
indeed looks to be broken, even though my browser still doesn't complain,
the openssl command sure does:

    $ openssl s_client -showcerts -verify_return_error -4 -connect gitlab.haskell.org:443 < /dev/null
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = gitlab.haskell.org
    verify error:num=10:certificate has expired
    notAfter=Feb 14 23:21:04 2021 GMT
    routines:tls_process_server_certificate:certificate verify
    no peer certificate available
    No client certificate CA names sent
    Server Temp Key: X25519, 253 bits
    SSL handshake has read 2594 bytes and written 317 bytes
    Verification error: certificate has expired
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 10 (certificate has expired)

FYI I wrote a super simple monitoring script using faketime+openssl to
prevent this sort of thing from happening in case you guys are interested:


The description is in German unfortunately, but the script itself is
commented in English of course ;)

We install this as a cron.daily job and use cron monitoring to make sure the
script runs, but I suspect if you're not worried about the "it actually
ran" part, cron's default emails would work just as well.


On Sun, Feb 14, 2021 at 11:37:45PM +0000, Richard Eisenberg wrote:
> Hi Ben,
> It looks like the Let's Encrypt certificate for gitlab.haskell.org 
> <http://gitlab.haskell.org/> has expired, as of about 15 minutes ago. I guess 
> it's time to renew.
> Thanks,
> Richard
ghc-devs mailing list
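
An added example, not the script mentioned in the message and not using faketime: a small Python check that reads openssl output like the transcript above and flags a certificate before it expires. The names `check_expiry` and `warn_days` and the 14-day window are assumptions made for this illustration.

```python
"""Added example: warn before a TLS certificate expires (offline parser)."""
import re
import ssl
from datetime import datetime, timedelta, timezone

# openssl prints expiry as e.g. "notAfter=Feb 14 23:21:04 2021 GMT", both in
# s_client verify errors and in `openssl x509 -noout -enddate`.
NOT_AFTER = re.compile(r"notAfter=(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT)")
VERIFY_RC = re.compile(r"Verify return code: (\d+)")

# Excerpt of the s_client output from the message above, used as sample input.
SAMPLE = """\
depth=0 CN = gitlab.haskell.org
verify error:num=10:certificate has expired
notAfter=Feb 14 23:21:04 2021 GMT
Verify return code: 10 (certificate has expired)
"""


def check_expiry(openssl_output, now, warn_days=14):
    """Classify openssl output as 'expired', 'expiring', 'ok' or 'unknown'.

    Returns (status, days_left); days_left is None when no date was found.
    """
    dates = [
        datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)
        for text in NOT_AFTER.findall(openssl_output)
    ]
    rc = VERIFY_RC.search(openssl_output)
    if not dates:
        # Code 10 is "certificate has expired"; report it even without a date.
        return ("expired" if rc and rc.group(1) == "10" else "unknown", None)
    earliest = min(dates)  # the first certificate to run out decides the result
    days_left = (earliest - now) // timedelta(days=1)
    if earliest <= now:
        return ("expired", days_left)
    if earliest - now <= timedelta(days=warn_days):
        return ("expiring", days_left)
    return ("ok", days_left)


if __name__ == "__main__":
    # Constructed clock value: one week before the expiry shown in SAMPLE.
    print(check_expiry(SAMPLE, datetime(2021, 2, 7, tzinfo=timezone.utc)))
```

Run from a daily cron job with a non-zero exit on anything other than "ok", cron's mail on failure serves as the alert.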