Closed briatte closed 3 years ago
Yeah, essurvey
is facing a rough patch at the moment. Maybe others can help to figure this out.
It seems that https://www.europeansocialsurvey.org/ updated their security certificates to very new certificate (something that was published maybe a week ago). This has the problem of this:
curl -v https://europeansocialsurvey.org/
* Trying 129.177.90.95:443...
* TCP_NODELAY set
* Connected to europeansocialsurvey.org (129.177.90.95) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Pretty much no one can make requests to their website unless they have their local certificates updated to ESS's new certificates. Chrome and Firefox come bundled up with their own certificates and they take care of updating them automatically. But CRAN, Travis, GH actions haven't updated them. This means that all functions from essurvey
fail when called in any of these services, raising errors in tests, examples, vignettes and the like. I will definitely resubmit essurvey
to CRAN but I still don't know how to approach this problem. Some have suggested that we convince CRAN to update their certificates, so we might have to go that way.
I will reach out to rOpensci, in case they've experience this before and know a workaround. Any ideas? Can you actually try to make the curl request and see if you experience the same?
As far as I can tell, it's not a problem of the certificate being too new for R (as opposed to web browsers). The certificate chain is misconfigured and this is what's causing problems: https://whatsmychaincert.com/?europeansocialsurvey.org
Browsers are pretty clever and work around this problem but it's still a bug on ESS's side.
Do you have any way to report it to them?
As far as I can tell, it's not a problem of the certificate being too new for R (as opposed to web browsers). The certificate chain is misconfigured and this is what's causing problems: https://whatsmychaincert.com/?europeansocialsurvey.org
Browsers are pretty clever and work around this problem but it's still a bug on ESS's side.
Do you have any way to report it to them?
If @cimentadaj agrees, I can do that, copying him to the email. I'm not sure if I still know anyone at ESS, but I can figure it out.
@Bisaloo — do you believe that I should email them the result of the "Generate chain" download button right at the bottom of the Web page you linked?
I would copy the link to the website (https://whatsmychaincert.com/?europeansocialsurvey.org) instead of sending just the fix.
This problem might be completely new to some people so I think it's nice to have the small explanation at the beginning, the diagnostic, and then the solution.
@briatte, go ahead, that would be great. Feel free to cc me. @djhurio might know someone as well.
I have sent an e-mail to the ESS media relations officer Stefan Swift. He should know someone responsible for the ESS website.
SSL chain has been fixed. Looks good now. https://whatsmychaincert.com/?www.europeansocialsurvey.org
Thank you @djhurio , @briatte and @Bisaloo. essurvey
is now passing and back to normal. Resubmitting to CRAN within a day.
essurvey
is now back on CRAN!
Curious to know what policy we violated…