I've updated the dashboard (https://rud.is/r-project-cert-status/) script and my notifier script to account for the entire chain in each cert. On Sat, May 30, 2020 at 5:16 PM Bob Rudis <bob at rud.is> wrote:> > # A tibble: 13 x 1 > site > <chr> > 1 beta.r-project.org > 2 bugs.r-project.org > 3 cran-archive.r-project.org > 4 cran.r-project.org > 5 developer.r-project.org > 6 ess.r-project.org > 7 ftp.cran.r-project.org > 8 journal.r-project.org > 9 r-project.org > 10 svn.r-project.org > 11 user2011.r-project.org > 12 www.cran.r-project.org > 13 www.r-project.org > > is the whole list b/c of the wildcard cert. > > On Sat, May 30, 2020 at 5:07 PM Bob Rudis <bob at rud.is> wrote: > > > > It's the top of chain CA cert, so browsers are being lazy and helpful > > to humans by (incorrectly, albeit) relying on the existing trust > > relationship. > > > > libcurl (et al) is not nearly as forgiving. > > > > On Sat, May 30, 2020 at 5:01 PM peter dalgaard <pdalgd at gmail.com> wrote: > > > > > > Odd. Safari has no problem and says certificate expires August 16 2020, but I also see the download.file issue with 4.0.1 beta: > > > > > > > download.file("https://www.r-project.org", tempfile()) > > > trying URL 'https://www.r-project.org' > > > Error in download.file("https://www.r-project.org", tempfile()) : > > > cannot open URL 'https://www.r-project.org' > > > In addition: Warning message: > > > In download.file("https://www.r-project.org", tempfile()) : > > > URL 'https://www.r-project.org/': status was 'Peer certificate cannot be authenticated with given CA certificates' > > > > > > (note slightly different error message). > > > > > > svn is also affected: > > > > > > Peters-MacBook-Air:R pd$ svn up > > > Updating '.': > > > Error validating server certificate for 'https://svn.r-project.org:443': > > > - The certificate has expired. > > > Certificate information: > > > - Hostname: *.r-project.org > > > - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT > > > - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited, Salford, Greater Manchester, GB > > > - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D > > > (R)eject, accept (t)emporarily or accept (p)ermanently? t > > > U src/library/grid/R/grob.R > > > .... > > > > > > ssltest shows two certificates of which only one is expired? > > > > > > -pd > > > > > > > > > > > > > On 30 May 2020, at 22:17 , G?bor Cs?rdi <csardi.gabor at gmail.com> wrote: > > > > > > > > On macOS 10.15.5 and R-devel: > > > > > > > >> download.file("https://www.r-project.org", tempfile()) > > > > trying URL 'https://www.r-project.org' > > > > Error in download.file("https://www.r-project.org", tempfile()) : > > > > cannot open URL 'https://www.r-project.org' > > > > In addition: Warning message: > > > > In download.file("https://www.r-project.org", tempfile()) : > > > > URL 'https://www.r-project.org': status was 'SSL peer certificate or > > > > SSH remote key was not OK' > > > > > > > > https://www.ssllabs.com/ssltest says: > > > > > > > > COMODO RSA Certification Authority > > > > Fingerprint SHA256: > > > > 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da > > > > Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME> > > > Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 > > > > minutes ago) EXPIRED > > > > > > > > AFAICT this is the reason: > > > > https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 > > > > > > > > FYI, > > > > Gabor > > > > > > > > ______________________________________________ > > > > R-devel at r-project.org mailing list > > > > https://stat.ethz.ch/mailman/listinfo/r-devel > > > > > > -- > > > Peter Dalgaard, Professor, > > > Center for Statistics, Copenhagen Business School > > > Solbjerg Plads 3, 2000 Frederiksberg, Denmark > > > Phone: (+45)38153501 > > > Office: A 4.23 > > > Email: pd.mes at cbs.dk Priv: PDalgd at gmail.com > > > > > > ______________________________________________ > > > R-devel at r-project.org mailing list > > > https://stat.ethz.ch/mailman/listinfo/r-devel
