3

I'm seeing this on a few recent Ubuntu 20.04 installs and trying to see if this is still my fault in some way, as the Internet is (yet) still silent about this.

```
root@hz-hel1-1-ci1:/tmp# GIT_CURL_VERBOSE=1 git clone https://gitlab.gnome.org/GNOME/gnome-2048.git
Cloning into 'gnome-2048'...
* Couldn't find host gitlab.gnome.org in the .netrc file; using defaults
*   Trying 8.43.85.27:443...
* TCP_NODELAY set
* Connected to gitlab.gnome.org (8.43.85.27) port 443 (#0)
* found 387 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection 0
fatal: unable to access 'https://gitlab.gnome.org/GNOME/gnome-2048.git/': server certificate verification failed. CAfile: none CRLfile: none
```

git can't even connect. I see this on all https hosts that have a Let's Encrypt certificate. I suspect this is related to the root certificate expiry today, but as far as I understood it should affect things like CentOS 7 and other older devices, not Ubuntu.

curl itself works fine, I'm still chasing down git's dependencies here to narrow it down.

unilynx
  • 2
    If it's not a git repo, why are you cloning it? I don't understand what Git has to do with their cert expiring. – mason Sep 30 '21 at 15:13
  • 1
    Not only is `https://www.letsencrypt.org/x/` not a git repo, it redirects to `https://letsencrypt.org/x/` which in turn is a 404 page. So it's an odd example. If this is just an attempt to investigate, could you explain what your *actual* problem is? – IMSoP Sep 30 '21 at 15:20
  • Try `git clone https://gitlab.gnome.org/GNOME/gnome-2048.git` `Cloning into 'gnome-2048'... fatal: unable to access 'https://gitlab.gnome.org/GNOME/gnome-2048.git/': server certificate verification failed. CAfile: none CRLfile: none` I'll update the question to refer to a public Git server - I think this problem applies to all Let's Encrypt certified git servers – unilynx Sep 30 '21 at 15:28
  • Okay so you think the Let's Encrypt cert has expired. So they'll need to replace it with a new cert. I don't see what the actual question is here. – mason Sep 30 '21 at 15:42
  • gitlab.gnome.org works fine if you curl or wget the same https URL. There's something else going on here. – unilynx Sep 30 '21 at 15:43
  • Major clue: if you run `curl -v https://gitlab.gnome.org/GNOME/gnome-2048.git`, the debug includes "CAfile: /etc/ssl/certs/ca-certificates.crt" rather than "CAfile: none". – IMSoP Sep 30 '21 at 15:53
  • 1
    Thinking about it, https://askubuntu.com would probably be a more appropriate place for this question. – IMSoP Sep 30 '21 at 15:53
  • 1
    See: https://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c – slebetman Sep 30 '21 at 15:54
  • 1
    It sounds like it's not a problem with the server certificate or Let's Encrypt's root certificate. It sounds like the problem is with your truststore (the database of trusted root certificates in your OS/browser/app). When was the last time you updated your OS? – slebetman Sep 30 '21 at 15:56
  • Updates were exactly the issue. The OS install and Docker images were brand new, so seeing the same error at multiple locations, and git's embedded libcurl breaking but not curl itself, put me on the wrong track. – unilynx Sep 30 '21 at 18:30

1 Answer

3

Thanks for the hints, an apt-get update/upgrade cycle fixed it.

I guess today's lesson is that even though you created that VM yesterday or that Docker image you pulled was updated just today, it doesn't mean the images they were created from were actually up to date.

unilynx
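
One check worth running on a freshly created VM or pulled image before trusting its trust store, given the root certificate expiry suspected in the question: list the certificates in the CA bundle that are already expired or about to expire. This is an added example, not code from the thread; it assumes the `openssl` CLI is installed, the function name `audit_ca_bundle` is made up for illustration, and the default bundle path is the one quoted from curl's debug output in the comments.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): flag CA certificates in a trust bundle
# that are already expired, or that expire within WINDOW seconds.
# Assumes the openssl CLI is installed.

# audit_ca_bundle [BUNDLE] [WINDOW_SECONDS]
# Prints "EXPIRES<TAB>notAfter<TAB>subject" for each flagged certificate.
# Returns 0 if none were flagged, 1 if at least one was, 2 on setup errors.
audit_ca_bundle() {
    local bundle window tmp pem found
    bundle=${1:-/etc/ssl/certs/ca-certificates.crt}
    window=${2:-0}
    found=0
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmp=$(mktemp -d) || return 2

    # Split the concatenated PEM bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%05d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"

    for pem in "$tmp"/cert-*.pem; do
        [ -e "$pem" ] || continue
        # -checkend N exits non-zero if the certificate expires within N seconds
        # (N=0: it is already expired).
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            printf 'EXPIRES\t%s\t%s\n' \
                "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)" \
                "$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')"
            found=1
        fi
    done
    rm -rf "$tmp"
    return "$found"
}

# Run when arguments are given, e.g.:
#   ./audit-ca.sh /etc/ssl/certs/ca-certificates.crt 0
if [ "$#" -gt 0 ]; then
    audit_ca_bundle "$@"
fi
```

A non-zero exit in an image build or CI step is a signal to run the package update from the answer before anything depends on TLS verification.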