git does not trust new SSL certs

[strk]

Attempts to git-push via ​https://git.osgeo.org/ result in :

 fatal: unable to access 'https://git.osgeo.org/gogs/rttopo/librttopo.git/':                        
 server certificate verification failed.                                                            
 CAfile: /etc/ssl/certs/ca-certificates.crt                                                         
 CRLfile: none   

This started since the new SSL certificates were deployed.

[strk]

According to ​http://stackoverflow.com/a/16577227 there's a possibility that the intermediate cert file might benefit from a reordering, to work around a GnuTLS bug.

[strk]

The error occurs to me by just running:

git clone https://git.osgeo.org/gogs/rttopo/librttopo.git

But only with git versions 1.7.10.4 and 1.9.1, whereas git version 2.1.4 did not raise the error.

Maybe newer versions are not using GnuTLS (or are using a newer version of it)

[strk]

I confirm reordering the contents of /etc/ssl/osgeo/ca-bundle-client.crt fixed the issue. Now I guess all other machines should be updated.

[martin]

Indeed, the CA certificate chain ordering as delivered by the CA is 'unfortunate' (uncommon),

Martin.

[strk]

Can anyone take care of copying the reordered chain from git.osgeo.org to other machines ? I don't have sudo on the required ones

[strk]

Alex: was the copy over taken care of ?

[wildintellect]

I didn't do it, seemed a minor issue outside of the git service... also didn't want to rush in the event we decided to change certs again... Someone else is welcome to do this fix too.

[strk]

It looks like it was decided not to change certs again, so for the next 3 years we keep these. As it's not been easy to spot, it'd be nice to not hit this bug again in the future, if we decide to open more git services via https on other machines...

[strk]

Martin, did you spread the change onto other machines ?

[strk]

closing for lack of feedback, and assuming fixed.