The browsers still shouldn't trust it. The CA cert is expired. On Sat, May 30, 2020 at 5:23 PM Bob Rudis <bob at rud.is> wrote:> > I've updated the dashboard (https://rud.is/r-project-cert-status/) > script and my notifier script to account for the entire chain in each > cert. > > On Sat, May 30, 2020 at 5:16 PM Bob Rudis <bob at rud.is> wrote: > > > > # A tibble: 13 x 1 > > site > > <chr> > > 1 beta.r-project.org > > 2 bugs.r-project.org > > 3 cran-archive.r-project.org > > 4 cran.r-project.org > > 5 developer.r-project.org > > 6 ess.r-project.org > > 7 ftp.cran.r-project.org > > 8 journal.r-project.org > > 9 r-project.org > > 10 svn.r-project.org > > 11 user2011.r-project.org > > 12 www.cran.r-project.org > > 13 www.r-project.org > > > > is the whole list b/c of the wildcard cert. > > > > On Sat, May 30, 2020 at 5:07 PM Bob Rudis <bob at rud.is> wrote: > > > > > > It's the top of chain CA cert, so browsers are being lazy and helpful > > > to humans by (incorrectly, albeit) relying on the existing trust > > > relationship. > > > > > > libcurl (et al) is not nearly as forgiving. > > > > > > On Sat, May 30, 2020 at 5:01 PM peter dalgaard <pdalgd at gmail.com> wrote: > > > > > > > > Odd. Safari has no problem and says certificate expires August 16 2020, but I also see the download.file issue with 4.0.1 beta: > > > > > > > > > download.file("https://www.r-project.org", tempfile()) > > > > trying URL 'https://www.r-project.org' > > > > Error in download.file("https://www.r-project.org", tempfile()) : > > > > cannot open URL 'https://www.r-project.org' > > > > In addition: Warning message: > > > > In download.file("https://www.r-project.org", tempfile()) : > > > > URL 'https://www.r-project.org/': status was 'Peer certificate cannot be authenticated with given CA certificates' > > > > > > > > (note slightly different error message). > > > > > > > > svn is also affected: > > > > > > > > Peters-MacBook-Air:R pd$ svn up > > > > Updating '.': > > > > Error validating server certificate for 'https://svn.r-project.org:443': > > > > - The certificate has expired. > > > > Certificate information: > > > > - Hostname: *.r-project.org > > > > - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT > > > > - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited, Salford, Greater Manchester, GB > > > > - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D > > > > (R)eject, accept (t)emporarily or accept (p)ermanently? t > > > > U src/library/grid/R/grob.R > > > > .... > > > > > > > > ssltest shows two certificates of which only one is expired? > > > > > > > > -pd > > > > > > > > > > > > > > > > > On 30 May 2020, at 22:17 , G?bor Cs?rdi <csardi.gabor at gmail.com> wrote: > > > > > > > > > > On macOS 10.15.5 and R-devel: > > > > > > > > > >> download.file("https://www.r-project.org", tempfile()) > > > > > trying URL 'https://www.r-project.org' > > > > > Error in download.file("https://www.r-project.org", tempfile()) : > > > > > cannot open URL 'https://www.r-project.org' > > > > > In addition: Warning message: > > > > > In download.file("https://www.r-project.org", tempfile()) : > > > > > URL 'https://www.r-project.org': status was 'SSL peer certificate or > > > > > SSH remote key was not OK' > > > > > > > > > > https://www.ssllabs.com/ssltest says: > > > > > > > > > > COMODO RSA Certification Authority > > > > > Fingerprint SHA256: > > > > > 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da > > > > > Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME> > > > > Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 > > > > > minutes ago) EXPIRED > > > > > > > > > > AFAICT this is the reason: > > > > > https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 > > > > > > > > > > FYI, > > > > > Gabor > > > > > > > > > > ______________________________________________ > > > > > R-devel at r-project.org mailing list > > > > > https://stat.ethz.ch/mailman/listinfo/r-devel > > > > > > > > -- > > > > Peter Dalgaard, Professor, > > > > Center for Statistics, Copenhagen Business School > > > > Solbjerg Plads 3, 2000 Frederiksberg, Denmark > > > > Phone: (+45)38153501 > > > > Office: A 4.23 > > > > Email: pd.mes at cbs.dk Priv: PDalgd at gmail.com > > > > > > > > ______________________________________________ > > > > R-devel at r-project.org mailing list > > > > https://stat.ethz.ch/mailman/listinfo/r-devel
