Open mrschyte opened 8 years ago
@nicferrier can you please look into the issue?
@nicferrier Ping?
I've just run into this, too. Under nginx, the file listed for ssl_certificate should contain both the certificate for marmalade-repo.org¹ and its intermediate certificate². The issuer of the intermediate cert (COMODO RSA Certification Authority) is trusted on most systems, AFAICT.
Correcting the chain might help with other issues (#58, #134, and #140), where there are GNUTLS-related issues at play³ and/or on Linux distros that don't include the intermediate cert.
¹ the certificate currently present:
$ openssl x509 -noout -subject -fingerprint -issuer < marmalade-repo.org.server.crt
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=marmalade-repo.org
SHA1 Fingerprint=6E:08:0A:47:7D:14:63:1D:2E:DF:83:9D:E5:82:AC:04:D4:36:3D:09
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
² the certificate for its issuer, available from COMODO's Knowledgebase:
$ openssl x509 -noout -subject -fingerprint -issuer < comodo.rsa.ca.intermediate.crt
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SHA1 Fingerprint=33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
³ examples indicating it might help.
Current state, intermediate cert is untrusted:
$ gnutls-cli marmalade-repo.org < /dev/null 2> /dev/null | grep Status
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
After trusting the intermediate cert, your cert is trusted:
$ gnutls-cli --x509cafile=comodo.rsa.ca.intermediate.crt marmalade-repo.org < /dev/null 2> /dev/null | grep Status
- Status: The certificate is trusted.
Or adding the intermediate to my local trust store:
$ sudo tee -a /usr/share/ca-certificates/trust-source/anchors/comodo.rsa.ca.intermediate.crt < comodo.rsa.ca.intermediate.crt > /dev/null
$ gnutls-cli marmalade-repo.org < /dev/null 2> /dev/null | grep Status
- Status: The certificate is trusted.
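The chain problem described in the comment above, reproduced offline as an added example that is not part of the thread: it builds a constructed root, intermediate and leaf, then verifies a leaf-only bundle and a leaf-plus-intermediate bundle against a trust store holding only the root. All file names and CNs are hypothetical, and the real marmalade-repo.org and COMODO certificates are not used.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: throwaway root -> intermediate -> leaf. All names are
# hypothetical; nothing here contacts marmalade-repo.org or uses its real certs.

new_csr() {  # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_demo_pki() {  # $1 = empty working directory
  local d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  new_csr "$d/root" "Demo Root CA"
  new_csr "$d/int"  "Demo Intermediate CA"
  new_csr "$d/leaf" "repo.example.test"
  # Self-signed root: the only certificate the client has in its trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate signed by the root; leaf signed by the intermediate.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null
  # Leaf-only file (the misconfiguration) vs. the corrected ssl_certificate file.
  cp "$d/leaf.crt" "$d/served-incomplete.pem"
  cat "$d/leaf.crt" "$d/int.crt" > "$d/served-fullchain.pem"
}

# Verify a bundle the way a client sees it: the first certificate is the
# server's, every certificate in the file is offered as an untrusted helper,
# and only the root in $1 is trusted.
bundle_verifies() {  # $1 = trusted root file, $2 = served PEM bundle
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  local d b; d=$(mktemp -d)
  make_demo_pki "$d"
  for b in served-incomplete.pem served-fullchain.pem; do
    if bundle_verifies "$d/root.crt" "$d/$b"; then echo "$b: trusted"
    else echo "$b: NOT trusted (issuer unknown)"; fi
  done
  rm -rf "$d"
}
demo
```

The same `bundle_verifies` call can be pointed at a real `ssl_certificate` file and the root it should chain to before reloading nginx.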
I've run into this issue too. marmalade-repo.org is definitely missing an intermediate certificate.
Just downloaded Emacs 25.1-1 from https://emacsformacosx.com and installed the config from http://www.braveclojure.com/basic-emacs/ under ~/.emacs.d, started Emacs, then ran M-x package-list-packages and got an invalid certificate message about marmalade-repo.org shortly after a list of packages appeared.
same issue +1
same issue +1 (GNU Emacs 25.2.2)
Broken for me, too. This certificate problem has been reported many times for a while now, and nothing is being done. Others have just stopped using marmalade, and that seems to be the only reasonable thing to do.
Hi,
The marmalade-repo.org server sends an incomplete SSL certificate chain when connecting. This makes Emacs, openssl and curl fail when trying to connect on certain Linux distros, since the missing certs are not included in the trust store.
Can you please include the certificates marked by Qualys as "Extra Download" in the certificate bundle?
Thanks!