Re: [Savannah-users] Savannah https SSL certificates updated
From: Bob Proulx
Subject: Re: [Savannah-users] Savannah https SSL certificates updated
Date: Wed, 25 Mar 2015 04:16:18 -0600
User-agent: Mutt/1.5.23 (2014-03-12)

Ineiev wrote:
> It looks like this disabled some of my cron jobs on fencepost.gnu.org;
> it used to wget https://...savannah.gnu.org/...; now it says
> ERROR: cannot verify savannah.gnu.org's certificate, issued by
> `/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2':
> Unable to locally verify the issuer's authority.

I figured out the problem with Savannah's certificate chain. The
Gandi certificates apparently have two different trust paths in
parallel. Only one of them was satisfied by the provided chain file.
Browsers are fine with having one path trusted. But apparently wget
needs both paths trusted.

I downloaded the additional chaining certificate needed for the second
trust path and installed it into the Apache chain file. With that
wget is now happy with the second trust path.

I also tweaked up the cipher suite to remove some of the recently
vulnerable ciphers.

Bob
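
Added example, not part of Bob's message or of Savannah's configuration: a constructed PKI, built with the `openssl` command line, showing how a served chain file can satisfy one trust path while a client anchored on the other path fails until one more chaining certificate is sent. It assumes the second path runs through a cross-signed copy of the issuing root, which the message does not state; every certificate name here is made up.

```shell
#!/bin/sh
# Constructed model of a CA reachable by two trust paths. Every name and key is
# generated here; none of them is a Savannah or Gandi certificate.
set -e

build_pki() {  # $1 = empty working directory
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    for n in oldroot newroot inter leaf; do
      openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
        -subj "/CN=Example $n" 2>/dev/null
    done
    sign() { openssl x509 -req -days 30 "$@" 2>/dev/null; }
    # Two self-signed roots.
    sign -in oldroot.csr -signkey oldroot.key -extfile ca.ext -out oldroot.pem
    sign -in newroot.csr -signkey newroot.key -extfile ca.ext -out newroot.pem
    # Cross-certificate: the new root's name and key, signed by the old root.
    sign -in newroot.csr -CA oldroot.pem -CAkey oldroot.key -CAcreateserial \
      -extfile ca.ext -out cross.pem
    # Intermediate signed by the new root's key, then the server (leaf) certificate.
    sign -in inter.csr -CA newroot.pem -CAkey newroot.key -CAcreateserial \
      -extfile ca.ext -out inter.pem
    sign -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out leaf.pem
  )
}

# verify_leaf DIR TRUSTED_ROOT CHAIN_CERT...  -> prints "ok" or "fail"
# TRUSTED_ROOT is the client's only trust anchor; the CHAIN_CERTs stand in for
# what the server sends from its chain file.
verify_leaf() {
  dir=$1; root=$2; shift 2
  : > "$dir/chain.pem"
  for c in "$@"; do cat "$dir/$c.pem" >> "$dir/chain.pem"; done
  if openssl verify -CAfile "$dir/$root.pem" -untrusted "$dir/chain.pem" \
       "$dir/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

d=$(mktemp -d)
build_pki "$d"
echo "client trusts new root, chain file = inter:         $(verify_leaf "$d" newroot inter)"
echo "client trusts old root, chain file = inter:         $(verify_leaf "$d" oldroot inter)"
echo "client trusts old root, chain file = inter + cross: $(verify_leaf "$d" oldroot inter cross)"
```

Run against a real server, the same check is `openssl verify -CAfile <client trust anchor> -untrusted <server chain file> <server certificate>`, repeated once per trust anchor the clients are expected to hold.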