Date: Wed, 8 Sep 2021 16:48:06 +0000
From: Stefan Huehner
To: pgsql-pkg-debian@postgresql.org
Subject: apt.postgresql.org repo via https will fail for some users starting 2021-10-01
Message-ID: <20210908164806.GC6114@huehner.biz>

Hello,

sending this here as it looks like https://apt.postgresql.org is affected by this, so this could trigger some support/user questions. Note this only (!) happens when using https:// in sources.list for the pgdg repo. The benefit of that is debatable (see recent debian-devel discussion) but I would not be surprised if some/many people use it.

Trigger: https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816

End of this month some CA cert related to Let's Encrypt will expire, which will trigger a bug in clients using old openssl/gnutls. apt is using the gnutls backend and at least the version in Ubuntu <= 18.04 is affected, and "apt update" will already fail for people starting that date. Note that Canonical is working on patching gnutls, so if that finishes in time and (!) if people update before that date, all good.

If not they will get an error similar to:

Err:9 https://apt.postgresql.org/pub/repos/apt focal-pgdg Release
  Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 87.238.57.227 443]

Can be triggered today i.e. with:

faketime "2021-10-01" apt update

Ideas:
- Do nothing; apt.postgresql suggests http:// in the instructions
- Some on the website
- Think on reconfiguring certbot/Let's Encrypt on the server to switch to the alternative chain (avoiding this bug but breaking compatibility with old Android)
- Raise as a bug to debian also (against openssl/gnutls) to maybe patch both in stable also to avoid this? Not sure if that is interesting/acceptable material for stable/old-stable?

Please CC me on replies, I'm not on the list.

Stefan
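The failure mode and the trade-off behind the "alternative chain" idea above, as an added worked model that is not part of the mail and not code from the apt.postgresql.org project: a legacy verifier (old OpenSSL/GnuTLS) walks the chain the server presents to its end and then looks the last issuer up in the trust store, so an expired cross-signed root in the presented chain fails the handshake even though the client also trusts ISRG Root X1; a modern "trusted first" verifier prefers a trust-store certificate at each step and ignores the cross-sign. Certificates are modelled only by subject, issuer and notAfter (no real PEM parsing); the root and intermediate names and expiry dates follow the public Let's Encrypt certificates of 2021, while the leaf certificate, its expiry and the two trust stores are constructed for the illustration. Serving the alternate chain fixes the legacy client that already has ISRG Root X1 and breaks the client that only has DST Root CA X3, which is the Android compatibility cost the mail mentions.

```python
"""Constructed model of legacy vs. modern certificate path building around the
DST Root CA X3 expiry (2021-09-30). Not real TLS: certs are (subject, issuer, notAfter)."""
from collections import namedtuple
from datetime import datetime, timezone

Cert = namedtuple("Cert", "subject issuer not_after")


def utc(*ymd_hms):
    return datetime(*ymd_hms, tzinfo=timezone.utc)


# Names/dates of R3, ISRG Root X1 and DST Root CA X3 are the public 2021 values;
# the leaf is a constructed placeholder for the repository's server certificate.
LEAF = Cert("apt.postgresql.org", "R3", utc(2021, 11, 30))            # constructed
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-sign
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30, 14, 1, 15))

DEFAULT_CHAIN = [LEAF, R3, X1_CROSS]   # certbot default: ends in the cross-signed X1
ALTERNATE_CHAIN = [LEAF, R3]           # alternate chain: stops at R3, anchor is ISRG Root X1

TRUST_NEW = {c.subject: c for c in (X1_SELF, DST_X3)}  # store that knows ISRG Root X1
TRUST_OLD = {c.subject: c for c in (DST_X3,)}          # constructed "old Android" store


def _expired(cert, now):
    return now > cert.not_after


def verify_legacy(chain, trust, now):
    """Old OpenSSL (<1.1.0) / GnuTLS style: use the presented chain as-is, then find a
    root for its last issuer; every cert on that single path must be unexpired."""
    path = list(chain)
    root = trust.get(path[-1].issuer)
    if root is None:
        return False, "no trusted issuer for " + path[-1].subject
    path.append(root)
    for c in path:
        if _expired(c, now):
            return False, "expired certificate in path: " + c.subject
    return True, " -> ".join(c.subject for c in path)


def verify_modern(chain, trust, now):
    """'Trusted first' style (OpenSSL 1.1.0+): at each step prefer the trust store's
    copy of the issuer over the presented one, so the cross-sign is never used."""
    presented = {c.subject: c for c in chain[1:]}
    cert, path, seen = chain[0], [chain[0]], set()
    while True:
        if _expired(cert, now):
            return False, "expired certificate in path: " + cert.subject
        if cert.subject == cert.issuer and cert.subject in trust:
            return True, " -> ".join(c.subject for c in path)
        seen.add(cert.subject)
        if cert.issuer in trust:
            nxt = trust[cert.issuer]
        elif cert.issuer in presented and cert.issuer not in seen:
            nxt = presented[cert.issuer]
        else:
            return False, "no trusted issuer for " + cert.subject
        cert = nxt
        path.append(cert)


def outcome_table(now):
    """Map (chain, trust store, client kind) -> verification success at time `now`."""
    results = {}
    for chain_name, chain in (("default", DEFAULT_CHAIN), ("alternate", ALTERNATE_CHAIN)):
        for store_name, store in (("store-with-ISRG-X1", TRUST_NEW), ("store-DST-only", TRUST_OLD)):
            results[(chain_name, store_name, "legacy")] = verify_legacy(chain, store, now)[0]
            results[(chain_name, store_name, "modern")] = verify_modern(chain, store, now)[0]
    return results


if __name__ == "__main__":
    for when in (utc(2021, 9, 8), utc(2021, 10, 1)):
        print(when.date())
        for key, ok in sorted(outcome_table(when).items()):
            print("  ", *key, "OK" if ok else "FAIL")
```

Running it shows every combination succeeding on 2021-09-08 except the alternate chain against a DST-only store, and on 2021-10-01 only three combinations surviving: the default chain on a modern client, and the alternate chain on any client that already trusts ISRG Root X1. That matches the mail's `faketime "2021-10-01" apt update` reproduction and the reason the alternate chain is not a free fix.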