website: https://tip.golang.org returns TLS alert{fatal, certificate_unknown} #21251
Confirmed using curl
lucky(~) % curl -v https://tip.golang.org/ >/dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying 130.211.180.236...
* Connected to tip.golang.org (130.211.180.236) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 704 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_ECDSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
However, Chrome doesn't have a problem with the cert.
…On Tue, Aug 1, 2017 at 1:58 PM, Mikio Hara ***@***.***> wrote:
Not sure when it started, right now a TLS handshake to tip.golang.org,
which means SNI=tip.golang.org, fails caused by TLS alert{fatal,
certificate_unknown}.
[ insert dramatic chipmunk ]
…On Tue, Aug 1, 2017 at 2:38 PM, Akhil Indurti ***@***.***> wrote:
Chrome shows that the cert expired Monday, July 31, 2017 at 8:36:00 PM
Eastern Daylight Time under devtools->Security->View Certificate.
[image: image]
<https://user-images.githubusercontent.com/12636891/28809401-39988282-7651-11e7-8684-e5411cc1f7a1.png>
Well, that's interesting. @x1ddos, any known issues with golang.org/x/crypto/acme/autocert not auto-cert-ing?
Change https://golang.org/cl/52390 mentions this issue:
In #20035, expired/invalid certs were never renewed, and golang/crypto@0e4becf fixed this by treating invalid entries as nonexistent. upspin/upspin#367 faced this issue but closed it b/c upstream was closed.
@smasher164, thanks. That's probably what we just hit.
@bradfitz sorry, I'm late but yeah, what @smasher164 said is probably it. I should've reminded you. Do you guys have an email in autocert config, registered with Let's Encrypt? I found it useful, some sort of a warning. If you get an email, something went wrong and the cert wasn't renewed in due time. upspin should be fine - they've rebuilt their binaries after that commit.
Not sure when it started, right now a TLS handshake to tip.golang.org, which means SNI=tip.golang.org, fails caused by TLS alert{fatal, certificate_unknown}.
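The failure in this thread (a leaf certificate that passed its NotAfter without being renewed) can be caught by an independent expiry check. The following is an added example, not code from the thread or from the Go project. The function names, the host `tip.example.test`, the 90-day validity window and the 30-day warning threshold are assumptions, and the certificate is constructed in memory with the expiry time reported above, converted to UTC.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed, self-signed sample certificate for host (hypothetical helper).
func selfSigned(host string, notAfter time.Time) (*x509.Certificate, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotAfter: notAfter,
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), // assumed 90-day validity
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkExpiry verifies cert for host as of now: "expired", "invalid", "renew-soon" or "ok".
func checkExpiry(cert *x509.Certificate, host string, now time.Time, warn time.Duration) string {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // sample only: the constructed leaf is its own trust anchor
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired {
		return "expired" // outside NotBefore..NotAfter, the condition clients rejected
	} else if err != nil {
		return "invalid" // any other failure, such as a hostname mismatch
	} else if cert.NotAfter.Sub(now) < warn {
		return "renew-soon" // still valid, but renewal is overdue
	}
	return "ok"
}

func main() {
	exp := time.Date(2017, 8, 1, 0, 36, 0, 0, time.UTC) // reported expiry, in UTC
	if cert, err := selfSigned("tip.example.test", exp); err == nil {
		fmt.Println(checkExpiry(cert, "tip.example.test", exp.Add(time.Hour), 720*time.Hour))
	}
}
```

Against a live server the same classification would be applied to the leaf certificate presented in the handshake, using the system roots instead of the constructed pool.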