sgerrand/alpine-pkg-glibc

SSL certificate from https://sgerrand.com/ has expired.

Closed this issue · 11 comments

The SSL certificate for sgerrand.com expired four days ago, which resulted in issues when checking alpine-pkgs.sgerrand.com due to the redirect.

Confirmed, faced the same issue.

@sgerrand could you please help us?

Thank you for raising this issue. Due to some strange configuration on my end, I hadn't received any notifications until this morning so sorry for a lack of action until now. It looks like the process I've been using to issue new SSL certificates for this internet domain and some others had been silently failing for a while. I'm working to fix this now. Once that's complete I'll also add additional monitoring to ensure awareness should it occur again.

This should be resolved now – apologies again for any and all inconvenience this may have caused you.

$ openssl s_client -connect alpine-pkgs.sgerrand.com:443 
CONNECTED(00000006)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X2
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E1
verify return:1
depth=0 CN = alpine-pkgs.sgerrand.com
verify return:1
---
Certificate chain
 0 s:CN = alpine-pkgs.sgerrand.com
   i:C = US, O = Let's Encrypt, CN = E1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: May 11 03:41:21 2023 GMT; NotAfter: Aug  9 03:41:20 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = E1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X2
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = alpine-pkgs.sgerrand.com
issuer=C = US, O = Let's Encrypt, CN = E1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4516 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Apologies, I posted the SSL certificate details for alpine-pkgs.sgerrand.com instead of sgerrand.com. The following is for the latter.

$ openssl s_client -connect sgerrand.com:443       
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = sgerrand.com
verify return:1
---
Certificate chain
 0 s:CN = sgerrand.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  5 02:55:08 2023 GMT; NotAfter: Aug  3 02:55:07 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = sgerrand.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4587 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
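An added example (not from this issue or the alpine-pkg-glibc project) of the expiry monitoring the maintainer mentions: `check_chain` parses the `v:NotBefore ...; NotAfter ...` lines of `openssl s_client` output like the two pasted above and reports the soonest expiry anywhere in the chain, and `live_check` does the same against a live host with Python's `ssl` module. `SAMPLE` is constructed from the sgerrand.com chain above, and `warn_days` is an assumed alert threshold.

```python
import re
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Matches the "v:NotBefore ...; NotAfter ..." line openssl s_client prints per chain element.
_VALIDITY = re.compile(r"^\s*v:NotBefore: (?P<nb>.+?) GMT; NotAfter: (?P<na>.+?) GMT\s*$", re.M)

# Constructed sample: the three validity lines of the sgerrand.com chain pasted in this thread.
SAMPLE = """\
   v:NotBefore: May  5 02:55:08 2023 GMT; NotAfter: Aug  3 02:55:07 2023 GMT
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
"""

def _parse_gmt(text):
    """'Aug  3 02:55:07 2023' -> aware UTC datetime (openssl pads the day with spaces)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_validity(s_client_output):
    """Return [(not_before, not_after), ...] for every chain element in the output."""
    return [(_parse_gmt(m["nb"]), _parse_gmt(m["na"])) for m in _VALIDITY.finditer(s_client_output)]

def days_left(not_after, now):
    """Whole days until expiry, rounded down; negative once the certificate has expired."""
    return (not_after - now) // timedelta(days=1)

def check_chain(s_client_output, now_iso=None, warn_days=14):
    """(soonest_days_left, alert) across the whole chain, evaluated at now_iso (ISO 8601, UTC).
    The leaf is usually first to expire, but an intermediate or a cross-sign such as the
    DST Root CA X3 cross-sign in the chain above can be the one that bites."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    spans = parse_validity(s_client_output)
    if not spans:
        raise ValueError("no validity lines found in openssl output")
    soonest = min(days_left(na, now) for _, na in spans)
    return soonest, soonest < warn_days

def live_check(host, port=443, warn_days=14, timeout=5.0):
    """Connect with full verification (as openssl s_client did above) and evaluate the leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]  # e.g. 'Aug  3 02:55:07 2023 GMT'
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    left = days_left(expiry, datetime.now(timezone.utc))
    return left, left < warn_days
```

Run `check_chain` from a scheduled job against saved `openssl s_client` output, or `live_check("sgerrand.com")` directly; a renewal that silently stops working then shows up as a falling day count well before the expiry date.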

@sgerrand thanks for such a quick response! Could you please advise on how to resolve an issue like: ERROR: glibc-2.31-r0.apk: UNTRUSTED signature. Is it required to re-create the signature of the APK? My public key is from https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub

That should be the correct public key to use for verification. I'll check it myself to confirm this error shortly.


It happened ~ 1 week ago. So I suspect this issue is connected somehow. Thanks a lot in advance!

Can you explain how you're using the public key for this package as part of your installation? I can't reproduce your error using the following Dockerfile:

FROM alpine:3.17.2

RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
RUN wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.31-r0/glibc-2.31-r0.apk
RUN wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.31-r0/glibc-bin-2.31-r0.apk
RUN apk --no-cache --force-overwrite add glibc-2.31-r0.apk glibc-bin-2.31-r0.apk

$ docker build . --file Dockerfile-issue-201 --no-cache --progress plain --pull
#1 [internal] load .dockerignore
#1 transferring context: 2B done
#1 DONE 0.0s

#2 [internal] load build definition from Dockerfile-issue-201
#2 transferring dockerfile: 446B done
#2 DONE 0.0s

#3 [internal] load metadata for docker.io/library/alpine:3.17.2
#3 DONE 0.5s

#4 [1/5] FROM docker.io/library/alpine:3.17.2@sha256:ff6bdca1701f3a8a67e328815ff2346b0e4067d32ec36b7992c1fdc001dc8517
#4 resolve docker.io/library/alpine:3.17.2@sha256:ff6bdca1701f3a8a67e328815ff2346b0e4067d32ec36b7992c1fdc001dc8517 0.0s done
#4 CACHED

#5 [2/5] RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
#5 DONE 0.4s

#6 [3/5] RUN wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.31-r0/glibc-2.31-r0.apk
#0 0.126 Connecting to github.com (140.82.121.4:443)
#6 0.813 Connecting to objects.githubusercontent.com (185.199.109.133:443)
#6 1.280 saving to 'glibc-2.31-r0.apk'
#6 1.464 glibc-2.31-r0.apk      1% |                                | 85696  0:00:50 ETA
#6 2.509 glibc-2.31-r0.apk     18% |*****                           |  782k  0:00:09 ETA
#6 3.378 glibc-2.31-r0.apk     93% |*****************************   | 4007k  0:00:00 ETA
#6 3.409 glibc-2.31-r0.apk    100% |********************************| 4308k  0:00:00 ETA
#6 3.409 'glibc-2.31-r0.apk' saved
#6 DONE 3.4s

#7 [4/5] RUN wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.31-r0/glibc-bin-2.31-r0.apk
#7 0.218 Connecting to github.com (140.82.121.4:443)
#7 0.336 Connecting to objects.githubusercontent.com (185.199.109.133:443)
#7 0.479 saving to 'glibc-bin-2.31-r0.apk'
#7 0.566 glibc-bin-2.31-r0.ap 100% |********************************|  983k  0:00:00 ETA
#7 0.566 'glibc-bin-2.31-r0.apk' saved
#7 DONE 0.6s

#8 [5/5] RUN apk --no-cache --force-overwrite add glibc-2.31-r0.apk glibc-bin-2.31-r0.apk
#8 0.294 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/aarch64/APKINDEX.tar.gz
#8 0.452 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/aarch64/APKINDEX.tar.gz
#8 0.689 (1/3) Installing glibc (2.31-r0)
#8 0.690 WARNING: glibc-2.31-r0: overwriting etc/nsswitch.conf owned by alpine-baselayout-data-3.4.0-r0.
#8 0.732 (2/3) Installing libgcc (12.2.1_git20220924-r4)
#8 0.748 (3/3) Installing glibc-bin (2.31-r0)
#8 0.760 Executing glibc-bin-2.31-r0.trigger
#8 0.776 /usr/glibc-compat/sbin/ldconfig: /usr/glibc-compat/lib/ld-linux-x86-64.so.2 is not a symbolic link
#8 0.776 
#8 0.777 /usr/glibc-compat/sbin/ldconfig: /usr/lib/libcrypto.so.3 is for unknown machine 183.
#8 0.777 
#8 0.777 /usr/glibc-compat/sbin/ldconfig: /usr/lib/libssl.so.3 is for unknown machine 183.
#8 0.777 
#8 0.777 /usr/glibc-compat/sbin/ldconfig: /usr/lib/libgcc_s.so.1 is for unknown machine 183.
#8 0.777 
#8 0.778 /usr/glibc-compat/sbin/ldconfig: /lib/libcrypto.so.3 is for unknown machine 183.
#8 0.778 
#8 0.778 /usr/glibc-compat/sbin/ldconfig: /lib/libz.so.1.2.13 is for unknown machine 183.
#8 0.778 
#8 0.778 /usr/glibc-compat/sbin/ldconfig: /lib/ld-musl-aarch64.so.1 is for unknown machine 183.
#8 0.778 
#8 0.778 /usr/glibc-compat/sbin/ldconfig: /lib/libssl.so.3 is for unknown machine 183.
#8 0.778 
#8 0.778 /usr/glibc-compat/sbin/ldconfig: /lib/libc.musl-aarch64.so.1 is for unknown machine 183.
#8 0.778 
#8 0.778 /usr/glibc-compat/sbin/ldconfig: /lib/libapk.so.3.12.0 is for unknown machine 183.
#8 0.778 
#8 0.778 /usr/glibc-compat/sbin/ldconfig: /lib/libz.so.1 is for unknown machine 183.
#8 0.778 
#8 0.783 OK: 19 MiB in 18 packages
#8 DONE 0.8s

#9 exporting to image
#9 exporting layers
#9 exporting layers 0.4s done
#9 exporting manifest sha256:08b2d2a4c525d71226cf9b1063139b4658855329be828afa77de4dbd831fcc47 done
#9 exporting config sha256:4c633de6aeeda62a1e2907975f9cee4da03c3adb3dd695bf1ea5355b35da6f9c done
#9 exporting attestation manifest sha256:910153eff83df0b966dc378e8279e3822d19d4ea6a1fe9dacd0efe8a65d8ea57 0.0s done
#9 exporting manifest list sha256:70392b6aafb90cc328187d5adb29629acec3cb8973cadccd088083cf291a7f02 done
#9 naming to moby-dangling@sha256:70392b6aafb90cc328187d5adb29629acec3cb8973cadccd088083cf291a7f02 done
#9 unpacking to moby-dangling@sha256:70392b6aafb90cc328187d5adb29629acec3cb8973cadccd088083cf291a7f02
#9 unpacking to moby-dangling@sha256:70392b6aafb90cc328187d5adb29629acec3cb8973cadccd088083cf291a7f02 0.1s done
#9 DONE 0.5s

@sgerrand The UNTRUSTED signature error was resolved when the Alpine OS version was updated (VERSION_ID 3.7.1 -> 3.13.7). Thanks for your support!

You're very welcome.