Hi Howard, All I did was
sudo apt update && sudo apt dist-upgrade The ca-certificates package was among the updates. After this package update, it "just worked" (tm). On Sat, Oct 2, 2021 at 11:58 AM Howard Trickey <howard.tric...@gmail.com> wrote: > Danny, > > I am running Ubuntu, version 20.04.02 LTS. > I'm not sure how to update the ca-certificates. I tried: > > sudo update-ca-certificates > > and it didn't do anything. > Then I tried > > sudo dpkg-reconfigure ca-certificates > sudo update-ca-certificates > > and still no joy. Am I supposed to add some particular certificate to > /etc/ca-certificates.conf ? > > > On Sat, Oct 2, 2021 at 11:19 AM Danny McGrath <d...@blender.org> wrote: > >> Hi Howard, >> >> I got the same on Ubuntu until I updated the ca-certificates to the >> latest version. >> >> Does this also work for you? >> >> On Sat, Oct 2, 2021 at 9:50 AM Howard Trickey via Bf-committers < >> bf-committers@blender.org> wrote: >> >>> I am getting this error on my Linux: >>> >>> $ git submodule foreach git pull >>> Entering 'release/datafiles/locale' >>> fatal: unable to access ' >>> https://git.blender.org/blender-translations.git/': >>> server certificate verification failed. CAfile: none CRLfile: none >>> fatal: run_command returned non-zero status for release/datafiles/locale >>> . >>> >>> On Sat, Oct 2, 2021 at 8:19 AM Danny McGrath via Bf-committers < >>> bf-committers@blender.org> wrote: >>> >>> > Hi, >>> > >>> > Just a heads up that I think I might have solved this server side by >>> > removing the expired CA from the certificate chain. >>> > >>> > I updated git, svn, builder, and developer scripts to remove the >>> > problematic (expired) DST root CA from the web servers. I tried the >>> certbot >>> > --preferred-ca option as well, but it doesn't seem to work, compared to >>> > just removing it from the chain.pem/fullchain.pem files. >>> > >>> > As a test on my Windows 10 machine with TortoiseSVN, it works without >>> error >>> > here. Let me know if it helps or breaks anything! >>> > >>> > On Thu, Sep 30, 2021 at 10:35 PM Ray Molenkamp via Bf-committers < >>> > bf-committers@blender.org> wrote: >>> > >>> > > For people having ssl issues with arcanist, the easiest solution is >>> > > >>> > > 1) grab the latest cacert.pem from >>> https://curl.se/docs/caextract.html >>> > > 2) copy it to [arcanist_installation_folder]/resources/ssl/custom.pem >>> > > >>> > > Pay attention to the slightly different filename it *NEEDS* to be >>> > > custom.pem the original filename cacert.pem will not work. >>> > > >>> > > This should do the trick on all platforms (but it's only been tested >>> > > on Linux and Windows). >>> > > >>> > > --Ray >>> > > On 2021-09-30 1:06 p.m., Sergey Sharybin via Bf-committers wrote: >>> > > > Hi, >>> > > > >>> > > > Just a quick memo about the issue of expired Let's Encrypt >>> > certificates. >>> > > It >>> > > > might be useful for developers who experience issues with HTTPS >>> > > connection >>> > > > to our servers. >>> > > > >>> > > > One of the root Let's Encrypt certificates did expire today which >>> > > affected >>> > > > parts of our development infrastructure. In all cases it doesn't >>> seem >>> > to >>> > > be >>> > > > an issue with the server configuration but is caused by quirks on >>> the >>> > > > client side. We are only aware of issues on Windows. >>> > > > >>> > > > The Subversion clients did not trust the SSL certificate of >>> > > > https://svn.blender.org/. The work-around we did for the >>> > > builder.blender.org >>> > > > was to install the Let’s Encrypt R3 intermediate certificate [1]. >>> This >>> > > > "worked (tm)", although ideally intermediate certificates shouldn't >>> > need >>> > > to >>> > > > be installed and the system should go by the root CA certificates >>> from >>> > > the >>> > > > Windows Certificates Store. >>> > > > >>> > > > The Arcanist uses the CURL extension of PHP, and it does not use >>> the >>> > > > Windows Certificates Store. The way it was fixed on the buildbot >>> > workers >>> > > > was by creating a cacert.pem with the "ISRG Root X1" certificate >>> which >>> > > was >>> > > > exported from the Store (and matched the one from Let's Encrypt >>> > > information >>> > > > page [1]). >>> > > > >>> > > > Our server administrator Danny McGrath also took the liberty of >>> > disabling >>> > > > TLSv1.0 and TLSv1.1 on some of the sites during tests. Provided >>> that >>> > this >>> > > > doesn't make matters worse, the changes are likely to be kept. >>> > > > >>> > > > [1] https://letsencrypt.org/certificates/ >>> > > > >>> > > > Best regards, >>> > > > - Your Engineering Team Danny and Sergey - >>> > > > >>> -------------------------------------------------------------------- >>> > > > Sergey Sharybin - ser...@blender.org - www.blender.org >>> > > > Principal Software Engineer, Blender >>> > > > Buikslotermeerplein 161, 1025 ET Amsterdam, the Netherlands >>> > > > _______________________________________________ >>> > > > Bf-committers mailing list >>> > > > Bf-committers@blender.org >>> > > > List details, subscription details or unsubscribe: >>> > > > https://lists.blender.org/mailman/listinfo/bf-committers >>> > > _______________________________________________ >>> > > Bf-committers mailing list >>> > > Bf-committers@blender.org >>> > > List details, subscription details or unsubscribe: >>> > > https://lists.blender.org/mailman/listinfo/bf-committers >>> > > >>> > >>> > >>> > -- >>> > Cheers, >>> > Danny >>> > >>> > ------------------------------------------------- >>> > Danny McGrath - d...@blender.org - www.blender.org >>> > System Administrator at Blender >>> > GPG key: 0x696871CA >>> > _______________________________________________ >>> > Bf-committers mailing list >>> > Bf-committers@blender.org >>> > List details, subscription details or unsubscribe: >>> > https://lists.blender.org/mailman/listinfo/bf-committers >>> > >>> _______________________________________________ >>> Bf-committers mailing list >>> Bf-committers@blender.org >>> List details, subscription details or unsubscribe: >>> https://lists.blender.org/mailman/listinfo/bf-committers >>> >> >> >> -- >> Cheers, >> Danny >> >> ------------------------------------------------- >> Danny McGrath - d...@blender.org - www.blender.org >> System Administrator at Blender >> GPG key: 0x696871CA >> > -- Cheers, Danny ------------------------------------------------- Danny McGrath - d...@blender.org - www.blender.org System Administrator at Blender GPG key: 0x696871CA _______________________________________________ Bf-committers mailing list Bf-committers@blender.org List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-committers