Re: [Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers
That worked! Thanks, Danny.

On Sat, Oct 2, 2021 at 12:10 PM Danny McGrath wrote:

> Hi Howard,
>
> All I did was
>
>     sudo apt update && sudo apt dist-upgrade
>
> The ca-certificates package was among the updates. After this package
> update, it "just worked" (tm).
Re: [Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers
Hi Howard,

All I did was

    sudo apt update && sudo apt dist-upgrade

The ca-certificates package was among the updates. After this package
update, it "just worked" (tm).

On Sat, Oct 2, 2021 at 11:58 AM Howard Trickey wrote:

> Danny,
>
> I am running Ubuntu, version 20.04.02 LTS.
> I'm not sure how to update the ca-certificates. I tried:
>
>     sudo update-ca-certificates
>
> and it didn't do anything.
> Then I tried
>
>     sudo dpkg-reconfigure ca-certificates
>     sudo update-ca-certificates
>
> and still no joy. Am I supposed to add some particular certificate to
> /etc/ca-certificates.conf ?
Re: [Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers
Danny,

I am running Ubuntu, version 20.04.02 LTS.
I'm not sure how to update the ca-certificates. I tried:

    sudo update-ca-certificates

and it didn't do anything.
Then I tried

    sudo dpkg-reconfigure ca-certificates
    sudo update-ca-certificates

and still no joy. Am I supposed to add some particular certificate to
/etc/ca-certificates.conf ?

On Sat, Oct 2, 2021 at 11:19 AM Danny McGrath wrote:

> Hi Howard,
>
> I got the same on Ubuntu until I updated the ca-certificates to the latest
> version.
>
> Does this also work for you?
Re: [Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers
Hi Howard,

I got the same on Ubuntu until I updated the ca-certificates to the latest
version.

Does this also work for you?

On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers <bf-committers@blender.org> wrote:

> I am getting this error on my Linux:
>
> $ git submodule foreach git pull
> Entering 'release/datafiles/locale'
> fatal: unable to access 'https://git.blender.org/blender-translations.git/': server certificate verification failed. CAfile: none CRLfile: none
> fatal: run_command returned non-zero status for release/datafiles/locale
> .
Re: [Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers
I am getting this error on my Linux:

$ git submodule foreach git pull
Entering 'release/datafiles/locale'
fatal: unable to access 'https://git.blender.org/blender-translations.git/': server certificate verification failed. CAfile: none CRLfile: none
fatal: run_command returned non-zero status for release/datafiles/locale
.

On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers <bf-committers@blender.org> wrote:

> Hi,
>
> Just a heads up that I think I might have solved this server side by
> removing the expired CA from the certificate chain.
>
> I updated git, svn, builder, and developer scripts to remove the
> problematic (expired) DST root CA from the web servers. I tried the certbot
> --preferred-ca option as well, but it doesn't seem to work, compared to
> just removing it from the chain.pem/fullchain.pem files.
>
> As a test on my Windows 10 machine with TortoiseSVN, it works without error
> here. Let me know if it helps or breaks anything!

___
Bf-committers mailing list
Bf-committers@blender.org
List details, subscription details or unsubscribe:
https://lists.blender.org/mailman/listinfo/bf-committers
Re: [Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers
Hi,

Just a heads up that I think I might have solved this server side by
removing the expired CA from the certificate chain.

I updated git, svn, builder, and developer scripts to remove the
problematic (expired) DST root CA from the web servers. I tried the certbot
--preferred-ca option as well, but it doesn't seem to work, compared to
just removing it from the chain.pem/fullchain.pem files.

As a test on my Windows 10 machine with TortoiseSVN, it works without error
here. Let me know if it helps or breaks anything!

On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers <bf-committers@blender.org> wrote:

> For people having ssl issues with arcanist, the easiest solution is
>
> 1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
> 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem
>
> Pay attention to the slightly different filename it *NEEDS* to be
> custom.pem the original filename cacert.pem will not work.
>
> This should do the trick on all platforms (but it's only been tested
> on Linux and Windows).
>
> --Ray

--
Cheers,
Danny

-
Danny McGrath - d...@blender.org - www.blender.org
System Administrator at Blender
GPG key: 0x696871CA
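An added example, not from this thread or from Blender's server scripts: one way to make the server-side edit described in the message above, rewriting a fullchain.pem without any certificate whose subject or issuer CN is a given name. The function names, the host name git.example.test and the throwaway test chain (generated locally, reusing only the names "DST Root CA X3", "ISRG Root X1" and "R3") are assumptions; it needs openssl and awk.

```shell
#!/bin/sh
# Added example: drop certificates tied to a retired root from a PEM chain.
# Function names and the demo chain are assumptions, not Blender's scripts.

# split_chain BUNDLE DIR: write each certificate to DIR/cert-NN.pem, in order.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# names_match FILE CN: succeed if the subject or issuer CN of FILE is exactly CN.
names_match() {
    # RFC 2253 form prints "CN=..." first; the appended "," stops "X3"
    # from also matching a longer name such as "X30".
    openssl x509 -in "$1" -noout -subject -issuer -nameopt RFC2253 2>/dev/null |
        sed 's/$/,/' | grep -qF "CN=$2,"
}

# prune_chain IN OUT CN: copy IN to OUT without certificates whose subject or
# issuer CN is CN. Prints the number of certificates kept.
prune_chain() {
    pc_tmp=$(mktemp -d) || return 1
    split_chain "$1" "$pc_tmp"
    pc_kept=0
    : > "$2.new"
    for pc_cert in "$pc_tmp"/cert-*.pem; do
        [ -f "$pc_cert" ] || continue
        # Refuse to write anything if an entry does not parse as X.509.
        openssl x509 -in "$pc_cert" -noout 2>/dev/null ||
            { rm -rf "$pc_tmp" "$2.new"; return 1; }
        if names_match "$pc_cert" "$3"; then continue; fi
        cat "$pc_cert" >> "$2.new"
        pc_kept=$((pc_kept + 1))
    done
    rm -rf "$pc_tmp"
    # Never install an empty chain: the leaf must survive the filter.
    [ "$pc_kept" -gt 0 ] || { rm -f "$2.new"; return 1; }
    mv "$2.new" "$2"
    echo "$pc_kept"
}

# issue DIR NAME CN CA: new key and certificate NAME (subject CN), signed by CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -days 2 -out "$1/$2.pem" 2>/dev/null
}

# make_demo_chain DIR: CONSTRUCTED stand-ins that only borrow the real names.
# Writes DIR/fullchain.pem = leaf, R3, "ISRG Root X1" signed by the old root.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=DST Root CA X3" \
        -keyout "$1/dst.key" -out "$1/dst.pem" 2>/dev/null &&
    issue "$1" x1cross "ISRG Root X1" dst &&
    issue "$1" r3 "R3" x1cross &&
    issue "$1" leaf "git.example.test" r3 &&
    cat "$1/leaf.pem" "$1/r3.pem" "$1/x1cross.pem" > "$1/fullchain.pem"
}

# Usage: sh prune_chain.sh fullchain.pem pruned.pem "DST Root CA X3"
if [ "$#" -eq 3 ]; then prune_chain "$1" "$2" "$3"; fi
```

After swapping in the pruned file and reloading the web server, `openssl s_client -connect host:443 -showcerts` shows the chain the server actually sends.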
Re: [Bf-committers] Let's Encrypt SSL certificates incident on the blender.org servers
For people having ssl issues with arcanist, the easiest solution is

1) grab the latest cacert.pem from https://curl.se/docs/caextract.html
2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem

Pay attention to the slightly different filename it *NEEDS* to be
custom.pem the original filename cacert.pem will not work.

This should do the trick on all platforms (but it's only been tested
on Linux and Windows).

--Ray

On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote:

> Hi,
>
> Just a quick memo about the issue of expired Let's Encrypt certificates. It
> might be useful for developers who experience issues with HTTPS connection
> to our servers.
>
> One of the root Let's Encrypt certificates did expire today which affected
> parts of our development infrastructure. In all cases it doesn't seem to be
> an issue with the server configuration but is caused by quirks on the
> client side. We are only aware of issues on Windows.
>
> The Subversion clients did not trust the SSL certificate of
> https://svn.blender.org/. The work-around we did for the builder.blender.org
> was to install the Let’s Encrypt R3 intermediate certificate [1]. This
> "worked (tm)", although ideally intermediate certificates shouldn't need to
> be installed and the system should go by the root CA certificates from the
> Windows Certificates Store.
>
> The Arcanist uses the CURL extension of PHP, and it does not use the
> Windows Certificates Store. The way it was fixed on the buildbot workers
> was by creating a cacert.pem with the "ISRG Root X1" certificate which was
> exported from the Store (and matched the one from Let's Encrypt information
> page [1]).
>
> Our server administrator Danny McGrath also took the liberty of disabling
> TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided that this
> doesn't make matters worse, the changes are likely to be kept.
>
> [1] https://letsencrypt.org/certificates/
>
> Best regards,
> - Your Engineering Team Danny and Sergey -
>
> Sergey Sharybin - ser...@blender.org - www.blender.org
> Principal Software Engineer, Blender
> Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands