Opened 8 years ago

Closed 6 years ago

#1666 closed task (fixed)

git does not trust new SSL certs

Reported by: strk Owned by: sac@…
Priority: normal Milestone:
Component: SysAdmin Keywords: ssl, git
Cc: wildintellect


Attempts to git-push via result in :

 fatal: unable to access '':                        
 server certificate verification failed.                                                            
 CAfile: /etc/ssl/certs/ca-certificates.crt                                                         
 CRLfile: none   

This started since the new SSL certificates were deployed.

Change History (10)

comment:1 by strk, 8 years ago

According to there's a possibility that the intermediate cert file might benefit from a reordering, to work around a GnuTLS bug.

comment:2 by strk, 8 years ago

The error occurs to me by just running:

git clone

But only with git versions and 1.9.1, whereas git version 2.1.4 did not raise the error.

Maybe newer versions are not using GnuTLS (or are using a newer version of it)

comment:3 by strk, 8 years ago

I confirm reordering the contents of /etc/ssl/osgeo/ca-bundle-client.crt fixed the issue. Now I guess all other machines should be updated.

comment:4 by martin, 8 years ago

Indeed, the CA certificate chain ordering as delivered by the CA is 'unfortunate' (uncommon),


comment:5 by strk, 8 years ago

Can anyone take care of copying the reordered chain from to other machines ? I don't have sudo on the required ones

comment:6 by strk, 8 years ago

Alex: was the copy over taken care of ?

comment:7 by wildintellect, 8 years ago

I didn't do it, seemed a minor issue outside of the git service... also didn't want to rush in the event we decided to change certs again... Someone else is welcome to do this fix too.

comment:8 by strk, 8 years ago

It looks like it was decided not to change certs again, so for the next 3 years we keep these. As it's not been easy to spot, it'd be nice to not hit this bug again in the future, if we decide to open more git services via https on other machines...

comment:9 by strk, 8 years ago

Martin, did you spread the change onto other machines ?

comment:10 by strk, 6 years ago

Resolution: fixed
Status: newclosed

closing for lack of feedback, and assuming fixed.

Note: See TracTickets for help on using tickets.