CA file outdated #3450
Comments
You forgot to search the closed issues (the issue search annoyingly provides the #3375 "Add the Let's Encrypt Root & Intermediate certificates to the installer" discussion is worth a review. I think it has the answer, though it's not my area. HTH.
Our certificate bundle includes the self-signed `openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443` Is your server potentially configured to distribute the cross-signed
Let's Encrypt will continue to serve the cross-signed chain as a default until Jan 11th ( https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html ). I see that users with DST Root X3 still in their CA bundle do have connectivity issues when connecting to services that use the default chain. This is one of the reasons why it was removed from the ca-certificates packages ( https://ubuntu.com/security/notices/USN-5089-1 ). I think it is wise to update the CA file in git-for-windows as well.
Ok, taking a closer look at this, the changes to
That is January 11th 2021, though.
The changes to
Oh, my bad. I guess I found a bad/old reference. I was observing DST in the chain and went out to find a reason why :) guess I found a wrong one. Sorry. This might be a better reference: https://community.letsencrypt.org/t/providing-a-longer-certificate-chain-by-default/148738 What I am observing is that users using git with https on the default Let's Encrypt chain are hitting SSL cert expiry errors. Seeing it on git-for-windows and on Ubuntu. On Ubuntu it was solved by updating CA certificates to get rid of the DST root.
Thanks for the quick turnaround :)
Seems it was merged 6h ago, and
@rimrul what's your plan regarding
Pulling it up to 20210119 and patching out DST X3, so that it's basically the same as
Thank you for your untiring efforts! It was a good feeling to know you'd be holding down the fort while I was away.
And here's the PR for
The CI picked it up for
Upstream no longer builds MSYS packages for i686. If we want it, we have to build it ourselves. But I'm not really sure we need to do that: the MSYS version is only relevant in workflows involving MSYS software such as Perl (used in Having said that, in ARM64 setups, this might be relevant.
And the reason is that that was the last and only time in 2021 any packages were uploaded to https://repo.msys2.org/msys/i686/. I guess that means we'll have to keep track of all Msys2-Packages in the SDK in
I am loath to do that: it would mean that we now have to maintain all of them, even the x86_64 variants. That'd add substantially to my maintenance burden. Maybe we just keep it at
I don't like it either, but the mess is much bigger than
Is there any "any" package? I don't think so...
True. I hope we can abandon i686 soon. Visual Studio's support for i686 will end in 2025 or something like that.
I'll try to generate a list in a few hours.
That'll be some work to get ARM64 into shape to not require it as a fallback anymore. Doable, but definitely work.
And Portable Git 2.33.0(2) includes different versions of less, depending on bitness.
You know what? It occurred to me that we can set up a new GitHub workflow to specifically build and upload i686 packages, without trying to upgrade their definitions to the latest component version. That way, we could sync, say,
Yes, that sounds like a reasonable idea. Most of the upstream packages probably build fine on i686, so that should work fairly well.
I generated an overview of the diverging packages. It's all relatively close together, for now:
I have a prototype of an action to sync some packages from MSYS2 in my repo, but I'll need to review the list of packages we need to sync. I don't think we need all 200+ packages I currently have on my list (looking at those 11 versions of
Quite honestly, I hope we can do with a more manual approach. But your workflow looks pretty good to me even so, so if you want to go for it, I'll merge it once you're ready. I'd just like to caution that
Yes, I don't think I'll add
I'm just thinking the semi-automatic approach can help us keep the package-maintenance burden reasonably low while also keeping the 32-bit and 64-bit releases as similar as possible, to prevent issues that only affect one version.
@rimrul okay, let's go for it.
The newest snapshot has the fix.
Issue is still existent
No, DST X3 is not in the ca bundle for that version.
Hi.
After installing Git for Windows I try to access my git via https with a Let's Encrypt certificate.
I got:
fatal: unable to access 'https://gitserver.test.de/repo': SSL certificate problem: certificate has expired
SSL Labs confirmed that my certificate is valid. For me it looks like https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ is the problem.
After switching to schannel all works fine. So please update the CA file.
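One way to check for the condition reported above, added here as an example that is not part of this issue thread or of Git for Windows: the script walks a PEM CA bundle with a minimal DER decoder from the Python standard library and lists every certificate whose notAfter date has already passed, which is how an outdated bundle (one still carrying a root that expired in September 2021) shows up before any `certificate has expired` error is seen. It does not verify signatures; it only reads the validity and subject fields. The two certificates in `SAMPLE_BUNDLE` are fabricated on the fly by `sample_cert`, are unsigned, and are not real CAs; their names and dates are constructed for the demonstration.

```python
"""Audit a PEM CA bundle for expired certificates using only the standard library."""
import base64
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3


def der_read(buf, pos):
    """Decode one DER tag-length-value element at pos -> (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE or SET into its (tag, value) elements."""
    children, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        children.append((tag, child))
    return children


def parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    # Python maps two-digit years 00-68 to 20xx; RFC 5280 pivots at 50, which only differs
    # for the years 1950-1968, when no X.509 certificate existed.
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def common_name(name):
    """Return the commonName from an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == CN_OID:
                return val.decode("utf-8")
    return "<no CN>"


def cert_summary(der_bytes):
    """Return (commonName, notBefore, notAfter) of one DER-encoded certificate."""
    _, cert, _ = der_read(der_bytes, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = (parse_time(t, v) for t, v in der_children(fields[3][1]))
    return common_name(fields[4][1]), not_before, not_after


def bundle_summaries(pem_text):
    """Summaries of every certificate in a PEM bundle, in file order."""
    return [cert_summary(base64.b64decode("".join(block.split())))
            for block in PEM_BLOCK.findall(pem_text)]


def expired_certs(pem_text, now=None):
    """List (commonName, notAfter) for each bundle certificate whose validity has ended."""
    now = now or datetime.now(timezone.utc)
    return [(cn, not_after) for cn, _, not_after in bundle_summaries(pem_text) if not_after < now]


# --- constructed sample data below; the encoder exists only to fabricate test certificates ---
def der(tag, payload):
    """Minimal DER encoder for payloads under 64 KiB."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload


def sample_cert(cn, not_before, not_after):
    """Build a structurally valid, unsigned, constructed certificate (not a real CA)."""
    def utc(dt):
        return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name + der(0x30, utc(not_before) + utc(not_after)) + name + der(0x30, b""))
    body = base64.b64encode(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed bundle: one root whose validity ended on 2021-09-30 and one that is still current.
SAMPLE_BUNDLE = (sample_cert("Constructed Expired Root",
                             datetime(2000, 9, 30, tzinfo=timezone.utc),
                             datetime(2021, 9, 30, 14, 1, 15, tzinfo=timezone.utc))
                 + sample_cert("Constructed Current Root",
                               datetime(2015, 6, 4, tzinfo=timezone.utc),
                               datetime(2035, 6, 4, tzinfo=timezone.utc)))

if __name__ == "__main__":
    # Replace SAMPLE_BUNDLE with open("/path/to/ca-bundle.crt").read() to audit a real bundle.
    for cn, not_after in expired_certs(SAMPLE_BUNDLE):
        print(f"EXPIRED: {cn} (notAfter {not_after:%Y-%m-%d %H:%M:%S})")
```

On a real bundle the same call reports any root that is past its notAfter date; removing such entries (as the Ubuntu ca-certificates update referenced in the thread did for DST Root X3) is the remediation, since a verifier that stops at an expired anchor fails the whole chain even when the leaf is valid.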