Hi, Just a quick memo about the issue of expired Let's Encrypt certificates. It might be useful for developers who experience issues with HTTPS connection to our servers.
One of the root Let's Encrypt certificates did expire today which affected parts of our development infrastructure. In all cases it doesn't seem to be an issue with the server configuration but is caused by quirks on the client side. We are only aware of issues on Windows. The Subversion clients did not trust the SSL certificate of https://svn.blender.org/. The work-around we did for the builder.blender.org was to install the Let’s Encrypt R3 intermediate certificate [1]. This "worked (tm)", although ideally intermediate certificates shouldn't need to be installed and the system should go by the root CA certificates from the Windows Certificates Store. The Arcanist uses the CURL extension of PHP, and it does not use the Windows Certificates Store. The way it was fixed on the buildbot workers was by creating a cacert.pem with the "ISRG Root X1" certificate which was exported from the Store (and matched the one from Let's Encrypt information page [1]). Our server administrator Danny McGrath also took the liberty of disabling TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided that this doesn't make matters worse, the changes are likely to be kept. [1] https://letsencrypt.org/certificates/ Best regards, - Your Engineering Team Danny and Sergey - -------------------------------------------------------------------- Sergey Sharybin - ser...@blender.org - www.blender.org Principal Software Engineer, Blender Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands _______________________________________________ Bf-committers mailing list Bf-committers@blender.org List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-committers