r-project.org SSL certificate issues
On Sat, May 30, 2020 at 11:40 PM Duncan Murdoch <murdoch.duncan at gmail.com> wrote:
On 30/05/2020 5:23 p.m., Bob Rudis wrote:
I've updated the dashboard (https://rud.is/r-project-cert-status/) script and my notifier script to account for the entire chain in each cert.
You never posted which certificate has expired. Your dashboard shows they're all valid, but the download still fails, presumably because something not shown has expired.
To see the problem in R:
certs <- openssl::download_ssl_cert('cran.r-project.org')
as.list(certs[[3]])
Shows the root cert expires today.
Hopefully someone who can actually act on this can figure out what needs doing.
The apache server will have a config entry SSLCertificateFile which points to a cert bundle (in nginx servers this is called "ssl_certificate"). If you open this in a text editor it contains the 3 certs, in PEM format, so 3 entries like this:

-----BEGIN CERTIFICATE-----
[base64 cert]
-----END CERTIFICATE-----

What you need to do is replace the final certificate with this one (just copy-paste the base64 cert): https://crt.sh/?d=1720081 . Then restart the server. See here for details: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 .

This site talks about "For business processes that depend on very old systems...." but the reality is that this affects everything that uses openssl for https, including curl, svn, etc.
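
Added example, not part of the original thread: the bundle edit described in the message above, done in Python so that the first two certificates are carried over byte for byte and only the final entry is swapped. The function names, the expected_count parameter and the stand-in certificates are assumptions made for illustration; the stand-ins are constructed placeholders, not real certificates.

```python
import base64
import re

# Matches one PEM certificate block; the body is base64 with arbitrary line breaks.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    ders = []
    for body in PEM_CERT.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate is a DER SEQUENCE, so it must start with 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        ders.append(der)
    return ders


def to_pem(der):
    """Encode DER bytes as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


def replace_final_cert(bundle_text, new_cert_pem, expected_count=3):
    """Swap the last certificate of the bundle for the one in new_cert_pem."""
    chain = split_bundle(bundle_text)
    new = split_bundle(new_cert_pem)
    if len(chain) != expected_count:
        raise ValueError(f"expected {expected_count} certificates, found {len(chain)}")
    if len(new) != 1:
        raise ValueError("replacement must contain exactly one certificate")
    # Leaf and intermediate keep their position; only the final entry changes.
    return "".join(to_pem(d) for d in chain[:-1] + new)


def fake_cert(tag):
    """Constructed stand-in: a DER SEQUENCE wrapping a label, not a real certificate."""
    payload = tag.encode()
    return to_pem(b"\x30" + bytes([len(payload)]) + payload)


if __name__ == "__main__":
    old = fake_cert("leaf") + fake_cert("intermediate") + fake_cert("expired-last")
    print(replace_final_cert(old, fake_cert("replacement-last")))
```

Writing the result back to the file named by SSLCertificateFile and restarting the server remain manual steps, as in the message.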