomplete certificate chain #70

Closed FeldrinH closed 4 months ago

FeldrinH commented 9 months ago

I apologize if this is the wrong place to report this issue, but I could not think of a more appropriate place.

When downloading https://vpl.dis.ulpgc.es/releases/vpl-jail-system-3.0.1.tar.gz in stock Ubuntu 22.04 (and presumably many other similar Linux distros) using wget https://vpl.dis.ulpgc.es/releases/vpl-jail-system-3.0.1.tar.gz the command gives the following error:

$ wget https://vpl.dis.ulpgc.es/releases/vpl-jail-system-3.0.1.tar.gz
--2023-09-30 20:08:18--  https://vpl.dis.ulpgc.es/releases/vpl-jail-system-3.0.1.tar.gz
Resolving vpl.dis.ulpgc.es (vpl.dis.ulpgc.es)... 193.145.147.130
Connecting to vpl.dis.ulpgc.es (vpl.dis.ulpgc.es)|193.145.147.130|:443... connected.
ERROR: cannot verify vpl.dis.ulpgc.es's certificate, issued by ‘CN=Sectigo RSA Extended Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Unable to locally verify the issuer's authority.
To connect to vpl.dis.ulpgc.es insecurely, use `--no-check-certificate'.

I believe the reason is that the vpl.dis.ulpgc.es server does not send all the intermediate certificates required for verification and they are also not included in a stock wget installation.

This makes it very difficult to securely download the jail system on a Linux server.

tats-u commented 4 months ago

@jcrodriguez-dis

Online TLS diagnosis: https://www.ssllabs.com/ssltest/analyze.html?d=vpl.dis.ulpgc.es (new scan will begin when accessed)

Sectigo should have told you to serve an intermediate CA certificate file in addition to the endpoint server certificate file that has already been provided.

https://access.redhat.com/solutions/43575

You should concatenate 2 files into a single file or use the property named SSLCertificateChainFile.

jcrodriguez-dis commented 4 months ago

Dear @FeldrinH and @tats-u,

Thank you for bringing this issue to our attention. I apologize for any inconvenience this may have caused you. The issue was resolved by appending the intermediate CA certificate file to the server certificate file. We appreciate your patience and understanding.

Best regards, Juan Carlos

tats-u commented 4 months ago

@jcrodriguez-dis Thank you for your quick response. I have confirmed that wget and curl now work successfully.
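
The failure and the fix discussed in this thread can be reproduced offline. The script below is an added example, not part of the original issue or of the VPL project: it builds a constructed root, intermediate and leaf certificate with `openssl` (all names and file paths are hypothetical), then checks a leaf-only file and a leaf-plus-intermediate file against a trust store that holds only the root.

```shell
#!/usr/bin/env bash
# Constructed three-tier PKI (root -> intermediate -> leaf); every name here is hypothetical.
make_pki() {  # $1 = empty working directory
  local d=$1
  cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: stands in for the only CA the client trust store holds.
  openssl req -x509 -config "$d/cfg" -extensions ca -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Root CA" -days 2 \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate signed by the root, then the server leaf signed by the intermediate.
  issue "$d" int  "Constructed Intermediate CA" root ca   || return 1
  issue "$d" leaf "server.example.test"         int  leaf || return 1
}

issue() {  # $1 dir, $2 name, $3 CN, $4 issuer name, $5 extension section
  openssl req -new -config "$1/cfg" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/cfg" -extensions "$5" -days 2 \
    -out "$1/$2.pem" 2>/dev/null
}

# Succeeds only if the first cert in $2 chains to the root in $1 using
# nothing but the extra certs found in $2 itself (what the server would send).
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_pki "$d" || return 1
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"   # the fix: leaf first, then intermediate
  served_chain_ok "$d/root.pem" "$d/leaf.pem"      && echo "leaf only: OK" || echo "leaf only: FAIL"
  served_chain_ok "$d/root.pem" "$d/fullchain.pem" && echo "fullchain: OK" || echo "fullchain: FAIL"
  rm -rf "$d"
}

demo
```

The same `served_chain_ok` check can be run against a real certificate file before it is deployed, with the issuing CA's root certificate as the first argument.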