SSL issue on www.lightbend.com affecting the Dotty CLA check
smarter opened this issue · 8 comments
(Reporting here as requested by @SethTisue)
The CLA check is failing in https://github.com/lampepfl/dotty/actions/runs/6442154587/job/17493043000?pr=18663 for example.
Running curl locally I see:
% curl https://www.lightbend.com/contribute/cla/scala/check/johnduffell
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.According to https://www.ssllabs.com/ssltest/analyze.html?d=www.lightbend.com :
This server's certificate chain is incomplete.
This can also be checked with openssl:
% openssl s_client -connect www.lightbend.com:443
...
Verification error: unable to verify the first certificate
...I strongly suspect that the problem is that the Sectigo Intermediate certificate is not delivered by the server (server chain reply see here: scala-js/scala-js#4909 (comment)). When looking at how Chrome validates the full chain, the top level certificate is valid. Probably Chrome just has the intermediate in its own store.
I've asked Lightbend IT to take a look.
Hi @smarter - could you please try again. We had some hiccups in our servers and I believe this may have been related to that. Otherwise we can dig a bit deeper as I cannot reproduce it currently.
Hi. Thanks for looking into it. It appears to still be broken at least in this job, which I just reran:
https://github.com/scala-js/scala-js/actions/runs/6446814222/job/17517368491
Yes, thanks - I realized now that the CA chain is messed up. We are looking into that and will update once this is resolved.
OK, please try now
Thank you. It's working now. ✔️
Working in dotty too!