quicklisp / quicklisp-client

Quicklisp client.
http://www.quicklisp.org/
MIT License

beta.quicklisp.org: Certificate expired. #198

Closed j3pic closed 4 years ago

j3pic commented 4 years ago

I just had this error today in TravisCI:

+wget https://beta.quicklisp.org/quicklisp.lisp
--2020-05-31 01:34:47--  https://beta.quicklisp.org/quicklisp.lisp
Resolving beta.quicklisp.org (beta.quicklisp.org)... 13.227.47.68, 13.227.47.105, 13.227.47.117, ...
Connecting to beta.quicklisp.org (beta.quicklisp.org)|13.227.47.68|:443... connected.
ERROR: cannot verify beta.quicklisp.org's certificate, issued by ‘CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR’:
  Issued certificate has expired.
To connect to beta.quicklisp.org insecurely, use `--no-check-certificate'.

quicklisp commented 4 years ago

Thank you for reporting this. I get similar results on some of my computers, but not all of them.

When I view https://beta.quicklisp.org/dist/quicklisp/2020-04-27/systems.txt in my browser and view the certificate, it shows that it does not expire until 2021. And when I use curl on my laptop, that link is fetched without an error.

But on my server computers, both wget and curl complain that the certificate is expired. However, I also get this (note the 2021 "Not After" date):

$ echo | openssl s_client -showcerts -servername beta.quicklisp.org -connect beta.quicklisp.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cc:29:ee:bb:3d:9c:ca:1d:71:f0:19:e7:58:ab:b2:25
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
        Validity
            Not Before: May 4 00:00:00 2019 GMT
            Not After : May 30 23:59:59 2021 GMT
        Subject: OU=Domain Control Validated, OU=Gandi Standard Wildcard SSL, CN=*.quicklisp.org

I don't understand what causes the expired certificate error yet. Any insight is most welcome.

quicklisp commented 4 years ago

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 suggests that the client system needs an update, rather than the certificate. I'm still investigating.

phoe commented 4 years ago

See https://whatsmychaincert.com/?beta.quicklisp.org for more information.

quicklisp commented 4 years ago

I think this is fixed. I removed an expired intermediate cert from the cloudfront configuration. It seems to work for me. Can you confirm that it is working for you, please?

phoe commented 4 years ago

https://whatsmychaincert.com/?beta.quicklisp.org responds that the website now has a correct chain.

quicklisp commented 4 years ago

I'll consider it good, then. Please let me know of any new or persisting issues.
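
The `openssl x509` command quoted earlier in the thread parses only the first certificate on its input, so it reported the leaf's 2021 date and never looked at the intermediates the server also sends. An added example (not part of the thread or of the Quicklisp project) that checks every certificate in the served chain; the function names and sample CNs are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Sample certificate names are constructed.
# `openssl x509` parses only the FIRST certificate on its input, so piping
# `s_client -showcerts` into it reports the leaf and hides the intermediates.

# check_chain FILE|- [SECONDS]: one status line per certificate in a PEM
# bundle. Returns 1 if any certificate is expired (or expires within
# SECONDS), 2 if the input holds no certificate, 0 otherwise.
check_chain() (
    bundle=$1; window=${2:-0}; i=1; bad=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle: every BEGIN line opens a new numbered file; text
    # between certificates (s_client's chain listing) is dropped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    while [ -f "$tmp/$i.pem" ]; do
        if openssl x509 -in "$tmp/$i.pem" -noout -checkend "$window" >/dev/null
        then status=OK
        else status=FAIL; bad=1
        fi
        printf '%s [%d] %s | %s\n' "$status" "$i" \
            "$(openssl x509 -in "$tmp/$i.pem" -noout -subject)" \
            "$(openssl x509 -in "$tmp/$i.pem" -noout -enddate)"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$i" -gt 1 ] || return 2
    return "$bad"
)

# make_sample_cert CN DAYS: constructed self-signed certificate on stdout,
# used only to exercise check_chain offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/CN=$1" -days "$2" 2>/dev/null
}

# Live use, with the same s_client invocation as in the thread:
#   ./check_chain.sh beta.quicklisp.org
if [ "$#" -eq 1 ]; then
    echo | openssl s_client -showcerts -servername "$1" -connect "$1:443" \
        2>/dev/null | check_chain -
fi
```

A `FAIL` on any entry after `[1]` is the situation this issue describes: the leaf is valid, but a certificate further up the served chain is not.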