Hi,

Just a heads up that I think I might have solved this server side by removing the expired CA from the certificate chain.

I updated git, svn, builder, and developer scripts to remove the problematic (expired) DST root CA from the web servers. I tried the certbot --preferred-ca option as well, but it doesn't seem to work, compared to just removing it from the chain.pem/fullchain.pem files. As a test on my Windows 10 machine with TortoiseSVN, it works without error here.

Let me know if it helps or breaks anything!

On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <bf-committers@blender.org> wrote:

> For people having ssl issues with arcanist, the easiest solution is
>
> 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
> 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
>
> Pay attention to the slightly different filename: it *NEEDS* to be
> custom.pem; the original filename cacert.pem will not work.
>
> This should do the trick on all platforms (but it's only been tested
> on Linux and Windows).
>
> --Ray
>
> On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:
> > Hi,
> >
> > Just a quick memo about the issue of expired Let's Encrypt certificates.
> > It might be useful for developers who experience issues with HTTPS
> > connection to our servers.
> >
> > One of the root Let's Encrypt certificates did expire today which
> > affected parts of our development infrastructure. In all cases it
> > doesn't seem to be an issue with the server configuration but is caused
> > by quirks on the client side. We are only aware of issues on Windows.
> >
> > The Subversion clients did not trust the SSL certificate of
> > https://svn.blender.org/. The work-around we did for the
> > builder.blender.org was to install the Let's Encrypt R3 intermediate
> > certificate [1]. This "worked (tm)", although ideally intermediate
> > certificates shouldn't need to be installed and the system should go by
> > the root CA certificates from the Windows Certificates Store.
> >
> > The Arcanist uses the CURL extension of PHP, and it does not use the
> > Windows Certificates Store. The way it was fixed on the buildbot workers
> > was by creating a cacert.pem with the "ISRG Root X1" certificate which
> > was exported from the Store (and matched the one from Let's Encrypt
> > information page [1]).
> >
> > Our server administrator Danny McGrath also took the liberty of disabling
> > TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided that this
> > doesn't make matters worse, the changes are likely to be kept.
> >
> > [1] https://letsencrypt.org/certificates/
> >
> > Best regards,
> > - Your Engineering Team Danny and Sergey -
> > --------------------------------------------------------------------
> > Sergey Sharybin - ser...@blender.org - www.blender.org
> > Principal Software Engineer, Blender
> > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands
> > _______________________________________________
> > Bf-committers mailing list
> > Bf-committers@blender.org
> > List details, subscription details or unsubscribe:
> > https://lists.blender.org/mailman/listinfo/bf-committers

--
Cheers,
Danny
-------------------------------------------------
Danny McGrath - d...@blender.org - www.blender.org
System Administrator at Blender
GPG key: 0x696871CA
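
A sketch of the server-side fix described in this thread, added here as an example and not taken from the thread or from Blender's servers: it reads the issuer CN and notAfter of each certificate in a fullchain.pem-style bundle and drops the entry issued by the expired root. It assumes that entry is identified by the issuer CN "DST Root CA X3"; the function names are hypothetical and the chain is a constructed, unsigned sample in which the dropped entry's own notAfter is later than the root's expiry, which is why selection is by issuer and not by date.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"             # DER bytes of OID 2.5.4.3 (commonName)

def _elements(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[pos:end]."""
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                    # long form: the next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        pos += length

def issuer_and_expiry(pem_block):
    """Issuer CN and notAfter of one PEM certificate (field parsing only, no validation)."""
    der = base64.b64decode("".join(pem_block.strip().splitlines()[1:-1]))
    _, s, e = next(_elements(der, 0, len(der)))                  # Certificate
    _, s, e = next(_elements(der, s, e))                         # tbsCertificate
    fields = [f for f in _elements(der, s, e) if f[0] != 0xA0]   # skip optional [0] version
    (_, i_s, i_e), (_, v_s, v_e) = fields[2], fields[3]          # issuer Name, validity
    tag, s, e = list(_elements(der, v_s, v_e))[1]                # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"    # UTCTime or GeneralizedTime
    expiry = datetime.strptime(der[s:e].decode(), fmt).replace(tzinfo=timezone.utc)
    oid = der.find(CN_OID, i_s, i_e)
    _, s, e = next(_elements(der, oid + len(CN_OID), i_e)) if oid >= 0 else (0, 0, 0)
    return der[s:e].decode("utf-8", "replace"), expiry

def drop_issued_by(chain_pem, issuer_cn):
    """Return chain_pem without the certificates whose issuer CN equals issuer_cn."""
    return "".join(b + "\n" for b in PEM_RE.findall(chain_pem) if issuer_and_expiry(b)[0] != issuer_cn)

def _der(tag, *parts):                       # sample-only encoder: bodies under 128 bytes
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def sample_cert(subject, issuer, not_after): # constructed, unsigned skeleton; not a real cert
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, CN_OID, _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"200101000000Z"), _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01",
               _der(0x30, b"\x06\x03\x2a\x03\x04"), name(issuer), validity, name(subject))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, tbs)).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_CHAIN = (sample_cert("svn.example.test", "R3", "211201000000Z")            # constructed leaf
                + sample_cert("R3", "ISRG Root X1", "250915160000Z")               # intermediate
                + sample_cert("ISRG Root X1", "DST Root CA X3", "240930181403Z"))  # cross-signed root

if __name__ == "__main__":
    print([issuer_and_expiry(b)[0] for b in PEM_RE.findall(drop_issued_by(SAMPLE_CHAIN, "DST Root CA X3"))])
```

The parser only reads header fields and verifies nothing, so a rewritten chain file still needs a check that clients can build a path to a trusted root before it is deployed.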