Hi Klaus!
* Klaus Ethgen <[email protected]>, 2015-05-29, 09:46:
> See the following:
>
> ~> bts -m show XXXXXX
> bts: couldn't download http://bugs.debian.org/762709:
> 500 Can't connect to bugs.debian.org:443 (certificate verify failed)
>
> The following certificates (and only them) are enabled in
> ca-certificates:
> - CAcert/class3.crt
> - CAcert/root.crt
> - mozilla/USERTrust_RSA_Certification_Authority.crt
>
> There are several things wrong with bts here:
> 1. The URL in the error message should not be http when it really uses
> https. With http, that error makes no sense.

bts(1) connects to bugs.d.o via HTTP, which only then redirects to
HTTPS. This is something we should fix.

In the meantime, you can put

BTS_SERVER=https://bugs.debian.org

in your ~/.devscripts.

> 2. Looking at bugs.debian.org via gnutls-cli shows that the
> certificate-tree is:
> - O=The USERTRUST Network,CN=USERTrust RSA Certification Authority
> - O=Gandi,CN=Gandi Standard SSL CA 2
> - CN=bugs.debian.org
> There is no Gandi certificate in ca-certificates but as the root
> certificate is valid, it should not fail.

No, that's not right. The root CA for bugs.d.o is AddTrust_External_Root.

> 3. All Debian domains are already utilizing DANE, so there is no reason to
> not use it.

Heh, patches welcome. Have fun implementing DANE validation. ;-)

--
Jakub Wilk