Opened 11 years ago

Closed 10 years ago

#43205 closed defect (worksforme)

curl-ca-bundle: fails to verify macports.org certificate

Reported by: mojca (Mojca Miklavec) Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: Normal Milestone:
Component: ports Version: 2.2.99
Keywords: Cc: landonf (Landon Fuller), neverpanic (Clemens Lang), cooljeanius (Eric Gallager)
Port: curl-ca-bundle

Description

I'm having basically the same problem as described #42718, except that I have curl-ca-bundle installed and no certsync. 

$ sudo port -v sync
--->  Updating the ports tree
Synchronizing local ports tree from file:///Users/me/macports/svn/macports/trunk/dports
Updating '/Users/me/macports/svn/macports/trunk/dports':
svn: E230001: Unable to connect to a repository at URL 'https://svn.macports.org/repository/macports/trunk'
svn: E230001: Server SSL certificate verification failed: certificate has expired
Command failed: /opt/local/bin/svn update --non-interactive /Users/me/macports/svn/macports/trunk/dports
Exit code: 1
Error: Synchronization of the local ports tree failed doing an svn update
...

$ curl https://www.macports.org/
<?xml version="1.0" encoding="utf-8"?>
... works ...

$ openssl s_client -connect www.macports.org:443 -CAfile /opt/local/etc/openssl/cert.pem
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify error:num=10:certificate has expired
notAfter=Jan 28 12:00:00 2014 GMT
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.macports.org
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
...

$ port provides /opt/local/etc/openssl/cert.pem
/opt/local/etc/openssl/cert.pem is provided by: curl-ca-bundle

When using certsync instead of curl-ca-bundle it works. When replacing 

/opt/local/bin/svn update --non-interactive /Users/me/macports/svn/macports/trunk/dports

by 

/usr/bin/svn update --non-interactive /Users/me/macports/svn/macports/trunk/dports

in macports.tcl or when running that command manually (rather than inside macports.tcl) it works as well.

Change History (4)

comment:1 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Is this only since upgrading to version @7.36.0? Does @7.35.0 work better?

comment:2 Changed 11 years ago by mojca (Mojca Miklavec)

I uninstalled curl-ca-bundle, installed certsync and it started working.

Then I uninstalled certsync, installed curl-ca-bundle 7.35 and it worked. Then I installed 7.36 again and it worked as well.

The behaviour doesn't seem consistent, so sadly I'm unable to answer your question.

comment:3 Changed 10 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:4 Changed 10 years ago by neverpanic (Clemens Lang)

Resolution: worksforme
Status: newclosed

Since we can not reproduce this, and it hasn't come up since, I'm closing this as worksforme.

Note: See TracTickets for help on using tickets.