Date: Fri, 17 Jun 2016 12:49:38 +0200 From: Dimitry Andric <dim@FreeBSD.org> To: Wolfgang Zenker <wolfgang@lyxys.ka.sub.org> Cc: freebsd-stable@freebsd.org Subject: Re: new certificate for svn.freebsd.org? Message-ID: <64B427C8-47EE-4453-8A4A-BEA13D548EC7@FreeBSD.org> In-Reply-To: <20160616232110.GA47529@lyxys.ka.sub.org> References: <20160616232110.GA47529@lyxys.ka.sub.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_B53991F2-9CB6-409D-A256-E1FC62C5C6DD Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii On 17 Jun 2016, at 01:21, Wolfgang Zenker <wolfgang@lyxys.ka.sub.org> wrote: > > I'm getting presented a new SSL certificate for svn.freebsd.org. > Like the previous one, it can not be verified by svnlite on any > of my 10-STABLE machines, though ca_root_nss is installed. But > the previous certificate at least matched the fingerprint given > on https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/svn.html > > Trying to update: > # svnlite up /usr/src > Updating '/usr/src': > Error validating server certificate for 'https://svn.freebsd.org:443': > - The certificate is not issued by a trusted authority. Use the > fingerprint to validate the certificate manually! > Certificate information: > - Hostname: svn.freebsd.org > - Valid: from Jun 15 00:00:00 2016 GMT until Jun 29 23:59:59 2017 GMT > - Issuer: Gandi Standard SSL CA 2, Gandi, Paris, Paris, FR > - Fingerprint: 86:5C:C5:84:F5:2D:40:FA:C6:F9:F0:D9:F5:40:D0:D5:6B:90:CB:CE The fingerprint looks good. > (R)eject, accept (t)emporarily or accept (p)ermanently? > > Is it just me? No, probably everybody who doesn't have ca_root_nss installed. Make sure you have that package installed, and a symlink /etc/ssl/cert.pem pointing to /usr/local/share/certs/ca-root-nss.crt. Alternatively, manually append the following certificate (CN=AddTrust External CA Root) to /etc/ssl/cert.pem: -----BEGIN CERTIFICATE----- MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= -----END CERTIFICATE----- -Dimitry --Apple-Mail=_B53991F2-9CB6-409D-A256-E1FC62C5C6DD Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.30 iEYEARECAAYFAldj1csACgkQsF6jCi4glqNG0ACg5Lrg1YwZirLuA7AS025bA17q YOIAoKmbXfyRZUYYJD64EkBjdCr1W0LU =mTOQ -----END PGP SIGNATURE----- --Apple-Mail=_B53991F2-9CB6-409D-A256-E1FC62C5C6DD--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?64B427C8-47EE-4453-8A4A-BEA13D548EC7>