On 07/11/16 17:40, Christian Grothoff wrote:
> I've just finished migrating the (active) GNUnet Subversion repositories
> to Git. You should be able to
>
> $ git clone git://gnunet.org/$REPONAME # read-only, insecure
> $ git clone https://gnunet.org/git/$REPONAME # read-only, secure
> $ git clone git+ssh://[email protected]/$REPONAME # dev-only

It looks like there's an error with the HTTPS certificate chain that
prevents git clone:-

$ git --version
git version 1.9.1
$ git clone https://gnunet.org/git/gnunet.git
Cloning into 'gnunet'...
fatal: unable to access 'https://gnunet.org/git/gnunet.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt

I see three certs in the chain (see bottom): the first is the server cert
and is good, the second is a duplicate of the first and the third is the
Let's Encrypt CA.

From [chain-issues]:
"According to the standard, certificates must be presented in the order
in which they are needed. The main, server, certificate must come first,
followed by the certificate that signed it, followed by the next
certificate in the chain, and so on. A small number of sites does not
get this order right. Most SSL clients will deal with this problem
silently, but there is a small number of platforms that will give up."

jah

[chain-issues]: https://community.qualys.com/docs/DOC-1931

$ echo -n | openssl s_client -showcerts -connect gnunet.org:443
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
[snip]
dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
-----END CERTIFICATE-----
 1 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
[snip]
dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
-----END CERTIFICATE-----
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
[snip]
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ng.gnunet.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4523 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
[snip]
    Verify return code: 20 (unable to get local issuer certificate)
---

_______________________________________________
GNUnet-developers mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/gnunet-developers
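
An added example (not part of the original message or of GNUnet's code): a small checker that reads the "Certificate chain" section of `openssl s_client -showcerts` output and reports duplicate entries and links where a certificate's issuer is not the subject of the next one. It compares names only and does not verify signatures; the function names are hypothetical and the sample is abridged from the output quoted in the message.

```python
import re

# Subject/issuer lines as in the s_client output quoted in the message above
# (PEM bodies omitted; sample abridged for this example).
SAMPLE = """\
Certificate chain
 0 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=ng.gnunet.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.+?)\s*$")
ISSUER = re.compile(r"^\s*i:(.+?)\s*$")

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    chain, pending, in_chain = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---") and not line.startswith("-----"):
            break  # a bare '---' ends the section; '-----BEGIN' lines are PEM
        elif in_chain and (m := SUBJECT.match(line)):
            pending = (int(m.group(1)), m.group(2))
        elif in_chain and pending and (m := ISSUER.match(line)):
            chain.append((*pending, m.group(1)))
            pending = None
    return chain

def check_order(chain):
    """Flag duplicates and links where a cert's issuer is not the next cert's subject."""
    findings, seen = [], {}
    for pos, (depth, subject, issuer) in enumerate(chain):
        if (subject, issuer) in seen:
            findings.append(f"cert {depth} duplicates cert {seen[(subject, issuer)]}")
        else:
            seen[(subject, issuer)] = depth
        if pos + 1 < len(chain) and issuer != chain[pos + 1][1]:
            findings.append(f"cert {depth} issuer is not the subject of cert {chain[pos + 1][0]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_order(parse_chain(SAMPLE))))
```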
