TLS certificate issue on https://ecsft.cern.ch

Hello,

We have discovered an issue with the TLS configuration for https://ecsft.cern.ch. In some environments, TLS validation fails:

curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)

I believe the server is sending the wrong intermediary certificate:

s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
a:PKEY: RSA, 2048 (bit); sigalg: sha384WithRSAEncryption
v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT

Instead, it should be using the OV TLS Intermediate (After May 15, 2025) from Sectigo: https://crt.sh/?d=4267304698
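A way to spot this kind of mismatch from a chain listing in the `s:`/`i:` format quoted above (as printed by `openssl s_client -showcerts`), given as an added example that is not part of the original posts. All certificate names in the sample are constructed placeholders, and comparing names as text is only a heuristic for finding the break: real validation checks signatures.

```python
import re

# "s:" lines may carry a leading depth index (" 0 s:...") or not, as in the post above.
SUBJECT_RE = re.compile(r"^\s*(?:\d+\s+)?s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

# Constructed sample: the leaf was issued by "R2" but the server sends "R1".
SAMPLE_BROKEN = """\
Certificate chain
 0 s:C=CH, O=Example Org, CN=server.example.org
   i:C=GB, O=Example CA Ltd, CN=Example OV CA R2
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
 1 s:C=GB, O=Example CA Ltd, CN=Example OV CA R1
   i:C=US, O=Example Root Network, CN=Example Root CA
   a:PKEY: RSA, 2048 (bit); sigalg: sha384WithRSAEncryption
"""


def parse_chain(text):
    """Return [(position, subject, issuer), ...] in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            chain.append([len(chain), m.group(1).strip(), None])
            continue
        m = ISSUER_RE.match(line)
        if m and chain and chain[-1][2] is None:
            chain[-1][2] = m.group(1).strip()
    return [tuple(entry) for entry in chain]


def find_breaks(chain):
    """List (position, issuer_wanted, subject_sent) where a certificate's issuer
    is not the subject of the next certificate the server sent."""
    breaks = []
    for (pos, _subj, issuer), (_p, next_subject, _i) in zip(chain, chain[1:]):
        if issuer != next_subject:
            breaks.append((pos, issuer, next_subject))
    return breaks


if __name__ == "__main__":
    for pos, wanted, sent in find_breaks(parse_chain(SAMPLE_BROKEN)):
        print(f"chain breaks after certificate {pos}:")
        print(f"  issuer wanted: {wanted}")
        print(f"  subject sent:  {sent}")
```

A break at position 0 means the client cannot build a path from the leaf unless it already holds the right intermediate, which is why the failure shows up only in some environments.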

Hello Pierre, thanks for bringing this up and for investigating the right certificate! I think this time I got the right CA chain, could you check again?

Also note that all packages are also available on cvmrepo.web.cern.ch (browseable mirror on eos) and cvmrepo.s3.cern.ch (direct link to s3). I recommend using

yum install -y https://cvmrepo.s3.cern.ch/cvmrepo/yum/cvmfs-release-latest.noarch.rpm

or

wget https://cvmrepo.s3.cern.ch/cvmrepo/apt/cvmfs-release-latest_all.deb
sudo dpkg -i cvmfs-release-latest_all.deb

in production.

Cheers,
Valentin

Many thanks for the quick fix!

I have also forwarded your advice to my colleagues managing this code.