#1 2020-12-13 09:20:11

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 366
Website

32.arlm.tyzoid.com

Certificate has expired, HTTPS is untrusted. HSTS is in place. Effectively also rendering the HTTP version useless.

Offline

#2 2020-12-19 07:16:35

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 366
Website

Re: 32.arlm.tyzoid.com

Chromium and Firefox see a valid certificate; the curl and PHP checks in the mirror do not. I think this is an OpenSSL or certificate issue on
the testing side.

Offline

#3 2020-12-19 08:00:55

deep42thought
Administrator
From: Jena, Germany
Registered: 2017-06-17
Posts: 604

Re: 32.arlm.tyzoid.com

indeed,

curl -4 -s https://32.arlm.tyzoid.com/lastsync

and

curl -6 -s https://32.arlm.tyzoid.com/lastsync

return certificate errors. Why does curl use different certs than browsers?

Offline

#4 2020-12-20 07:53:04

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 366
Website

Re: 32.arlm.tyzoid.com

openssl s_client -connect 32.arlm.tyzoid.com:443

gives:

depth=0 CN = 32.arlm.tyzoid.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = 32.arlm.tyzoid.com
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:CN = 32.arlm.tyzoid.com
   i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = 32.arlm.tyzoid.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3722 bytes and written 446 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 69C063560555B2D03DB334AF9321B1C1501AD945A9A80F6F2D00A1B1D448EB2A
    Session-ID-ctx:
    Master-Key: 2C5F8D96D9CCA5064C2BB7E9B1E76C51162382974FD6BFF56E721C3A53708EE723C3BA964E11ECBA35E1CDAAB104C564
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1608447083
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no

This sounds like intermediate certs are missing? Sometimes browsers already have
them built in while other CA chains do not yet. I think this is the case here.

See also:
https://www.sslshopper.com/ssl-checker. … tyzoid.com

Offline
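
Added example, not part of abaumann's post: in the chain printed above, certificate 0 names R3 as its issuer while certificate 1 is Let's Encrypt Authority X3, so the server is not sending the intermediate that signed its leaf. The Python sketch below flags that kind of gap by comparing issuer and subject names in s_client output; parse_chain and chain_breaks are names made up here, and name matching is a heuristic, not signature verification.

```python
import re
import sys

# "Certificate chain" section copied from the s_client output in post #4.
SAMPLE = """\
Certificate chain
0 s:CN = 32.arlm.tyzoid.com
   i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_chain, subject = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain section
        elif in_chain and SUBJECT.match(line):
            subject = SUBJECT.match(line).group(2).strip()
        elif in_chain and subject is not None and ISSUER.match(line):
            chain.append((subject, ISSUER.match(line).group(1).strip()))
            subject = None
    return chain


def chain_breaks(chain):
    """Find positions where cert n's issuer is not cert n+1's subject."""
    breaks = []
    for n in range(len(chain) - 1):
        issuer, next_subject = chain[n][1], chain[n + 1][0]
        if issuer != next_subject:
            breaks.append((n, issuer, next_subject))
    return breaks


if __name__ == "__main__":
    # Pipe "openssl s_client -connect HOST:443 </dev/null" into this script,
    # or run it without input to check the sample above.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for n, issuer, got in chain_breaks(parse_chain(text)):
        print(f"cert {n} was issued by '{issuer}', but cert {n + 1} is '{got}'")
```

A chain that consists of the leaf alone produces no output here, so a server that sends no intermediate at all still needs the verify return code from openssl itself.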

#5 2020-12-20 09:17:36

levi
Moderator
From: Yorkshire, UK
Registered: 2018-06-16
Posts: 967

Re: 32.arlm.tyzoid.com

You can at the very least run curl with the -k option to disable cert checks.


Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.

Offline

#6 2020-12-20 13:04:56

deep42thought
Administrator
From: Jena, Germany
Registered: 2017-06-17
Posts: 604

Re: 32.arlm.tyzoid.com

levi wrote:

You can at the very least run curl with the -k option to disable cert checks.

This is not what we want: IIRC, pacman also uses curl to download stuff - and the status page should not assume the mirror is ok if there is actually something wrong with its certificate.
We should notify tyzoid of his broken mirror :)

Offline

#7 2021-09-15 19:09:38

abaumann
Administrator
From: Zurich
Registered: 2019-11-14
Posts: 366
Website

Re: 32.arlm.tyzoid.com

I see that lastsync and lastupdate are out of date:

lastsync 2021-04-11 05:08
lastupdate 2021-04-11 04:41

Offline
