2023-10-24 14:15:38 |
John A Meinel |
description |
We were getting a failure with some clients not liking the connection to api.charmhub.io, and trying to look at the certs seems to say it has a "Not After Aug 21 2024".
I would guess this affects both snapcraft and charmhub. I'm not sure why we aren't seeing failures more often, since it does seem pretty serious.
$ openssl s_client -showcerts api.charmhub.io:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = GB, L = London, O = CANONICAL GROUP LIMITED, CN = api.snapcraft.io
verify return:1
---
Certificate chain
0 s:C = GB, L = London, O = CANONICAL GROUP LIMITED, CN = api.snapcraft.io
i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 22 00:00:00 2023 GMT; NotAfter: Aug 21 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
It may be that this is handled by the second certificate, which doesn't expire before 2031
1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 14 00:00:00 2021 GMT; NotAfter: Apr 13 23:59:59 2031 GMT
-----BEGIN CERTIFICATE-----
However, they are still running into failures to connect with an error that says there are no valid names. |
|
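An added example, not part of the original report and not code from Canonical or OpenSSL: a small Python parser for the "Certificate chain" section of `openssl s_client -showcerts` output that reports, for each chain entry, whether it is inside its validity window at a chosen time. The sample input is constructed from the chain lines quoted in the report, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the chain lines from the s_client output quoted in the report.
SAMPLE = """\
 0 s:C = GB, L = London, O = CANONICAL GROUP LIMITED, CN = api.snapcraft.io
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 22 00:00:00 2023 GMT; NotAfter: Aug 21 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 14 00:00:00 2021 GMT; NotAfter: Apr 13 23:59:59 2031 GMT
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
VALIDITY = re.compile(r"^\s*v:NotBefore:\s*(.+?);\s*NotAfter:\s*(.+?)\s*$")

def _ts(text):
    # OpenSSL pads single-digit days ("Aug  1 ..."); collapse the padding first.
    text = " ".join(text.split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def chain_validity(output, at):
    """Return one dict per chain entry with its validity status at time `at`."""
    entries, current = [], None
    for line in output.splitlines():
        m = SUBJECT.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2).strip()}
            continue
        m = VALIDITY.match(line)
        if m and current is not None:
            nb, na = _ts(m.group(1)), _ts(m.group(2))
            status = "not-yet-valid" if at < nb else "expired" if at > na else "valid"
            current.update(not_before=nb, not_after=na, status=status,
                           days_left=(na - at).days)
            entries.append(current)
            current = None
    return entries

def chain_ok(entries):
    # Each certificate is checked against its own validity window;
    # an issuer with a later NotAfter does not extend the leaf's.
    return bool(entries) and all(e["status"] == "valid" for e in entries)
```

Passing the report's own timestamp as `at` evaluates the chain as it stood when the bug was filed; validity dates say nothing about hostname matching, which is a separate check against the certificate's names.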