[MacPorts] #42718: certsync fails to verify macports.org certificate

MacPorts noreply at macports.org
Tue Mar 4 09:44:11 PST 2014


#42718: certsync fails to verify macports.org certificate
--------------------------+-----------------------
 Reporter:  ryandesign@…  |      Owner:  landonf@…
     Type:  defect        |     Status:  new
 Priority:  Normal        |  Milestone:
Component:  ports         |    Version:  2.2.1
 Keywords:                |       Port:  certsync
--------------------------+-----------------------
 We recently got a new SSL certificate for macports.org, from a different
 organization, and certsync fails to verify it; confirmed on multiple
 machines and OS X versions:

 {{{
 $ sudo port -v sync
 --->  Updating the ports tree
 Synchronizing local ports tree from file:///Users/rschmidt/macports/dports
 Updating '/Users/rschmidt/macports/dports':
 svn: E230001: Unable to connect to a repository at URL
 'https://svn.macports.org/repository/macports/trunk'
 svn: E230001: Server SSL certificate verification failed: certificate has
 expired
 Command failed: /opt/local/bin/svn update --non-interactive
 /Users/rschmidt/macports/dports
 Exit code: 1
 }}}

 {{{
 $ curl https://www.macports.org/
 curl: (60) SSL certificate problem: certificate has expired
 More details here: http://curl.haxx.se/docs/sslcerts.html

 curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
 If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
 If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
 }}}

 {{{
 $ openssl s_client -connect www.macports.org:443 -CAfile
 /opt/local/etc/openssl/cert.pem
 CONNECTED(00000004)
 depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root
 CA
 verify error:num=10:certificate has expired
 notAfter=Jan 28 12:00:00 2014 GMT
 verify return:0
 }}}

 Using curl-ca-bundle instead of certsync, there is no problem.

 Analysis from Rainer:

 > I see in Keychain there are two certificates named "GlobalSign Root CA",
 > and the one used here expired in January 2014, while the other one would
 > be valid until January 2028. It's certainly using the wrong certificate,
 > but I don't know yet why that happens.
 >
 > Maybe certsync compares them by name in a dictionary instead of using a
 > unique key identifier and that mixes them up?

-- 
Ticket URL: <https://trac.macports.org/ticket/42718>
MacPorts <http://www.macports.org/>
Ports system for OS X
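The hypothesis quoted in the ticket, that a trust store keyed by certificate name collapses two distinct roots that share a subject, can be shown in a small model. The following is an added example, not certsync or MacPorts code: it stands in for parsed X.509 fields with a dataclass (the `der`, subject key identifier and dates are constructed placeholders, not the real GlobalSign values), and contrasts a name-keyed store with one keyed by subject key identifier, plus an audit helper that flags duplicate subjects in a bundle.

```python
"""Constructed model of a CA trust store keyed by subject name versus by a
unique identifier. Not certsync code; field values are illustrative."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class RootCert:
    """Fields a verifier reads out of a parsed root certificate.
    `der` stands in for the certificate's DER encoding (constructed bytes)."""
    subject: str
    subject_key_id: str      # hex value of the SKI extension (constructed)
    not_after: datetime
    der: bytes

    def fingerprint(self) -> str:
        # SHA-256 over the DER bytes: unique per certificate, unlike the subject
        return hashlib.sha256(self.der).hexdigest()


# Constructed sample mirroring the ticket: two roots with the same subject,
# one expired in January 2014 and one valid until 2028. Placeholder values.
OLD_ROOT = RootCert("CN=GlobalSign Root CA", "aa11",
                    datetime(2014, 1, 28, 12, 0, tzinfo=timezone.utc), b"old-root-der")
NEW_ROOT = RootCert("CN=GlobalSign Root CA", "bb22",
                    datetime(2028, 1, 28, 12, 0, tzinfo=timezone.utc), b"new-root-der")
NOW = datetime(2014, 3, 4, tzinfo=timezone.utc)   # the ticket's date


def store_by_name(certs):
    """Dictionary keyed by subject: a second root with the same subject
    silently overwrites the first, so the survivor depends on input order."""
    store = {}
    for c in certs:
        store[c.subject] = c
    return store


def store_by_key_id(certs):
    """Dictionary keyed by subject key identifier under each subject:
    both roots survive and can be tried when a chain names that issuer."""
    store = {}
    for c in certs:
        store.setdefault(c.subject, {})[c.subject_key_id] = c
    return store


def trusted_root_by_name(store, issuer, now):
    """Lookup against the name-keyed store: one candidate, take it or fail."""
    c = store.get(issuer)
    if c is None or c.not_after <= now:
        return None
    return c


def trusted_root_by_key_id(store, issuer, now):
    """Lookup against the identifier-keyed store: return any unexpired root
    with the requested subject (a real verifier would also check the
    signature and prefer the authority key identifier from the chain)."""
    for c in store.get(issuer, {}).values():
        if c.not_after > now:
            return c
    return None


def duplicate_subjects(certs):
    """Audit helper: subjects that appear with more than one distinct
    fingerprint in a bundle, i.e. the cases a name-keyed store mishandles."""
    seen = {}
    for c in certs:
        seen.setdefault(c.subject, set()).add(c.fingerprint())
    return {s: len(fps) for s, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    issuer = "CN=GlobalSign Root CA"
    print("duplicates:", duplicate_subjects([OLD_ROOT, NEW_ROOT]))
    print("by name, expired root loaded last:",
          trusted_root_by_name(store_by_name([NEW_ROOT, OLD_ROOT]), issuer, NOW))
    print("by key id:",
          trusted_root_by_key_id(store_by_key_id([NEW_ROOT, OLD_ROOT]), issuer, NOW))
```

The name-keyed lookup fails whenever the expired root happens to be loaded after the valid one, which matches the symptom of verification depending on which "GlobalSign Root CA" entry won; keying by subject key identifier or fingerprint keeps both and lets the verifier pick the one that is still valid.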