Comments (9)

Grinnz avatar Grinnz commented on August 15, 2024

Perhaps your openssl is the old version which doesn't like the letsencrypt workaround for the expired root cert. There isn't much PAUSE can do except remove that workaround which will instead break different old clients that don't trust the new root cert.

from pause.

Grinnz avatar Grinnz commented on August 15, 2024

See https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ for details of the problem with openssl 1.0.2.

dankogai avatar dankogai commented on August 15, 2024

I do not think so. It runs on FreeBSD 12.2 with OpenSSL 1.1.x in base.

https://wiki.freebsd.org/OpenSSL

What is the Mozilla::CA version used by PAUSE (to fetch URL)? I duplicated the problem with 20200520 of MacPorts. When I use plenv with the latest 20211001 lwp-request worked all right.

```
dankogai@dan-imac151 Mozilla-CA-20211001 % /usr/bin/lwp-request -S -mHEAD https://letsencrypt.org
HEAD https://letsencrypt.org
500 Can't verify SSL peers without knowing which Certificate Authorities to trust
Content-Type: text/plain
Client-Date: Wed, 06 Oct 2021 04:42:05 GMT
Client-Warning: Internal response
dankogai@dan-imac151 Mozilla-CA-20211001 % /usr/bin/perl -Mblib /usr/bin/lwp-request -S -mHEAD https://letsencrypt.org
HEAD https://letsencrypt.org
200 OK
Cache-Control: public, max-age=0, must-revalidate
Date: Tue, 05 Oct 2021 21:21:35 GMT
Age: 26437
ETag: "d4df183f7758fd506fa0773d5b95b42a-ssl"
Server: Netlify
Content-Length: 32087
Content-Type: text/html; charset=UTF-8
Client-Date: Wed, 06 Oct 2021 04:42:12 GMT
Client-Peer: 104.248.158.121:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=R3
Client-SSL-Cert-Subject: /CN=lencr.org
Client-SSL-Cipher: ECDHE-ECDSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Content-Security-Policy: default-src 'none'; font-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' data: https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://donorbox.org https://js.stripe.com/v3/ https://sdks.shopifycdn.com ; img-src 'self' data: blob: https://www.google-analytics.com https://www.paypal.com https://www.paypalobjects.com https://ak2s.abmr.net https://ak1s.abmr.net https://www.google.com https://cdn.shopify.com https://v.shopify.com ; frame-src https://donorbox.org https://www.youtube.com https://www.youtube-nocookie.com https://bid.g.doubleclick.net https://js.stripe.com/v3/ https://js.stripe.com/v2/ ; connect-src 'self' https://d4twhgtvn0ff5.cloudfront.net/ https://letsencrypt-merch.myshopify.com https://monorail-edge.shopifysvc.com ;
Permissions-Policy: geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(self), vibrate=(), fullscreen=(self), interest-cohort=()
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Nf-Request-Id: 01FH9YHDMHGEF8CS0VHZ23YXJA
X-Xss-Protection: 1; mode=block
```

Almost all other web clients work fine. fetch of FreeBSD 12.2, wget of Ubuntu 20.04 LTS, curl of macOS Big Sur… They all work fine.

Grinnz avatar Grinnz commented on August 15, 2024

Oh I did not understand correctly your problem description. This is regarding the "fetch a file from an URL" option for PAUSE to download a tarball from another source. So it is the certificate of the domain you enter, and the openssl version on the PAUSE server (as it is acting as the HTTP client here), which cause the issue.

Grinnz avatar Grinnz commented on August 15, 2024

To be clearer this is not related to uploading releases to PAUSE either through the web interface or cpan-upload, it is specifically the download feature of the web interface.

dankogai avatar dankogai commented on August 15, 2024

That is right. And I suspected it is related to Let's Encrypt because I had no problem with https till this month. And as I said, other web clients had no problem with https://www.dan.co.jp .

andk avatar andk commented on August 15, 2024

I tried a few potential solutions this morning but had no luck. PAUSE was and is not explicitly using Mozilla::CA. I tried a solution with current Mozilla::CA this morning but it did not work. I removed that code again but left current Mozilla::CA (20211001) installed.

rra avatar rra commented on August 15, 2024

This just bit me as well for the upload of App-DocKnot-6.00.tar.gz. Whatever CA database the current running PAUSE is using is out of date. Could it be using the system CA list, which perhaps has not been updated? There may be an OS update, or if you know where that certificate store is, you could import the ISRG Root X1 from https://letsencrypt.org/certificates/.

I may be able to help with more information about the OS on which PAUSE is running. Feel free to reach out to me privately ([email protected]) if I can help.

from pause.
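The two suspicions raised in this thread, a trust store that lacks ISRG Root X1 or one that still carries an expired root, can be checked directly against the PEM bundle an HTTPS client loads. The script below is an added example, not part of the thread or of PAUSE's code; it assumes the `openssl` CLI is installed, and the function names and the "Constructed Root" sample certificates are made up for illustration.

```shell
#!/bin/sh
# Added example (function names are hypothetical); requires the openssl CLI.

# Split PEM bundle $1 into one file per certificate under directory $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# audit_bundle BUNDLE WANTED_CN [HORIZON_SECONDS]
# Prints "<OK|EXPIRING> <subject> (<notAfter>)" for every certificate.
# Succeeds only if a certificate whose subject contains WANTED_CN is present
# and still valid HORIZON_SECONDS from now (default 0: valid right now).
audit_bundle() (
  tmp=$(mktemp -d) || exit 2
  found=1
  split_bundle "$1" "$tmp"
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || continue
    subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
    end=$(openssl x509 -in "$f" -noout -enddate)
    if openssl x509 -in "$f" -noout -checkend "${3:-0}" >/dev/null; then
      state=OK
    else
      state=EXPIRING
    fi
    echo "$state ${subject#subject=} (${end#notAfter=})"
    case "$subject" in
      *"$2"*) [ "$state" = OK ] && found=0 ;;
    esac
  done
  rm -rf "$tmp"
  exit "$found"
)

# Constructed sample input: writes two throwaway self-signed certificates,
# each valid for one day, into bundle file $1.
make_sample_bundle() (
  key=$(mktemp) || exit 2
  : > "$1"
  for cn in "Constructed Root A" "Constructed Root B"; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -days 1 \
      -subj "/CN=$cn" 2>/dev/null >> "$1" || exit 2
  done
  rm -f "$key"
)
```

For a Perl client that uses Mozilla::CA, the bundle path comes from `perl -MMozilla::CA -e 'print Mozilla::CA::SSL_ca_file()'`; pass it as the first argument with `"ISRG Root X1"` as the second, and any line starting with `EXPIRING` at the default horizon is a certificate that has already expired.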
