R devel - May 2020 - r-project.org SSL certificate issues

On macOS 10.15.5 and R-devel:
> download.file("https://www.r-project.org", tempfile())
trying URL 'https://www.r-project.org'
Error in download.file("https://www.r-project.org", tempfile()) :
  cannot open URL 'https://www.r-project.org'
In addition: Warning message:
In download.file("https://www.r-project.org", tempfile()) :
  URL 'https://www.r-project.org': status was 'SSL peer certificate
or
SSH remote key was not OK'

https://www.ssllabs.com/ssltest says:

COMODO RSA Certification Authority
Fingerprint SHA256:
4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRMEValid untilSat, 30 May
2020 10:48:38 UTC (expired 8 hours and 51
minutes ago)   EXPIRED

AFAICT this is the reason:
https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020

FYI,
Gabor

Yep. It should switch to Let's Encrypt with the automated cert renewals
ASAP.

On Sat, May 30, 2020 at 4:17 PM G?bor Cs?rdi <csardi.gabor at gmail.com>
wrote:
>
> On macOS 10.15.5 and R-devel:
>
> > download.file("https://www.r-project.org", tempfile())
> trying URL 'https://www.r-project.org'
> Error in download.file("https://www.r-project.org", tempfile()) :
>   cannot open URL 'https://www.r-project.org'
> In addition: Warning message:
> In download.file("https://www.r-project.org", tempfile()) :
>   URL 'https://www.r-project.org': status was 'SSL peer
certificate or
> SSH remote key was not OK'
>
> https://www.ssllabs.com/ssltest says:
>
> COMODO RSA Certification Authority
> Fingerprint SHA256:
> 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
> Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME> Valid untilSat,
30 May 2020 10:48:38 UTC (expired 8 hours and 51
> minutes ago)   EXPIRED
>
> AFAICT this is the reason:
>
https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020
>
> FYI,
> Gabor
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel

Odd. Safari has no problem and says certificate expires August 16 2020, but I
also see the download.file issue with 4.0.1 beta:
> download.file("https://www.r-project.org", tempfile())
trying URL 'https://www.r-project.org'
Error in download.file("https://www.r-project.org", tempfile()) : 
  cannot open URL 'https://www.r-project.org'
In addition: Warning message:
In download.file("https://www.r-project.org", tempfile()) :
  URL 'https://www.r-project.org/': status was 'Peer certificate
cannot be authenticated with given CA certificates'

(note slightly different error message).

svn is also affected:

Peters-MacBook-Air:R pd$ svn up
Updating '.':
Error validating server certificate for 'https://svn.r-project.org:443':
 - The certificate has expired.
Certificate information:
 - Hostname: *.r-project.org
 - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT
 - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited,
Salford, Greater Manchester, GB
 - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D
(R)eject, accept (t)emporarily or accept (p)ermanently? t
U    src/library/grid/R/grob.R
....

ssltest shows two certificates of which only one is expired?

-pd


> On 30 May 2020, at 22:17 , G?bor Cs?rdi <csardi.gabor at gmail.com>
wrote:
> 
> On macOS 10.15.5 and R-devel:
> 
>> download.file("https://www.r-project.org", tempfile())
> trying URL 'https://www.r-project.org'
> Error in download.file("https://www.r-project.org", tempfile()) :
>  cannot open URL 'https://www.r-project.org'
> In addition: Warning message:
> In download.file("https://www.r-project.org", tempfile()) :
>  URL 'https://www.r-project.org': status was 'SSL peer
certificate or
> SSH remote key was not OK'
> 
> https://www.ssllabs.com/ssltest says:
> 
> COMODO RSA Certification Authority
> Fingerprint SHA256:
> 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
> Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME> Valid untilSat,
30 May 2020 10:48:38 UTC (expired 8 hours and 51
> minutes ago)   EXPIRED
> 
> AFAICT this is the reason:
>
https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020
> 
> FYI,
> Gabor
> 
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
-- 
Peter Dalgaard, Professor,
Center for Statistics, Copenhagen Business School
Solbjerg Plads 3, 2000 Frederiksberg, Denmark
Phone: (+45)38153501
Office: A 4.23
Email: pd.mes at cbs.dk  Priv: PDalgd at gmail.com

It's the top of chain CA cert, so browsers are being lazy and helpful
to humans by (incorrectly, albeit) relying on the existing trust
relationship.

libcurl (et al) is not nearly as forgiving.

