
#1 2020-12-24 20:19:49

twoion
ほやほや
Registered: 2015-08-10
Posts: 3,248

PSA: Fixed intermittent issues with SSL for BunsenLabs repositories

Apparently we can't catch a break on Christmas Eve! You may have noticed package updates and installs failing on BunsenLabs repositories today with a message similar to "Certificate verification failed: The certificate is NOT trusted." Likewise, if you consumed BunsenLabs APIs such as the Atom feed from forums.bunsenlabs.org or www.bunsenlabs.org in any software that runs on Debian and doesn't have its own up-to-date certificate store, your software may have failed with a message such as "certificate verify failed: unable to get local issuer certificate". These problems were introduced due to our Let's Encrypt certificates renewing on the 24th, introducing a major change in the Let's Encrypt chain of trust consisting of a CA root transition.

Fix upcoming. Users do not have to take any action.

As you may have noticed, using the BunsenLabs websites through browsers like Firefox and Chromium didn't result in any errors, because those browsers ship their own CA stores which already are updated.


Nassdachs

Offline

#2 2020-12-25 02:01:33

phuturism
Member
From: Melbourne
Registered: 2016-07-15
Posts: 179

Re: PSA: Fixed intermittent issues with SSL for BunsenLabs repositories

Update at 02.07 UTC worked fine.

Offline

#3 2020-12-25 15:07:05

twoion
ほやほや
Registered: 2015-08-10
Posts: 3,248

Re: PSA: Fixed intermittent issues with SSL for BunsenLabs repositories

After adjusting the server certificate bundle (fullchain) that it presents as the certificate, the issue appears to have been resolved. While Debian ca-certificates still does not include the LE roots directly as other distros like Arch do, by including the full chain (which for this issue was still including the old chain of trust instead of the new one (courtesy of 6 year old custom scripts predating almost any mainstream ACME clients)), the issue appears to be resolved. It is likely that SSL might stop working for pre-Lithium releases.

I've rolled out the new certificates to www.bunsenlabs.org and forums.bunsenlabs.org and will continue slowly with our other endpoints. The package domains will be updated only after careful testing.


Nassdachs

Offline

#4 2020-12-25 21:31:22

DeepDayze
Like sands through an hourglass...
From: In Linux Land
Registered: 2017-05-28
Posts: 1,278

Re: PSA: Fixed intermittent issues with SSL for BunsenLabs repositories

twoion wrote:

After adjusting the server certificate bundle (fullchain) that it presents as the certificate, the issue appears to have been resolved. While Debian ca-certificates still does not include the LE roots directly as other distros like Arch do, by including the full chain (which for this issue was still including the old chain of trust instead of the new one (courtesy of 6 year old custom scripts predating almost any mainstream ACME clients)), the issue appears to be resolved. It is likely that SSL might stop working for pre-Lithium releases.

I've rolled out the new certificates to www.bunsenlabs.org and forums.bunsenlabs.org and will continue slowly with our other endpoints. The package domains will be updated only after careful testing.

So for at least Helium will there be a fix for this as well?

As this is a major change to CAs hopefully there will be a fixed ca-certs package made available to older releases of Debian to allow SSL on older releases to continue to work.

Haven't seen any Debian bug reports on this.

Last edited by DeepDayze (2020-12-25 21:43:38)


Real Men Use Linux

Offline

#5 2021-01-02 11:35:21

twoion
ほやほや
Registered: 2015-08-10
Posts: 3,248

Re: PSA: Fixed intermittent issues with SSL for BunsenLabs repositories

The repository certificates have all been updated and seem to work well (for Lithium).

If there are any issues in older BL releases, switch to plain HTTP:// repository URLs. This is not a big issue because the chain of trust is still unbroken as our repositories are signed with a PGP key, which is validated against before trusting anything from the repos.


Nassdachs

Offline
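
Post #5 says that trust in the repositories comes from the signed metadata rather than from the transport. The following is an added example, not part of the thread and not BunsenLabs or apt code, showing the hash chain that hangs off a signed Release file. It assumes the signature on Release was already verified with the repository key (apt does this with gpgv), and all file contents and names in it are constructed.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 field of a Release file."""
    entries, in_field = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_field = False
    return entries

def parse_stanza(stanza):
    """Parse one stanza of a Packages index, ignoring continuation lines."""
    lines = [l for l in stanza.splitlines() if ": " in l and not l.startswith(" ")]
    return dict(l.split(": ", 1) for l in lines)

def matches(data, digest, size):
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def verify_download(release_text, index_path, index_bytes, package, deb_bytes):
    """Check the index against Release, then the .deb against the index.
    Assumption: the signature on Release was already verified (apt uses gpgv)."""
    listed = parse_release_sha256(release_text).get(index_path)
    if listed is None or not matches(index_bytes, *listed):
        return "index rejected"
    for stanza in index_bytes.decode().split("\n\n"):
        fields = parse_stanza(stanza)
        if fields.get("Package") == package:
            ok = matches(deb_bytes, fields["SHA256"], int(fields["Size"]))
            return "ok" if ok else "package rejected"
    return "package not listed"

# Constructed sample data, not real repository content.
DEB = b"constructed stand-in for a .deb archive"
INDEX_PATH = "main/binary-amd64/Packages"
INDEX = ("Package: example-pkg\nVersion: 1.0\n"
         "Filename: pool/main/e/example-pkg_1.0_all.deb\n"
         f"Size: {len(DEB)}\nSHA256: {hashlib.sha256(DEB).hexdigest()}\n").encode()
RELEASE = ("Origin: Example\nSuite: example\nSHA256:\n"
           f" {hashlib.sha256(INDEX).hexdigest()} {len(INDEX)} {INDEX_PATH}\n")

if __name__ == "__main__":
    print(verify_download(RELEASE, INDEX_PATH, INDEX, "example-pkg", DEB))
    print(verify_download(RELEASE, INDEX_PATH, INDEX, "example-pkg", DEB + b"x"))
    print(verify_download(RELEASE, INDEX_PATH, INDEX + b"x", "example-pkg", DEB))
```

A package or index altered in transit over plain HTTP fails one of the two hash checks, which is why the integrity guarantee does not depend on TLS; confidentiality of what is being downloaded is a separate matter that only the transport provides.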

#6 2021-01-02 17:16:45

DeepDayze
Like sands through an hourglass...
From: In Linux Land
Registered: 2017-05-28
Posts: 1,278

Re: PSA: Fixed intermittent issues with SSL for BunsenLabs repositories

twoion wrote:

The repository certificates have all been updated and seem to work well (for Lithium).

If there are any issues in older BL releases, switch to plain HTTP:// repository URLs. This is not a big issue because the chain of trust is still unbroken as our repositories are signed with a PGP key, which is validated against before trusting anything from the repos.

Cool and I might try a Helium live session USB stick I still have and attempt updating repos in live session to see what happens. Most likely I'll have to update the BL key package in the live session first however to make sure the key is current.


Real Men Use Linux

Offline
