nicferrier / elmarmalade

emacs-lisp version of the marmalade package repository

Incomplete SSL certificate chain #138

Open mrschyte opened 8 years ago

mrschyte commented 8 years ago

Hi,

The marmalade-repo.org server sends an incomplete SSL certificate chain when connecting. This makes emacs, openssl and curl fail when trying to connect on certain Linux distros, since the missing certs are not included in the trust store.

Can you please include the certificates marked by Qualys as "Extra Download" in the certificate bundle?

https://www.ssllabs.com/ssltest/analyze.html?d=marmalade-repo.org

Thanks!

mrschyte commented 7 years ago

@nicferrier can you please look into the issue?

benizi commented 7 years ago

@nicferrier Ping?

I've just run into this, too. Under nginx, the file listed for ssl_certificate should contain both the certificate for marmalade-repo.org¹ and its intermediate certificate². The issuer of the intermediate cert (COMODO RSA Certification Authority) is trusted on most systems, AFAICT.

Correcting the chain might help with other issues (#58, #134, and #140), where there are GNUTLS-related issues at play³ and/or on Linux distros that don't include the intermediate cert.

Certificate details

¹ the certificate currently present:

$ openssl x509 -noout -subject -fingerprint -issuer < marmalade-repo.org.server.crt
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=marmalade-repo.org
SHA1 Fingerprint=6E:08:0A:47:7D:14:63:1D:2E:DF:83:9D:E5:82:AC:04:D4:36:3D:09
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

² the certificate for its issuer, available from COMODO's Knowledgebase:

$ openssl x509 -noout -subject -fingerprint -issuer < comodo.rsa.ca.intermediate.crt
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SHA1 Fingerprint=33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

GNUTLS example

³ examples indicating it might help.

Current state, intermediate cert is untrusted:

$ gnutls-cli marmalade-repo.org < /dev/null 2> /dev/null | grep Status
- Status: The certificate is NOT trusted. The certificate issuer is unknown.

After trusting the intermediate cert, your cert is trusted:

$ gnutls-cli --x509cafile=comodo.rsa.ca.intermediate.crt marmalade-repo.org < /dev/null 2> /dev/null | grep Status
- Status: The certificate is trusted.

Or adding the intermediate to my local trust store:

$ sudo tee -a /usr/share/ca-certificates/trust-source/anchors/comodo.rsa.ca.intermediate.crt < comodo.rsa.ca.intermediate.crt > /dev/null
$ gnutls-cli marmalade-repo.org < /dev/null 2> /dev/null | grep Status
- Status: The certificate is trusted.
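
Added example (not from this thread or the marmalade project): a POSIX shell helper that checks a PEM bundle of the kind the nginx ssl_certificate directive points at, the layout described above (leaf first, then its intermediate). It verifies that each certificate is followed by its issuer and that the last issuer is a known trust anchor, using only the openssl CLI; the optional CAFILE argument and the file names are assumptions.

```shell
#!/bin/sh
# check_chain: sanity-check a PEM bundle of the kind nginx's ssl_certificate points at.
# Expected layout: leaf first, each certificate followed by its issuer, and the last
# issuer must be a trust anchor the client already has. Assumes the openssl CLI.
# Usage: check_chain BUNDLE.pem [CAFILE.pem]  (CAFILE defaults to the system store)
check_chain() {
  bundle=$1; cafile=$2
  tmp=$(mktemp -d) || return 2
  # split the bundle into one numbered file per certificate, preserving order
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$bundle"
  rc=0; i=0; prev_issuer=""
  for cert in "$tmp"/*.pem; do
    [ -f "$cert" ] || { echo "no certificates found in $bundle" >&2; rc=1; break; }
    i=$((i + 1))
    subj=$(openssl x509 -noout -subject_hash -in "$cert")
    iss=$(openssl x509 -noout -issuer_hash -in "$cert")
    echo "cert $i: $(openssl x509 -noout -subject -in "$cert")"
    # every certificate after the first must be the issuer of the one before it
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "  chain break: cert $((i - 1)) was not issued by cert $i" >&2
      rc=1
    fi
    prev_issuer=$iss
  done
  if [ "$rc" -eq 0 ] && [ -n "$prev_issuer" ]; then
    [ "$subj" = "$prev_issuer" ] && echo "note: bundle ends with a self-signed root"
    # The last issuer must be found in the trust store (or CAFILE). This is the
    # step that fails for clients when only the leaf is served, as in this issue.
    if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
    if ! openssl verify "$@" -untrusted "$bundle" "$tmp/001.pem" >/dev/null 2>&1; then
      echo "  incomplete chain: issuer of cert $i is not a known trust anchor" >&2
      rc=1
    fi
  fi
  rm -rf "$tmp"
  return "$rc"
}
# When run as a script, check the bundle given on the command line.
if [ "$#" -gt 0 ]; then check_chain "$@"; fi
```

A bundle that passes this check with the default system store on the server is the one to hand to nginx; a leaf-only bundle fails at the trust-anchor step exactly as the gnutls-cli output above does.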

tolsen commented 7 years ago

I've run into this issue too. marmalade-repo.org is definitely missing an intermediate certificate.

onetom commented 7 years ago

Just downloaded Emacs 25.1-1 from https://emacsformacosx.com and installed the config from http://www.braveclojure.com/basic-emacs/ under ~/.emacs.d, started Emacs, ran M-x package-list-packages, and got an invalid certificate message about marmalade-repo.org shortly after some list of packages did appear.

jccode commented 6 years ago

same issue +1

lg2011 commented 5 years ago

same issue +1 (GNU Emacs 25.2.2)

pheaver commented 5 years ago

Broken for me, too. This certificate problem has been reported many times for a while now, and nothing is being done. Others have just stopped using marmalade, and that seems to be the only reasonable thing to do.