On Sat, May 30, 2020 at 5:01 PM peter dalgaard <pdalgd at gmail.com>
wrote:
>
> Odd. Safari has no problem and says certificate expires August 16 2020, but
I also see the download.file issue with 4.0.1 beta:
>
> > download.file("https://www.r-project.org", tempfile())
> trying URL 'https://www.r-project.org'
> Error in download.file("https://www.r-project.org", tempfile()) :
>   cannot open URL 'https://www.r-project.org'
> In addition: Warning message:
> In download.file("https://www.r-project.org", tempfile()) :
>   URL 'https://www.r-project.org/': status was 'Peer
certificate cannot be authenticated with given CA certificates'
>
> (note slightly different error message).
>
> svn is also affected:
>
> Peters-MacBook-Air:R pd$ svn up
> Updating '.':
> Error validating server certificate for
'https://svn.r-project.org:443':
>  - The certificate has expired.
> Certificate information:
>  - Hostname: *.r-project.org
>  - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT
>  - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA
Limited, Salford, Greater Manchester, GB
>  - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D
> (R)eject, accept (t)emporarily or accept (p)ermanently? t
> U    src/library/grid/R/grob.R
> ....
>
> ssltest shows two certificates of which only one is expired?
>
> -pd
>
>
>
> > On 30 May 2020, at 22:17 , G?bor Cs?rdi <csardi.gabor at
gmail.com> wrote:
> >
> > On macOS 10.15.5 and R-devel:
> >
> >> download.file("https://www.r-project.org", tempfile())
> > trying URL 'https://www.r-project.org'
> > Error in download.file("https://www.r-project.org",
tempfile()) :
> >  cannot open URL 'https://www.r-project.org'
> > In addition: Warning message:
> > In download.file("https://www.r-project.org", tempfile()) :
> >  URL 'https://www.r-project.org': status was 'SSL peer
certificate or
> > SSH remote key was not OK'
> >
> > https://www.ssllabs.com/ssltest says:
> >
> > COMODO RSA Certification Authority
> > Fingerprint SHA256:
> > 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
> > Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME> > Valid
untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51
> > minutes ago)   EXPIRED
> >
> > AFAICT this is the reason:
> >
https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020
> >
> > FYI,
> > Gabor
> >
> > ______________________________________________
> > R-devel at r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
>
> --
> Peter Dalgaard, Professor,
> Center for Statistics, Copenhagen Business School
> Solbjerg Plads 3, 2000 Frederiksberg, Denmark
> Phone: (+45)38153501
> Office: A 4.23
> Email: pd.mes at cbs.dk  Priv: PDalgd at gmail.com
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel

The certificate itself is ok, but some other certificate higher up in
the chain is not. It is possible to have multiple certificate chains,
and only one needs to be successful for to accept the certificate.
Some clients are able to use an alternate chain, so they are fine, but
other clients do not accept some cert(s) for the alternate chain to
work. This is why you get errors only with some clients.

Even Safari works on the same machine, but R does not, probably
because libcurl uses openssl which uses a different set of CA certs.

Gabor

On Sat, May 30, 2020 at 10:01 PM peter dalgaard <pdalgd at gmail.com>
wrote:
>
> Odd. Safari has no problem and says certificate expires August 16 2020, but
I also see the download.file issue with 4.0.1 beta:
>
> > download.file("https://www.r-project.org", tempfile())
> trying URL 'https://www.r-project.org'
> Error in download.file("https://www.r-project.org", tempfile()) :
>   cannot open URL 'https://www.r-project.org'
> In addition: Warning message:
> In download.file("https://www.r-project.org", tempfile()) :
>   URL 'https://www.r-project.org/': status was 'Peer
certificate cannot be authenticated with given CA certificates'
>
> (note slightly different error message).
>
> svn is also affected:
>
> Peters-MacBook-Air:R pd$ svn up
> Updating '.':
> Error validating server certificate for
'https://svn.r-project.org:443':
>  - The certificate has expired.
> Certificate information:
>  - Hostname: *.r-project.org
>  - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT
>  - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA
Limited, Salford, Greater Manchester, GB
>  - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D
> (R)eject, accept (t)emporarily or accept (p)ermanently? t
> U    src/library/grid/R/grob.R
> ....
>
> ssltest shows two certificates of which only one is expired?
>
> -pd
>
>
>
> > On 30 May 2020, at 22:17 , G?bor Cs?rdi <csardi.gabor at
gmail.com> wrote:
> >
> > On macOS 10.15.5 and R-devel:
> >
> >> download.file("https://www.r-project.org", tempfile())
> > trying URL 'https://www.r-project.org'
> > Error in download.file("https://www.r-project.org",
tempfile()) :
> >  cannot open URL 'https://www.r-project.org'
> > In addition: Warning message:
> > In download.file("https://www.r-project.org", tempfile()) :
> >  URL 'https://www.r-project.org': status was 'SSL peer
certificate or
> > SSH remote key was not OK'
> >
> > https://www.ssllabs.com/ssltest says:
> >
> > COMODO RSA Certification Authority
> > Fingerprint SHA256:
> > 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
> > Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME> > Valid
untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51
> > minutes ago)   EXPIRED
> >
> > AFAICT this is the reason:
> >
https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020
> >
> > FYI,
> > Gabor
> >
> > ______________________________________________
> > R-devel at r-project.org mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
>
> --
> Peter Dalgaard, Professor,
> Center for Statistics, Copenhagen Business School
> Solbjerg Plads 3, 2000 Frederiksberg, Denmark
> Phone: (+45)38153501
> Office: A 4.23
> Email: pd.mes at cbs.dk  Priv: PDalgd at gmail.com
>
>
>
>
>
>
>
>
>