On 30/05/2020 5:23 p.m., Bob Rudis wrote:> I've updated the dashboard (https://rud.is/r-project-cert-status/) > script and my notifier script to account for the entire chain in each > cert.You never posted which certificate has expired. Your dashboard shows they're all valid, but the download still fails, presumably because something not shown has expired. Hopefully someone who can actually act on this can figure out what needs doing. Duncan Murdoch> > On Sat, May 30, 2020 at 5:16 PM Bob Rudis <bob at rud.is> wrote: >> >> # A tibble: 13 x 1 >> site >> <chr> >> 1 beta.r-project.org >> 2 bugs.r-project.org >> 3 cran-archive.r-project.org >> 4 cran.r-project.org >> 5 developer.r-project.org >> 6 ess.r-project.org >> 7 ftp.cran.r-project.org >> 8 journal.r-project.org >> 9 r-project.org >> 10 svn.r-project.org >> 11 user2011.r-project.org >> 12 www.cran.r-project.org >> 13 www.r-project.org >> >> is the whole list b/c of the wildcard cert. >> >> On Sat, May 30, 2020 at 5:07 PM Bob Rudis <bob at rud.is> wrote: >>> >>> It's the top of chain CA cert, so browsers are being lazy and helpful >>> to humans by (incorrectly, albeit) relying on the existing trust >>> relationship. >>> >>> libcurl (et al) is not nearly as forgiving. >>> >>> On Sat, May 30, 2020 at 5:01 PM peter dalgaard <pdalgd at gmail.com> wrote: >>>> >>>> Odd. Safari has no problem and says certificate expires August 16 2020, but I also see the download.file issue with 4.0.1 beta: >>>> >>>>> download.file("https://www.r-project.org", tempfile()) >>>> trying URL 'https://www.r-project.org' >>>> Error in download.file("https://www.r-project.org", tempfile()) : >>>> cannot open URL 'https://www.r-project.org' >>>> In addition: Warning message: >>>> In download.file("https://www.r-project.org", tempfile()) : >>>> URL 'https://www.r-project.org/': status was 'Peer certificate cannot be authenticated with given CA certificates' >>>> >>>> (note slightly different error message). >>>> >>>> svn is also affected: >>>> >>>> Peters-MacBook-Air:R pd$ svn up >>>> Updating '.': >>>> Error validating server certificate for 'https://svn.r-project.org:443': >>>> - The certificate has expired. >>>> Certificate information: >>>> - Hostname: *.r-project.org >>>> - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT >>>> - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited, Salford, Greater Manchester, GB >>>> - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D >>>> (R)eject, accept (t)emporarily or accept (p)ermanently? t >>>> U src/library/grid/R/grob.R >>>> .... >>>> >>>> ssltest shows two certificates of which only one is expired? >>>> >>>> -pd >>>> >>>> >>>> >>>>> On 30 May 2020, at 22:17 , G?bor Cs?rdi <csardi.gabor at gmail.com> wrote: >>>>> >>>>> On macOS 10.15.5 and R-devel: >>>>> >>>>>> download.file("https://www.r-project.org", tempfile()) >>>>> trying URL 'https://www.r-project.org' >>>>> Error in download.file("https://www.r-project.org", tempfile()) : >>>>> cannot open URL 'https://www.r-project.org' >>>>> In addition: Warning message: >>>>> In download.file("https://www.r-project.org", tempfile()) : >>>>> URL 'https://www.r-project.org': status was 'SSL peer certificate or >>>>> SSH remote key was not OK' >>>>> >>>>> https://www.ssllabs.com/ssltest says: >>>>> >>>>> COMODO RSA Certification Authority >>>>> Fingerprint SHA256: >>>>> 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da >>>>> Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME>>>>> Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 >>>>> minutes ago) EXPIRED >>>>> >>>>> AFAICT this is the reason: >>>>> https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 >>>>> >>>>> FYI, >>>>> Gabor >>>>> >>>>> ______________________________________________ >>>>> R-devel at r-project.org mailing list >>>>> https://stat.ethz.ch/mailman/listinfo/r-devel >>>> >>>> -- >>>> Peter Dalgaard, Professor, >>>> Center for Statistics, Copenhagen Business School >>>> Solbjerg Plads 3, 2000 Frederiksberg, Denmark >>>> Phone: (+45)38153501 >>>> Office: A 4.23 >>>> Email: pd.mes at cbs.dk Priv: PDalgd at gmail.com >>>> >>>> ______________________________________________ >>>> R-devel at r-project.org mailing list >>>> https://stat.ethz.ch/mailman/listinfo/r-devel > > ______________________________________________ > R-devel at r-project.org mailing list > https://stat.ethz.ch/mailman/listinfo/r-devel >
On Sat, May 30, 2020 at 11:40 PM Duncan Murdoch <murdoch.duncan at gmail.com> wrote:> > On 30/05/2020 5:23 p.m., Bob Rudis wrote: > > I've updated the dashboard (https://rud.is/r-project-cert-status/) > > script and my notifier script to account for the entire chain in each > > cert. > > You never posted which certificate has expired. Your dashboard shows > they're all valid, but the download still fails, presumably because > something not shown has expired.To see the problem in R: certs <- openssl::download_ssl_cert('cran.r-project.org') as.list(certs[[3]]) Shows the root cert expires today.> Hopefully someone who can actually act on this can figure out what needs > doing.The apache server will have a config entry SSLCertificateFile which points to a cert bundle (in nginx servers this is called "ssl_certificate"). If you open this in a text editor it contains the 3 certs, in PEM format, so 3 entires like this: -----BEGIN CERTIFICATE----- [base64 cert] -----END CERTIFICATE----- What you need to do is replace the final certificate with this one (just copy-paste the base64 cert): https://crt.sh/?d=1720081 .Then restart the server. See here for details: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 . This site talks about "For business processes that depend on very old systems...." but the reality is that this affects everything that uses openssl for https, including curl, svn, etc.
The expired cert was in my initial email. This is a CA cert. If you go to https://www.ssllabs.com/ssltest/analyze.html?d=svn.r-project.org and wait for the analysis, and then expand the certification paths, then you'll see three possible paths. (For most simulated clients.) Two are trusted, one is not. The browsers can use a trusted one, e.g. my Chrome uses the first, you can see this if you click on the lock before the URL, and then on "Certificate". You'll see a chain of three certs, just like on the ssllabs page. Apparently, R / libcurl / openssl cannot use them, I am not entirely sure why. Gabor On Sat, May 30, 2020 at 10:40 PM Duncan Murdoch <murdoch.duncan at gmail.com> wrote:> > On 30/05/2020 5:23 p.m., Bob Rudis wrote: > > I've updated the dashboard (https://rud.is/r-project-cert-status/) > > script and my notifier script to account for the entire chain in each > > cert. > > You never posted which certificate has expired. Your dashboard shows > they're all valid, but the download still fails, presumably because > something not shown has expired. > > Hopefully someone who can actually act on this can figure out what needs > doing. > > Duncan Murdoch > > > > > On Sat, May 30, 2020 at 5:16 PM Bob Rudis <bob at rud.is> wrote: > >> > >> # A tibble: 13 x 1 > >> site > >> <chr> > >> 1 beta.r-project.org > >> 2 bugs.r-project.org > >> 3 cran-archive.r-project.org > >> 4 cran.r-project.org > >> 5 developer.r-project.org > >> 6 ess.r-project.org > >> 7 ftp.cran.r-project.org > >> 8 journal.r-project.org > >> 9 r-project.org > >> 10 svn.r-project.org > >> 11 user2011.r-project.org > >> 12 www.cran.r-project.org > >> 13 www.r-project.org > >> > >> is the whole list b/c of the wildcard cert. > >> > >> On Sat, May 30, 2020 at 5:07 PM Bob Rudis <bob at rud.is> wrote: > >>> > >>> It's the top of chain CA cert, so browsers are being lazy and helpful > >>> to humans by (incorrectly, albeit) relying on the existing trust > >>> relationship. > >>> > >>> libcurl (et al) is not nearly as forgiving. > >>> > >>> On Sat, May 30, 2020 at 5:01 PM peter dalgaard <pdalgd at gmail.com> wrote: > >>>> > >>>> Odd. Safari has no problem and says certificate expires August 16 2020, but I also see the download.file issue with 4.0.1 beta: > >>>> > >>>>> download.file("https://www.r-project.org", tempfile()) > >>>> trying URL 'https://www.r-project.org' > >>>> Error in download.file("https://www.r-project.org", tempfile()) : > >>>> cannot open URL 'https://www.r-project.org' > >>>> In addition: Warning message: > >>>> In download.file("https://www.r-project.org", tempfile()) : > >>>> URL 'https://www.r-project.org/': status was 'Peer certificate cannot be authenticated with given CA certificates' > >>>> > >>>> (note slightly different error message). > >>>> > >>>> svn is also affected: > >>>> > >>>> Peters-MacBook-Air:R pd$ svn up > >>>> Updating '.': > >>>> Error validating server certificate for 'https://svn.r-project.org:443': > >>>> - The certificate has expired. > >>>> Certificate information: > >>>> - Hostname: *.r-project.org > >>>> - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT > >>>> - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited, Salford, Greater Manchester, GB > >>>> - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D > >>>> (R)eject, accept (t)emporarily or accept (p)ermanently? t > >>>> U src/library/grid/R/grob.R > >>>> .... > >>>> > >>>> ssltest shows two certificates of which only one is expired? > >>>> > >>>> -pd > >>>> > >>>> > >>>> > >>>>> On 30 May 2020, at 22:17 , G?bor Cs?rdi <csardi.gabor at gmail.com> wrote: > >>>>> > >>>>> On macOS 10.15.5 and R-devel: > >>>>> > >>>>>> download.file("https://www.r-project.org", tempfile()) > >>>>> trying URL 'https://www.r-project.org' > >>>>> Error in download.file("https://www.r-project.org", tempfile()) : > >>>>> cannot open URL 'https://www.r-project.org' > >>>>> In addition: Warning message: > >>>>> In download.file("https://www.r-project.org", tempfile()) : > >>>>> URL 'https://www.r-project.org': status was 'SSL peer certificate or > >>>>> SSH remote key was not OK' > >>>>> > >>>>> https://www.ssllabs.com/ssltest says: > >>>>> > >>>>> COMODO RSA Certification Authority > >>>>> Fingerprint SHA256: > >>>>> 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da > >>>>> Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME> >>>>> Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51 > >>>>> minutes ago) EXPIRED > >>>>> > >>>>> AFAICT this is the reason: > >>>>> https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020 > >>>>> > >>>>> FYI, > >>>>> Gabor > >>>>> > >>>>> ______________________________________________ > >>>>> R-devel at r-project.org mailing list > >>>>> https://stat.ethz.ch/mailman/listinfo/r-devel > >>>> > >>>> -- > >>>> Peter Dalgaard, Professor, > >>>> Center for Statistics, Copenhagen Business School > >>>> Solbjerg Plads 3, 2000 Frederiksberg, Denmark > >>>> Phone: (+45)38153501 > >>>> Office: A 4.23 > >>>> Email: pd.mes at cbs.dk Priv: PDalgd at gmail.com > >>>> > >>>> ______________________________________________ > >>>> R-devel at r-project.org mailing list > >>>> https://stat.ethz.ch/mailman/listinfo/r-devel > > > > ______________________________________________ > > R-devel at r-project.org mailing list > > https://stat.ethz.ch/mailman/listinfo/r-devel > > > > ______________________________________________ > R-devel at r-project.org mailing list > https://stat.ethz.ch/mailman/listinfo/r-devel