[Dune] certificate problems?
Steffen Müthing
steffen.muething at iwr.uni-heidelberg.de
Thu Jun 18 13:11:00 CEST 2015
Ah, good to know.
dune-project.org uses a wildcard certificate for *.dune-project.org. We cannot use SNI because
the current (old) conan still runs Apache 2.2, which doesn’t support SNI. That certificate is signed
by GlobalSign, because GlobalSign has a program that hands out free SSL wildcard certificates
to open source projects (normally, wildcard certificates cost several hundred dollars per year).
conan.iwr.uni-heidelberg runs on a regular DFN-signed certificate, and the DFN root certificate is
cross signed by Deutsche Telekom, so there shouldn’t be a problem.
Gitlab on conan2 currently runs in unencrypted mode because we lack a certificate; that will change
as soon as conan completely moves over to the new server.
I recently had some problems with git.dune-project.org on my Mac because homebrew shipped both
a current and an outdated GlobalSign root certificate, and OpenSSL insisted on picking the expired
certificate - but that’s just a Mac issue.
Steffen
> On 14.06.2015 at 21:22, Christian Engwer <christian.engwer at uni-muenster.de> wrote:
>
> OK, I just received a debian update of my gnutls installation and now
> everything works again.
>
> Christian
>
>
> On Sun, Jun 14, 2015 at 09:11:23PM +0200, Christian Engwer wrote:
>> Hi Jö,
>>
>>> I thought that maybe the server is using a DFN-signed certificate, and I
>>> remember I had to install that at some point. However, according to my
>>> browser, it is signed by "GlobalSign nv-sa". Is the line
>>>
>>> mozilla/GlobalSign_Root_CA.crt
>>>
>>> present and enabled in your /etc/ca-certificates.conf?
>>
>> yes it is
>>
>> I think the problem is a combination of the recent gnutls upgrade on
>> debian-testing and (perhaps) the latest changes of the apache ssl
>> configuration on conan (may 20th).
>>
>> I didn't manage to really find the reason, but ssllabs also complains a
>> lot about the ssl configuration of git.dune-project.org. conan2
>> works. On bugs.debian.org was a bug report about recent git problems
>> with SNI-enabled servers (which might be the problem in this case as
>> we have virtual hosts).
>>
>> Furthermore I failed to quickly switch conan to gnutls, which might improve
>> the situation...
>>
>> Christian
>>
>> _______________________________________________
>> Dune mailing list
>> Dune at dune-project.org
>> http://lists.dune-project.org/mailman/listinfo/dune
>>
>
> --
> Prof. Dr. Christian Engwer
> Institut für Numerische und Angewandte Mathematik
> Fachbereich Mathematik und Informatik der Universität Münster
> Einsteinstrasse 62
> 48149 Münster
>
> E-Mail christian.engwer at uni-muenster.de
> Phone +49 251 83-35067
> FAX +49 251 83-32729
>
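A check for the trust-store state described in the reply above (a current and an expired root certificate with the same subject in one bundle), as an added example that is not part of the original thread. The function names and the sample entries are constructed for illustration; the entries use the dictionary shape that Python's `ssl.SSLContext.get_ca_certs()` returns.

```python
import ssl
import sys
import time
from collections import defaultdict


def flatten_name(name):
    """Turn the nested RDN tuples used by the ssl module into 'k=v, k=v'."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)


def find_shadowed_roots(ca_certs, now=None):
    """Return {subject: [notAfter of expired copies]} for every subject that
    has at least one expired AND at least one still-valid certificate."""
    now = time.time() if now is None else now
    by_subject = defaultdict(lambda: {"expired": [], "valid": []})
    for cert in ca_certs:
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        state = "expired" if expires < now else "valid"
        by_subject[flatten_name(cert["subject"])][state].append(cert["notAfter"])
    return {subj: s["expired"] for subj, s in by_subject.items()
            if s["expired"] and s["valid"]}


def load_bundle(cafile):
    """Load a PEM bundle and return its CA certificates as ssl-module dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


# Constructed sample entries (not real certificates).
_ROOT = ((("organizationName", "Example Trust"),),
         (("commonName", "Example Root CA"),))
SAMPLE = [
    {"subject": _ROOT, "notAfter": "Jan 28 12:00:00 2014 GMT"},  # stale copy
    {"subject": _ROOT, "notAfter": "Jan 28 12:00:00 2028 GMT"},  # current copy
    {"subject": ((("commonName", "Other Root CA"),),),
     "notAfter": "Mar 15 00:00:00 2030 GMT"},
    {"subject": ((("commonName", "Old Root CA"),),),             # expired, no twin
     "notAfter": "Dec 31 23:59:59 2010 GMT"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 18 11:11:00 2015 GMT")

if __name__ == "__main__":
    # With a path argument, check that bundle against the current time.
    certs, now = (load_bundle(sys.argv[1]), None) if len(sys.argv) > 1 \
        else (SAMPLE, SAMPLE_NOW)
    for subject, stale in find_shadowed_roots(certs, now).items():
        print(f"{subject}: expired copy (notAfter {', '.join(stale)}) "
              "sits beside a valid one")
```

Run with a bundle path as the only argument to check a real trust store; without arguments it reports on the constructed sample.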