GNOME OS: ostree repo TLS certificate error
Summary
The OSTree repo used by GNOME OS seems to have invalid TLS certificates.
Steps to reproduce
$ sudo ostree admin upgrade -v
OT: Deployment e32285fb35aca2f12dfb71b1624fdb1009e1247d957f70f341bce72db4efc45e.0 unlocked=0
OT: Deployment 91c8004453aa4658b387ae46046f7d11bcd165f5da073ee81358fd0ec891a8a7.0 unlocked=0
OT: _ostree_fetcher_should_retry_request: error: 399:2 Unacceptable TLS certificate, n_retries_remaining: 5
What is the current bug behavior?
ostree can't upgrade the system due to a TLS error.
What is the expected correct behavior?
ostree should successfully connect to the repo to retrieve upgrades.
Relevant logs and/or screenshots
$ gnutls-cli ostree.gnome.org
Processed 160 CA certificate(s).
Resolving 'ostree.gnome.org:443'...
Connecting to '212.102.56.142:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=1029332277.rsc.cdn77.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04be4561721b0a1897c2327b2effd3b4908d, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2022-08-19 18:45:29 UTC', expires `2022-11-17 18:45:28 UTC', pin-sha256="xzi7OFkGh/iguyr0KUnwft8VX+VjzxjGMfgRv+2nW/I="
Public Key ID:
sha1:f00170d9073a035ae5788d11349167a36a76ab68
sha256:c738bb38590687f8a0bb2af42949f07edf155fe563cf18c631f811bfeda75bf2
Public Key PIN:
pin-sha256:xzi7OFkGh/iguyr0KUnwft8VX+VjzxjGMfgRv+2nW/I=
- Certificate[1] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
|<1>| There is a newer OCSP response but was not provided by the server
- Status: The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
/cc @averi @barthalion