Bug#787157: [bts] bts show fails completely due to ssl issue
Jakub Wilk
jwilk at debian.org
Fri May 29 09:04:41 UTC 2015
Hi Klaus!
* Klaus Ethgen <Klaus at Ethgen.de>, 2015-05-29, 09:46:
>See the following:
> ~> bts -m show XXXXXX
> bts: couldn't download http://bugs.debian.org/762709:
> 500 Can't connect to bugs.debian.org:443 (certificate verify failed)
>
>The following certificates (and only them) are enabled in
>ca-certificates:
>- CAcert/class3.crt
>- CAcert/root.crt
>- mozilla/USERTrust_RSA_Certification_Authority.crt
>
>There are several things wrong with bts here:
>1. The URL in the error message should not be http when it really uses
>https. With http, that error makes no sense.
bts(1) connects to bugs.d.o via HTTP, which only then redirects to
HTTPS. This is something we should fix.
In the meantime, you can put
  BTS_SERVER=https://bugs.debian.org
in your ~/.devscripts.
>2. Looking at bugs.debian.org via gnutls-cli shows that the
>certificate-tree is:
> - O=The USERTRUST Network,CN=USERTrust RSA Certification Authority
> - O=Gandi,CN=Gandi Standard SSL CA 2
> - CN=bugs.debian.org
>There is no Gandi certificate in ca-certificates but as the root
>certificate is valid, it should not fail.
No, that's not right. The root CA for bugs.d.o is AddTrust_External_Root.
>3. All Debian domains are already utilizing DANE, so there is no reason to
>not use it.
Heh, patches welcome. Have fun implementing DANE validation. ;-)
--
Jakub Wilk