Snap Store Server

  1. Bug #2040282
  2. Activity log

Activity log for bug #2040282

Date Who What changed Old value New value Message
2023-10-24 14:13:57 John A Meinel bug added bug
2023-10-24 14:15:38 John A Meinel description We were getting a failure with some clients not liking the connection to api.charmhub.io, and trying to look at the certs seems to say it has a "Not After Aug 21 2024". I would guess this affects both snapcraft and charmhub. I'm not sure why we aren't seeing failures more often, since it does seem pretty serious. $ openssl s_client -showcerts api.charmhub.io:443 CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1 verify return:1 depth=0 C = GB, L = London, O = CANONICAL GROUP LIMITED, CN = api.snapcraft.io verify return:1 --- Certificate chain 0 s:C = GB, L = London, O = CANONICAL GROUP LIMITED, CN = api.snapcraft.io i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Aug 22 00:00:00 2023 GMT; NotAfter: Aug 21 23:59:59 2024 GMT -----BEGIN CERTIFICATE----- We were getting a failure with some clients not liking the connection to api.charmhub.io, and trying to look at the certs seems to say it has a "Not After Aug 21 2024". I would guess this affects both snapcraft and charmhub. I'm not sure why we aren't seeing failures more often, since it does seem pretty serious. $ openssl s_client -showcerts api.charmhub.io:443 CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1 verify return:1 depth=0 C = GB, L = London, O = CANONICAL GROUP LIMITED, CN = api.snapcraft.io verify return:1 --- Certificate chain  0 s:C = GB, L = London, O = CANONICAL GROUP LIMITED, CN = api.snapcraft.io    i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256    v:NotBefore: Aug 22 00:00:00 2023 GMT; NotAfter: Aug 21 23:59:59 2024 GMT -----BEGIN CERTIFICATE----- It may be that this is handled by the second certificate, which doesn't expire before 2031 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1 i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Apr 14 00:00:00 2021 GMT; NotAfter: Apr 13 23:59:59 2031 GMT -----BEGIN CERTIFICATE----- However, they are still running into failures to connect with an error that says there are no valid names.
2023-10-24 15:25:25 Przemysław Suliga bug added subscriber Przemysław Suliga