Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#21386 closed task (wontfix)

SVN certificate expired?

Reported by: GerdP
Owned by: team
Priority: normal
Milestone:
Component: Core
Version:
Keywords: SVN
Cc: Don-vip, stoecker

Description

I get an error message when using svn up:

C:\josm\core>svn up
Updating '.':
Error validating server certificate for 'https://josm.openstreetmap.de:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
 - The certificate has expired.
Certificate information:
 - Hostname: josm.openstreetmap.de
 - Valid: from Aug 16 09:41:21 2021 GMT until Nov 14 09:41:19 2021 GMT
 - Issuer: R3, Let's Encrypt, US
 - Fingerprint: E1:32:FC:BA:51:27:C9:EB:ED:19:7F:FE:D4:D8:5A:37:47:70:2F:79
(R)eject, accept (t)emporarily or accept (p)ermanently?

Attachments (1)

cert.png (9.1 KB) - added by Don-vip 3 years ago.

Change History (14)

comment:1 by taylor.smock, 3 years ago

I've seen some stuff in the news about Let's Encrypt dropping a cross-chained root. I don't know where Windows svn gets its cert information, but that might be the problem.

EDIT: I don't see this on Mac.

comment:2 by gaben, 3 years ago

Something similar ("The certificate has expired.") is happening with Oracle WebStart as well.

comment:3 by Don-vip, 3 years ago

I got the error too, both on the command line and with TortoiseSVN:


by Don-vip, 3 years ago

Attachment: cert.png added

comment:4 by Don-vip, 3 years ago

Milestone: 21.09
Resolution: fixed
Status: new → closed

I've updated the dehydrated script and renewed the certificates. Seems to work now.

@Dirk can you please check if the new script is ok? I've kept a copy of the old one.

comment:5 by GerdP, 3 years ago

The new certificate produces the same warning for me:

C:\josm\core>svn up
Updating '.':
Error validating server certificate for 'https://josm.openstreetmap.de:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: josm.openstreetmap.de
 - Valid: from Oct  1 22:03:43 2021 GMT until Dec 30 22:03:42 2021 GMT
 - Issuer: R3, Let's Encrypt, US
 - Fingerprint: 3A:9B:F0:73:12:96:27:28:4B:50:00:18:86:24:D3:8B:A1:E1:F8:E0
(R)eject, accept (t)emporarily or accept (p)ermanently?

comment:6 by GerdP, 3 years ago

Resolution: fixed
Status: closed → reopened

in reply to:  4 comment:7 by stoecker, 3 years ago

Resolution: wontfix
Status: reopened → closed

Replying to Don-vip:

> I've updated the dehydrated script and renewed the certificates. Seems to work now.
>
> @Dirk can you please check if the new script is ok? I've kept a copy of the old one.

Updating dehydrated does no harm but also is not necessary :-)

I already adapted the hook script to drop the outdated cert some days ago, but didn't renew as the cert shouldn't do any harm (after your renewal that's no issue anymore).

As cross-signing ended I can only recommend everybody who has trouble to update their system certificate store so that it includes "ISRG Root X1".

There is not much which we can do for the older systems except encouraging them to update. Sorry.

comment:8 by Don-vip, 3 years ago

Milestone: 21.09

comment:9 by stoecker, 3 years ago

See also reference list of Let's Encrypt: https://letsencrypt.org/docs/certificate-compatibility/

comment:11 by GerdP, 3 years ago

> There is not much which we can do for the older systems except encouraging them to update. Sorry.

I see this problem with the latest version of TortoiseSVN on two different computers, both running Win 10 21H1. I'd say my systems are up to date. I also have the issue with wget but that program is quite old.

> update their system certificate store so that it includes "ISRG Root X1"

How?

in reply to:  11 comment:12 by stoecker, 3 years ago

Replying to GerdP:

> > There is not much which we can do for the older systems except encouraging them to update. Sorry.
>
> I see this problem with the latest version of TortoiseSVN on two different computers, both running Win 10 21H1. I'd say my systems are up to date. I also have the issue with wget but that program is quite old.
>
> > update their system certificate store so that it includes "ISRG Root X1"
>
> How?

Windows 10 should support the Let's Encrypt cert. In this case maybe you need to follow the OpenSSL 1.0.2 guideline and drop the "DST Root CA X3" which is no longer valid.

See https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

Do you use the software under Cygwin or something similar which has its own certificate stores?

comment:13 by GerdP, 3 years ago

Hmm, no idea what's different on my machines. At the moment I cannot reproduce the problem with svn because I accepted the new certificate "permanently". No idea how or where to undo that.
I used mmc (Management Console) to check the certificate store. I did not find the "ISRG Root X1" certificate, only the "DST Root CA X3". I've now disabled the latter and rebooted but svn still works and wget still doesn't.
I don't use cygwin now but it was installed on my machine in the past. No idea if that has any impact now because several Windows updates happened since.

I use wget in a script which updates josm-tested.jar, so not a big problem for me as I can do that manually as well.
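
Added example, not part of the ticket or of the JOSM project's code: a simplified, name-based model of certificate path building, showing why the result depends on both the chain the server sends and the roots in the client's store. The certificate tuples and their rounded dates are constructed stand-ins, and `trusted_first=False` is an assumed approximation of the chain building that the OpenSSL 1.0.2 guideline linked in comment:12 addresses.

```python
from datetime import datetime, timezone

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed stand-ins (subject, issuer, not_after) for the certificates named
# in the ticket; expiry dates are rounded to the day.
LEAF = ("josm.openstreetmap.de", "R3", day(2021, 12, 30))
R3 = ("R3", "ISRG Root X1", day(2025, 9, 15))
X1_CROSS = ("ISRG Root X1", "DST Root CA X3", day(2024, 9, 30))  # cross-signed
X1_ROOT = ("ISRG Root X1", "ISRG Root X1", day(2035, 6, 4))      # self-signed
DST_X3 = ("DST Root CA X3", "DST Root CA X3", day(2021, 9, 30))  # expired root
NOW = day(2021, 10, 2)  # the day after the renewed certificate was issued

def build_chain(served, store, trusted_first):
    """Name-based path building; served is leaf first, store holds trust anchors."""
    anchors = {c[0]: c for c in store}
    extra = {c[0]: c for c in served[1:]}
    chain = [served[0]]
    while True:
        issuer = chain[-1][1]
        if trusted_first and issuer in anchors:
            return chain + [anchors[issuer]]
        if issuer in extra and extra[issuer] not in chain:
            chain.append(extra[issuer])  # follow what the server sent
        elif issuer in anchors:
            return chain + [anchors[issuer]]
        else:
            break
    # Fallback: drop served certificates from the end and retry the store.
    while len(chain) > 1:
        chain.pop()
        if chain[-1][1] in anchors:
            return chain + [anchors[chain[-1][1]]]
    return None

def verify(served, store, now=NOW, trusted_first=False):
    chain = build_chain(served, store, trusted_first)
    if chain is None:
        return "untrusted"
    return "expired" if any(now > c[2] for c in chain) else "ok"

if __name__ == "__main__":
    old, new = [LEAF, R3, X1_CROSS], [LEAF, R3]
    for label, served, store in [
        ("cross-signed chain, store: DST Root CA X3 only", old, [DST_X3]),
        ("shortened chain, store: DST Root CA X3 only", new, [DST_X3]),
        ("cross-signed chain, store: both roots", old, [DST_X3, X1_ROOT]),
        ("cross-signed chain, store: ISRG Root X1 only", old, [X1_ROOT]),
    ]:
        print(f"{verify(served, store):9} {label}")
```

With only "DST Root CA X3" in the store, the shortened chain comes back as untrusted, matching the warning in comment:5. Once "ISRG Root X1" is present it verifies, and for the cross-signed chain the non-trusted-first builder additionally needs the expired root removed.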
