gitlab.haskell.org certificate expired?

2021-02-14 Thread Richard Eisenberg
Hi Ben,

It looks like the Let's Encrypt certificate for gitlab.haskell.org has
expired, as of about 15 minutes ago. I guess it's time to renew.

Thanks,
Richard
___
ghc-devs mailing list
ghc-devs@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs


Re: gitlab.haskell.org certificate expired?

2021-02-14 Thread Daniel Gröber
Hi,

indeed looks to be broken, even though my browser still doesn't complain
the openssl command sure does:

$ openssl s_client -showcerts -verify_return_error -4 -connect gitlab.haskell.org:443 < /dev/null
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = gitlab.haskell.org
verify error:num=10:certificate has expired
notAfter=Feb 14 23:21:04 2021 GMT
140217764021376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2594 bytes and written 317 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---

FYI I wrote a super simple monitoring script using faketime+openssl to
prevent this sort of thing from happening in case you guys are interested:

https://meta.it-syndikat.org/t/tls-monitoring-fur-unsere-infrastruktur/2492

The description is in German unfortunately, but the script itself is
commented in English of course ;)

We install this as a cron.daily job and use cron monitoring to make sure the
script runs, but I suspect if you're not worried about the "it actually
ran" part cron's default emails would work just as well.

--Daniel

On Sun, Feb 14, 2021 at 11:37:45PM +, Richard Eisenberg wrote:
> Hi Ben,
> 
> It looks like the Let's Encrypt certificate for gitlab.haskell.org has
> expired, as of about 15 minutes ago. I guess it's time to renew.
> 
> Thanks,
> Richard
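
Added example (not part of the thread, and not the script Daniel links to): the point of running openssl under faketime is to ask whether the certificate would still verify at a future date. The Python below parses the verification lines of the s_client output quoted in this thread and classifies the leaf certificate as a check run at a chosen time would see it; the function names and the 14-day warning window are assumptions.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: the verification lines from the s_client output in this thread.
SAMPLE = """\
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = gitlab.haskell.org
verify error:num=10:certificate has expired
notAfter=Feb 14 23:21:04 2021 GMT
"""

def parse_chain(output):
    """Return one dict per certificate: depth, subject, verify error, notAfter."""
    chain = []
    for line in output.splitlines():
        if m := re.match(r"depth=(\d+) (.*)", line):
            chain.append({"depth": int(m[1]), "subject": m[2],
                          "error": None, "not_after": None})
        elif chain and (m := re.match(r"verify error:num=(\d+):(.*)", line)):
            chain[-1]["error"] = (int(m[1]), m[2])
        elif chain and line.startswith("notAfter="):
            # openssl prints notAfter in GMT; cert_time_to_seconds parses that format.
            secs = ssl.cert_time_to_seconds(line.split("=", 1)[1])
            chain[-1]["not_after"] = datetime.fromtimestamp(secs, timezone.utc)
    return chain

def expiry_status(not_after, now, warn_days=14):
    """Classify the certificate as a check run at `now` would see it.

    Adding warn_days to `now` plays the role of faketime: it asks whether
    the certificate would already be expired that many days from now.
    """
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring"
    return "ok"

if __name__ == "__main__":
    leaf = parse_chain(SAMPLE)[-1]
    for day in (datetime(2021, 1, 1, tzinfo=timezone.utc),
                datetime(2021, 2, 1, tzinfo=timezone.utc),
                datetime(2021, 2, 15, tzinfo=timezone.utc)):
        print(day.date(), leaf["subject"], expiry_status(leaf["not_after"], day))
```

Run daily from cron, a check like this would have reported "expiring" for two weeks before the handshake started failing.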


Re: gitlab.haskell.org certificate expired?

2021-02-14 Thread Ben Gamari
Richard Eisenberg writes:

> Hi Ben,
>
> It looks like the Let's Encrypt certificate for gitlab.haskell.org has
> expired, as of about 15 minutes ago. I guess it's time to renew.
>
Thanks for the ping. In principle this happens automatically but it
seems that we were hit by a NixOS bug [1]. Anyways, I've worked around
it for now and things should be back to normal.

Cheers,

- Ben

[1] https://github.com/NixOS/nixpkgs/issues/101445




Re: gitlab.haskell.org certificate expired?

2021-02-14 Thread Ben Gamari
Daniel Gröber writes:

> Hi,
>
> indeed looks to be broken, even though my browser still doesn't complain
> the openssl command sure does:
>
For the record, the problem was a NixOS bug [1] which resulted in the
automated renewal failing. The problem has been worked around for now
and should be fixed upstream soon.

Cheers,

- Ben

[1] https://github.com/NixOS/nixpkgs/issues/101445

