scala / scala-dev

Scala 2 team issues. Not for user-facing bugs or directly actionable user-facing improvements. For build/test/infra and for longer-term planning and idea tracking. Our bug tracker is at https://github.com/scala/bug/issues
Apache License 2.0

SSL issue on www.lightbend.com affecting the Dotty CLA check #855

Closed smarter closed 9 months ago

smarter commented 9 months ago

(Reporting here as requested by @SethTisue) The CLA check is failing in https://github.com/lampepfl/dotty/actions/runs/6442154587/job/17493043000?pr=18663 for example.

Running curl locally I see:

% curl https://www.lightbend.com/contribute/cla/scala/check/johnduffell
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

According to https://www.ssllabs.com/ssltest/analyze.html?d=www.lightbend.com :

This server's certificate chain is incomplete.

This can also be checked with openssl:

% openssl s_client -connect www.lightbend.com:443
...
Verification error: unable to verify the first certificate
...

gzm0 commented 9 months ago

I strongly suspect that the problem is that the Sectigo Intermediate certificate is not delivered by the server (server chain reply see here: https://github.com/scala-js/scala-js/pull/4909#issuecomment-1751809885). When looking at how Chrome validates the full chain, the top level certificate is valid. Probably Chrome just has the intermediate in its own store.
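
The check discussed above, as an added example that is not part of the original thread or of any project's code: it reads the "Certificate chain" section that `openssl s_client` prints and reports when the server sent no intermediate, which is what makes curl fail while a client that already holds the intermediate succeeds. The sample outputs, certificate names and the `TRUSTED_ROOTS` set are constructed placeholders, and matching on names is a simplification of real path validation, which verifies signatures.

```python
import re

# Constructed samples in the layout `openssl s_client -connect host:443` prints.
# Names are placeholders, not the real www.lightbend.com chain.
LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
---
Server certificate
"""

WITH_INTERMEDIATE = """\
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
"""

TRUSTED_ROOTS = {"CN = Example Root CA"}  # stand-in for the client's CA bundle


def parse_chain(output):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    parts = output.split("Certificate chain", 1)
    if len(parts) < 2:
        return []
    # The section ends at the next "---" separator line (not a PEM "-----" line).
    body = parts[1].split("\n---\n", 1)[0]
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", body, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", body, re.M)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]


def diagnose(chain, trusted):
    """List the problems a client holding only `trusted` names would hit."""
    if not chain:
        return ["no certificates presented"]
    findings = []
    # Each certificate's issuer must be the subject of the next one sent.
    for (subj, iss), (nxt, _) in zip(chain, chain[1:]):
        if iss != nxt:
            findings.append(f"broken link: {subj!r} issued by {iss!r}, next is {nxt!r}")
    # The last certificate sent must be issued by something the client holds.
    last_subj, last_iss = chain[-1]
    if last_iss != last_subj and last_iss not in trusted:
        findings.append(f"incomplete chain: issuer {last_iss!r} not sent and not trusted")
    return findings
```

Passing a `trusted` set that also contains the intermediate's name models a client that already has the intermediate in its own store: the leaf-only chain then produces no finding.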

SethTisue commented 9 months ago

I've asked Lightbend IT to take a look.

JustinPihony commented 9 months ago

Hi @smarter - could you please try again? We had some hiccups in our servers and I believe this may have been related to that. Otherwise we can dig a bit deeper as I cannot reproduce it currently.

sjrd commented 9 months ago

Hi. Thanks for looking into it. It appears to still be broken at least in this job, which I just reran: https://github.com/scala-js/scala-js/actions/runs/6446814222/job/17517368491

JustinPihony commented 9 months ago

Yes, thanks - I realized now that the CA chain is messed up. We are looking into that and will update once this is resolved.

JustinPihony commented 9 months ago

OK, please try now

sjrd commented 9 months ago

Thank you. It's working now. ✔️

smarter commented 9 months ago

Working in dotty too!