
Suggestion: Add the Let's Encrypt Root & Intermediate certificates to the installer #3375

Closed

tom-11880 opened this issue Aug 19, 2021 · 9 comments

Comments

tom-11880 commented Aug 19, 2021

  • I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
git version 2.32.0.windows.2
cpu: x86_64
built from commit: 3d45ac813c4adf97fe3733c1f763ab6617d5add5
sizeof-long: 4
sizeof-size_t: 8
shell-path: /bin/sh
feature: fsmonitor--daemon
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
$ cmd.exe /c ver

Microsoft Windows [Version 10.0.19042.1165]
  • What options did you set as part of the installation? Or did you choose the
    defaults?
# One of the following:
> type "C:\Program Files\Git\etc\install-options.txt"
> type "C:\Program Files (x86)\Git\etc\install-options.txt"
> type "%USERPROFILE%\AppData\Local\Programs\Git\etc\install-options.txt"
$ cat /etc/install-options.txt

Editor Option: Notepad++
Custom Editor Path: 
Default Branch Option: main
Path Option: Cmd
SSH Option: OpenSSH
Tortoise Option: false
CURL Option: OpenSSL
CRLF Option: CRLFCommitAsIs
Bash Terminal Option: MinTTY
Git Pull Behavior Option: Merge
Use Credential Manager: Core
Performance Tweaks FSCache: Enabled
Enable Symlinks: Disabled
Enable Pseudo Console Support: Enabled
Enable FSMonitor: Disabled

  • Any other interesting things about your environment that might be related
    to the issue you're seeing?

** insert your response here **

Details

  • Which terminal/shell are you running Git from? e.g Bash/CMD/PowerShell/other

Git Bash

I tried to do a git push to a repository running on a gogs server with a Let's Encrypt SSL certificate.
  • What did you expect to occur after running these commands?

I expected the push to succeed

  • What actually happened instead?

I got the following error message: SSL certificate problem: unable to get local issuer certificate.

  • If the problem was occurring with a specific repository, can you provide the
    URL to that repository to help us with testing?

No, it is not a public URL.

I was able to fix the problem by adding the Let's Encrypt R3 certificate from https://letsencrypt.org/certificates/ to the bottom of
C:\Program Files\Git\mingw64\ssl\certs\ca-bundle.crt

Probably it would be a good idea to amend the installer with these certificates as well, since more and more servers are using Let's Encrypt certificates.

rimrul (Member) commented Aug 19, 2021

The bundle is generated based on Mozilla's CA list and should include Let's Encrypt's ISRG Root X1.

tom-11880 (Author):

Thanks for the clarification.

The certificate path of the server certificate looks like this:

[screenshot: certificate path of the server certificate]

As I wrote, I just amended the ca-bundle file with the R3 certificate to get it working.

Not sure what I need to change on the gogs server side to get a certificate signed by the ISRG Root X1... I'll do some investigation though...

mfriedrich74 commented Aug 20, 2021 via email

tom-11880 (Author):

The certificate is brand new --- I set up the server 3 days ago.

tom-11880 (Author):

According to the page you referenced:

"Under normal circumstances, certificates issued by Let’s Encrypt will come from “R3”, an RSA intermediate."

The certificates for stackoverflow.com or letsencrypt.org are coming from R3 as well.

I just renewed the cert and it does come from R3

And according to https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ the R3 root expires on September 30.

mfriedrich74 commented Aug 21, 2021 via email

rimrul (Member) commented Aug 21, 2021

Our RSA intermediates are signed by ISRG Root X1. ISRG Root X1 is widely trusted at this point, but our RSA intermediates are still cross-signed by IdenTrust’s “DST Root CA X3” (now called “TrustID X3 Root”) for additional client compatibility. The IdenTrust root has been around longer and thus has better compatibility with older devices and operating systems (e.g. Windows XP, Android 7).

So it's probably just windows displaying only one of multiple certificate chains.

tom-11880 (Author):

Confusing - but thanks for your support anyway :-)

I'm using a powershell module named "Posh-ACME", which (as I just learned) has a -PreferredChain parameter... I will test this on Monday and come back later with any findings ...

tom-11880 (Author) commented Aug 21, 2021

I fixed the problem.

Instead of fiddling around with the local ca-bundle.crt, I added the intermediate R3 certificate to the end of the server certificate file and restarted gogs.
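The failure in this thread (the client trusts the root, but the server sends only its leaf certificate, so the client cannot find the R3 issuer) and the fix in the last comment (serve the intermediate together with the leaf) can be reproduced offline. The script below is an added example, not code from the issue or from the Git for Windows project. It builds a throwaway root -> intermediate -> leaf PKI with openssl, then verifies the leaf against a trust store that holds only the root, once with a "served" file containing the leaf alone and once with leaf plus intermediate. The CA names (Demo Root X1, Demo R3), the host name gogs.example.test and the working directory are constructed for the demo; it assumes an openssl binary (1.1.1 or newer) on PATH, which Git Bash provides.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" offline.
# A throwaway PKI stands in for the real chain:
#   Demo Root X1 (trusted by the client) -> Demo R3 (intermediate) -> gogs.example.test (leaf)
# All names and paths below are constructed for this demo.
set -e
WORK="${WORK:-${TMPDIR:-/tmp}/chain-demo.$$}"

# Issue one certificate with "openssl x509 -req". Extensions come from a small
# extfile so the result does not depend on the system openssl.cnf.
make_demo_pki() {
  mkdir -p "$WORK"
  # Self-signed root: the only certificate the demo client will trust.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Demo Root X1" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/root.ext"
  openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate signed by the root (plays the role of R3).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Demo R3" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/int.ext"
  openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 1000 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  # Leaf for the server, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=gogs.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:gogs.example.test\n' >"$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 1001 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
  # What a correctly configured server sends: the leaf first, then the intermediate.
  cat "$WORK/leaf.pem" "$WORK/int.pem" >"$WORK/fullchain.pem"
}

# Emulate a client whose CA bundle holds only the root (as ca-bundle.crt holds
# ISRG Root X1 but not R3). $1 is the file of certificates the server hands out;
# the client treats them as untrusted material it may use to build the chain.
# Prints "OK" or the reason openssl gives for rejecting the leaf.
verify_as_client() {
  served="$1"
  if out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$served" "$WORK/leaf.pem" 2>&1); then
    echo "OK"
  else
    # e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

make_demo_pki
echo "server sends leaf only:           $(verify_as_client "$WORK/leaf.pem")"
echo "server sends leaf + intermediate: $(verify_as_client "$WORK/fullchain.pem")"
echo "demo files left in $WORK"
```

Against a real server the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`: if only one certificate is printed, the server is not sending its intermediate, and appending that intermediate to the server's certificate file (as the final comment did) is the right fix. Adding R3 to ca-bundle.crt on each client merely hides the misconfiguration and has to be repeated whenever Let's Encrypt rotates its intermediate.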
