On Sat, May 30, 2020 at 11:40 PM Duncan Murdoch
<murdoch.dun...@gmail.com> wrote:
>
> On 30/05/2020 5:23 p.m., Bob Rudis wrote:
> > I've updated the dashboard (https://rud.is/r-project-cert-status/)
> > script and my notifier script to account for the entire chain in each
> > cert.
>
> You never posted which certificate has expired.  Your dashboard shows
> they're all valid, but the download still fails, presumably because
> something not shown has expired.

To see the problem in R:

   certs <- openssl::download_ssl_cert('cran.r-project.org')
   as.list(certs[[3]])

Shows the root cert expires today.

> Hopefully someone who can actually act on this can figure out what needs
> doing.

The Apache server will have a config entry SSLCertificateFile which
points to a cert bundle (in nginx servers this is called
"ssl_certificate"). If you open this in a text editor it contains the
3 certs, in PEM format, so 3 entries like this:

-----BEGIN CERTIFICATE-----
[base64 cert]
-----END CERTIFICATE-----

What you need to do is replace the final certificate with this one
(just copy-paste the base64 cert): https://crt.sh/?d=1720081 . Then
restart the server.

See here for details:
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
. This site talks about "For business processes that depend on very
old systems...." but the reality is that this affects everything that
uses openssl for https, including curl, svn, etc.

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
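
The check described in this message (every certificate in the server's PEM bundle, not only the leaf), as an added example that is not part of the original post. It assumes the openssl command-line tool is installed; the function names bundle_expiry and make_sample_bundle are hypothetical, and the sample certificates are constructed throwaway ones.

```shell
# bundle_expiry BUNDLE [WINDOW_SECONDS]
# Prints "<index> <OK|EXPIRING> <notAfter> | <subject>" for every certificate
# in a PEM bundle. Returns 1 if any certificate expires within WINDOW_SECONDS
# (default 0, i.e. already expired), 2 if no certificate was found.
bundle_expiry() {
    bundle=$1
    window=${2:-0}
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    rc=0
    i=0
    for pem in "$tmp"/cert*.pem; do
        [ -f "$pem" ] || continue
        i=$((i + 1))
        end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
        subj=$(openssl x509 -in "$pem" -noout -subject)
        # -checkend exits non-zero when the cert expires within the window.
        if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            state=OK
        else
            state=EXPIRING
            rc=1
        fi
        printf '%d %s %s | %s\n' "$i" "$state" "$end" "$subj"
    done
    rm -rf "$tmp"
    [ "$i" -gt 0 ] || return 2
    return "$rc"
}

# Constructed sample input: a two-entry bundle of throwaway self-signed
# certificates, the second one valid for a single day.
make_sample_bundle() {
    dest=$1
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k1" -out "$d/c1" \
        -days 365 -subj "/CN=constructed-leaf" 2>/dev/null || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k2" -out "$d/c2" \
        -days 1 -subj "/CN=constructed-root" 2>/dev/null || return 2
    cat "$d/c1" "$d/c2" > "$dest"
    rm -rf "$d"
}
```

Pointed at the file named by SSLCertificateFile with a window such as 2592000 (30 days), a non-zero return flags a chain entry that is about to lapse even when the leaf certificate is still valid.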
