From: Magnus Hagander
Date: Tue, 14 Sep 2021 16:33:01 +0200
Subject: Re: apt.postgresql.org repo via https will fail will some users starting 2021-10-01
To: Stefan Huehner
Cc: pgsql-pkg-debian@postgresql.org
In-Reply-To: <20210908164806.GC6114@huehner.biz>

On Wed, Sep 8, 2021 at 6:42 PM Stefan Huehner wrote:
>
> Hello,
>
> sending this here as it looks like https://apt.postgresql.org is affected by this, so this could trigger some support/user questions.
>
> Note this only (!) happens when using https:// in sources.list for the pgdg repo.
>
> Benefit of that is debatable (see recent debian-devel discussion) but I would not be surprised if some/many people use it.
>
> Trigger:
> https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
>
> End of this month some CA cert will expire related to Let's Encrypt which will trigger a bug in clients using old openssl/gnutls.
>
> apt is using the gnutls backend and at least the versions in Ubuntu <= 18.04 are affected, and "apt update" will already fail for people starting that date.
>
> Note that Canonical is working on patching gnutls, so if that finishes in time and (!) if people update before that date, all good.
>
> If not they will get an error similar to:
> Err:9 https://apt.postgresql.org/pub/repos/apt focal-pgdg Release
> Certificate verification failed: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 87.238.57.227 443]
>
> Can be triggered today i.e. with:
>
> faketime "2021-10-01" apt update
>
> Ideas:
> - Do nothing, apt.postgresql suggests http:// in the instructions
> - Some on the website
> - Think on reconfiguring certbot/Let's Encrypt on the server to switch to the alternative chain (avoiding this bug but breaking compatibility with old Android)
>
> - Raise as bug to debian also (against openssl/gnutls) to maybe patch both in stable also to avoid this?
> - Not sure if that is an interesting/acceptable material for stable/old-stable?

Hi!

We've started looking into what can and should be done on the infra side to see if we can get this working.

One question though. In my attempts to reproduce, it seems that *wget* on Ubuntu 18.04 has no problem with the current chain, just apt-get; does that match with your testing? So if one follows our instructions of getting the gpg key with https but the actual repo with http, it never actually presents a problem?

That's not saying we don't need to do anything about it, just to reconfirm our tests. For example, this appears to also break RedHat 6 as well...

-- 
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
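As an added illustration (not code from the thread or from the PostgreSQL infrastructure team), the following toy model contrasts the two client behaviours and the two chain choices the thread discusses: an old client that walks the served chain to its end and trips over an expired anchor, a newer client that stops at the first usable anchor, and the "alternative chain" that fixes the former while dropping clients that only know the old root. Every name, date and trust store below is constructed (including the assumption that the old-android store has only the old root and never checks anchor expiry); it is not a certificate parser and not a reimplementation of GnuTLS.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, simplified model (subject, issuer, expiry only; no signatures or
# real parsing). Names and dates are made up to mirror the thread's situation,
# not copied from the real Let's Encrypt hierarchy.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

def _anchor_ok(name, trust_store, today):
    # trust_store maps anchor name -> expiry (None: client never checks it)
    if name not in trust_store:
        return False
    expiry = trust_store[name]
    return expiry is None or expiry >= today

def legacy_validate(chain, trust_store, today):
    """Old client (like the apt/GnuTLS combination in the thread): follows the
    served chain to its end and uses the last issuer as its only anchor."""
    for cert in chain:
        if cert.not_after < today:
            return False, f"chain uses expired certificate: {cert.subject}"
    anchor = chain[-1].issuer
    if _anchor_ok(anchor, trust_store, today):
        return True, f"anchored at {anchor}"
    return False, f"anchor {anchor} missing or expired"

def modern_validate(chain, trust_store, today):
    """Client that accepts as soon as some certificate's issuer is a usable
    anchor and ignores whatever the server sent after that point."""
    for cert in chain:
        if cert.not_after < today:
            return False, f"chain uses expired certificate: {cert.subject}"
        if _anchor_ok(cert.issuer, trust_store, today):
            return True, f"anchored at {cert.issuer}"
    return False, "no usable trust anchor"

# Constructed chain: leaf, intermediate, and the new root cross-signed by an old
# root whose own expiry (2021-09-30) falls the day before the thread's
# `faketime "2021-10-01" apt update` check.
LEAF = Cert("apt.postgresql.org", "intermediate", date(2021, 12, 1))
INTERMEDIATE = Cert("intermediate", "new-root", date(2025, 9, 15))
CROSS_SIGN = Cert("new-root", "old-root", date(2024, 9, 30))
DEFAULT_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGN]
ALTERNATIVE_CHAIN = [LEAF, INTERMEDIATE]
UPDATED_STORE = {"new-root": date(2035, 6, 4), "old-root": date(2021, 9, 30)}
OLD_ANDROID_STORE = {"old-root": None}  # only the old root; expiry never checked
FAKETIME = date(2021, 10, 1)
```

Calling `legacy_validate(DEFAULT_CHAIN, UPDATED_STORE, FAKETIME)` reproduces the thread's failure, while the same call with `ALTERNATIVE_CHAIN` succeeds and the same chain against `OLD_ANDROID_STORE` shows what the alternative chain gives up.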