Certificate chain issue for cvmfs repo

https://ecsft.cern.ch/dist/ seems to be serving an incomplete certificate chain since the certs were renewed on Jan 20th. The site can still be accessed by web browsers (which fill in the missing certs), but this means the cern repos don’t work for client installs, e.g. via a package manager.

openssl s_client -connect ecsft.cern.ch:443 -showcerts -servername ecsft.cern.ch < /dev/null shows:

0 s:C=CH, ST=Genève, O=CERN Organisation Européenne pour la Recherche Nucléaire, CN=cernvm.cern.ch
i:C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA OV R36

1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

skipping the intermediary Sectigo CA part of the chain.

Right, apologies for that. I think that’s now fixed, can you retry?

Also note that for package installs I’d recommend to use the cvmrepo.s3.cern.ch URL, see my comment on TLS certificate issue on https://ecsft.cern.ch - #2 by vavolkl

Thanks for the quick response! Seems to be working now. FYI server is still providing the unused intermediary cert, but it doesn’t have any functional impact on the chain verification:

1: CN=Sectigo RSA Organization Validation Secure Server CA, issuer CN=USERTrust RSA Certification Authority

I’ll see if I can update our system to use the s3 url, thanks for the heads up!
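
The chain check discussed in this thread, as an added example (not part of any post and not CernVM code): it parses the `s:`/`i:` lines of `openssl s_client -showcerts` output, walks issuer links up from the leaf, and reports the first issuer the server did not send plus any certificates sent that are not on that path. Matching by DN string is an assumption made for illustration; real path validation also checks signatures and key identifiers.

```python
import re

# " 0 s:<subject DN>" and "   i:<issuer DN>" lines from `openssl s_client -showcerts`
SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER = re.compile(r"^\s*i:(.*)$")

# Sample input: the two certificates quoted in the first post of this thread.
BROKEN = """\
 0 s:C=CH, ST=Genève, O=CERN Organisation Européenne pour la Recherche Nucléaire, CN=cernvm.cern.ch
   i:C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA OV R36
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        if (m := SUBJECT.match(line)):
            subject = m.group(1).strip()
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def audit_chain(chain):
    """Follow issuer -> subject links starting at the leaf (first certificate).

    Returns (first_unsent_issuer, unused_subjects). first_unsent_issuer is the
    issuer DN the server did not supply (None if the walk ended at a self-signed
    certificate); a client without AIA fetching needs that DN in its trust store.
    unused_subjects are certificates sent that are not on the leaf's path.
    """
    if not chain:
        raise ValueError("no certificates found in input")
    issuer_of = dict(chain)
    subject, issuer = chain[0]
    used = {subject}
    while issuer != subject and issuer in issuer_of and issuer not in used:
        subject, issuer = issuer, issuer_of[issuer]
        used.add(subject)
    first_unsent = None if issuer == subject else issuer
    return first_unsent, [s for s, _ in chain if s not in used]

if __name__ == "__main__":
    unsent, unused = audit_chain(parse_chain(BROKEN))
    print("issuer not sent by server:", unsent)
    print("sent but not on leaf path:", unused)
```

A leaf whose issuer is unsent while another certificate sits unused in the response is the misconfiguration reported in the first post; an unused certificate alongside an otherwise linked path is the harmless leftover noted in the last one.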