It works perfectly for me. Could it be that your CAfile lacks the root certificate of Let's Encrypt?
On 11/07/2016 09:45 PM, jah wrote:
> On 07/11/16 17:40, Christian Grothoff wrote:
>> I've just finished migrating the (active) GNUnet Subversion repositories
>> to Git. You should be able to
>>
>> $ git clone git://gnunet.org/$REPONAME # read-only, insecure
>> $ git clone https://gnunet.org/git/$REPONAME # read-only, secure
>> $ git clone git+ssh://[email protected]/$REPONAME # dev-only
>
> It looks like there's an error with the HTTPS certificate chain that prevents
> git clone:-
>
> $ git --version
> git version 1.9.1
> $ git clone https://gnunet.org/git/gnunet.git
> Cloning into 'gnunet'...
> fatal: unable to access 'https://gnunet.org/git/gnunet.git/': server
> certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
>
> I see three certs in the chain (see bottom): the first is the server cert and
> is good, the second is a duplicate of the first and the third is the Let's
> Encrypt CA.
>
> From [chain-issues]:
>
> "According to the standard, certificates must be presented in the order in
> which they are needed. The main, server, certificate must come first,
> followed by the certificate that signed it, followed by the next certificate
> in the chain, and so on. A small number of sites does not get this order
> right. Most SSL clients will deal with this problem silently, but there is a
> small number of platforms that will give up."
>
> jah
>
> [chain-issues]: https://community.qualys.com/docs/DOC-1931
>
>
> $ echo -n | openssl s_client -showcerts -connect gnunet.org:443
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/CN=ng.gnunet.org
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
> [snip]
> dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
> -----END CERTIFICATE-----
>  1 s:/CN=ng.gnunet.org
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFKjCCBBKgAwIBAgISA0GOQGL/8S4uIjkBZaReP2ohMA0GCSqGSIb3DQEBCwUA
> [snip]
> dL7BqTW/HMh1X+rTv9dfRb3fCGsoDJcuUGVojf2s
> -----END CERTIFICATE-----
>  2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> [snip]
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/CN=ng.gnunet.org
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4523 bytes and written 421 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> [snip]
> Verify return code: 20 (unable to get local issuer certificate)
> ---
>
> _______________________________________________
> GNUnet-developers mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/gnunet-developers
