
List:       opensuse-buildservice
Subject:    Re: OSCP server for download.opensuse.org down?
From:       Philipp Wagner <mail () philipp-wagner ! com>
Date:       2021-06-09 12:05:43
Message-ID: b80ccda7-a742-15c2-8b23-d1dff09e8c72 () philipp-wagner ! com

Hi,

Seems like this is resolved now, but now the mirrors are out of sync 
(gwdg is serving badly outdated things). I saw 
https://progress.opensuse.org/issues/93686 and will report back if 
things don't go back to normal in the next couple of hours.

Thanks!

Philipp

On 09.06.21 10:27, Philipp Wagner wrote:
> Hi,
> 
> Could it be that the OCSP (SSL cert revocation) server for 
> download.opensuse.org is down?
> 
> apt, by default, requires OCSP responses and fails to install otherwise 
> (in contrast to browsers, for example), making the repository 
> unavailable for me.
> 
> This started this morning (Europe):
> 
> Apt error message:
> 
> Err:9 
> https://download.opensuse.org/repositories/home:/phiwag:/edatools/xUbuntu_18.04 
> Release
> Certificate verification failed: The certificate is NOT trusted. The 
> received OCSP status response is invalid.  Could not handshake: Error in 
> the certificate verification. [IP: 195.135.221.134 443]
> 
> 
> Curl agrees with apt (note the "Invalid OCSP response status: trylater"):
> 
> ❯ curl --cert-status -sLO --verbose 
> https://download.opensuse.org/repositories/home:/phiwag:/edatools/xUbuntu_18.04/verilator-4.100_4.100.orig.tar.gz \
>  
> *   Trying 195.135.221.134:443...
> * Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> } [5 bytes data]
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> { [122 bytes data]
> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> { [19 bytes data]
> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> { [2744 bytes data]
> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> { [520 bytes data]
> * TLSv1.3 (IN), TLS handshake, Finished (20):
> { [52 bytes data]
> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> } [1 bytes data]
> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> } [52 bytes data]
> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
> * ALPN, server accepted to use h2
> * Server certificate:
> *  subject: CN=opensuse.org
> *  start date: Apr 27 00:52:15 2021 GMT
> *  expire date: Jul 26 00:52:15 2021 GMT
> *  subjectAltName: host "download.opensuse.org" matched cert's 
> "*.opensuse.org"
> *  issuer: C=US; O=Let's Encrypt; CN=R3
> *  SSL certificate verify ok.
> * Invalid OCSP response status: trylater (3)
> * Closing connection 0
> } [5 bytes data]
> * TLSv1.3 (OUT), TLS alert, close notify (256):
> } [2 bytes data]
> 
> 
> What's the best way to inform someone who can fix this?
> 
> Thanks!
> 
> Philipp

