[Rd] r-project.org SSL certificate issues

Bob Rudis bob @end|ng |rom rud@|@
Sat May 30 23:24:48 CEST 2020 

The browsers still shouldn't trust it. The CA cert is expired.

On Sat, May 30, 2020 at 5:23 PM Bob Rudis <bob using rud.is> wrote:
>
> I've updated the dashboard (https://rud.is/r-project-cert-status/)
> script and my notifier script to account for the entire chain in each
> cert.
>
> On Sat, May 30, 2020 at 5:16 PM Bob Rudis <bob using rud.is> wrote:
> >
> > # A tibble: 13 x 1
> >    site
> >    <chr>
> >  1 beta.r-project.org
> >  2 bugs.r-project.org
> >  3 cran-archive.r-project.org
> >  4 cran.r-project.org
> >  5 developer.r-project.org
> >  6 ess.r-project.org
> >  7 ftp.cran.r-project.org
> >  8 journal.r-project.org
> >  9 r-project.org
> > 10 svn.r-project.org
> > 11 user2011.r-project.org
> > 12 www.cran.r-project.org
> > 13 www.r-project.org
> >
> > is the whole list b/c of the wildcard cert.
> >
> > On Sat, May 30, 2020 at 5:07 PM Bob Rudis <bob using rud.is> wrote:
> > >
> > > It's the top of chain CA cert, so browsers are being lazy and helpful
> > > to humans by (incorrectly, albeit) relying on the existing trust
> > > relationship.
> > >
> > > libcurl (et al) is not nearly as forgiving.
> > >
> > > On Sat, May 30, 2020 at 5:01 PM peter dalgaard <pdalgd using gmail.com> wrote:
> > > >
> > > > Odd. Safari has no problem and says certificate expires August 16 2020, but I also see the download.file issue with 4.0.1 beta:
> > > >
> > > > > download.file("https://www.r-project.org", tempfile())
> > > > trying URL 'https://www.r-project.org'
> > > > Error in download.file("https://www.r-project.org", tempfile()) :
> > > >   cannot open URL 'https://www.r-project.org'
> > > > In addition: Warning message:
> > > > In download.file("https://www.r-project.org", tempfile()) :
> > > >   URL 'https://www.r-project.org/': status was 'Peer certificate cannot be authenticated with given CA certificates'
> > > >
> > > > (note slightly different error message).
> > > >
> > > > svn is also affected:
> > > >
> > > > Peters-MacBook-Air:R pd$ svn up
> > > > Updating '.':
> > > > Error validating server certificate for 'https://svn.r-project.org:443':
> > > >  - The certificate has expired.
> > > > Certificate information:
> > > >  - Hostname: *.r-project.org
> > > >  - Valid: from Aug 16 00:00:00 2018 GMT until Aug 15 23:59:59 2020 GMT
> > > >  - Issuer: COMODO RSA Domain Validation Secure Server CA, COMODO CA Limited, Salford, Greater Manchester, GB
> > > >  - Fingerprint: 93:B8:AF:9F:0A:67:2F:3A:C9:BA:FF:86:BB:2C:08:47:02:7F:1D:8D
> > > > (R)eject, accept (t)emporarily or accept (p)ermanently? t
> > > > U    src/library/grid/R/grob.R
> > > > ....
> > > >
> > > > ssltest shows two certificates of which only one is expired?
> > > >
> > > > -pd
> > > >
> > > >
> > > >
> > > > > On 30 May 2020, at 22:17 , Gábor Csárdi <csardi.gabor using gmail.com> wrote:
> > > > >
> > > > > On macOS 10.15.5 and R-devel:
> > > > >
> > > > >> download.file("https://www.r-project.org", tempfile())
> > > > > trying URL 'https://www.r-project.org'
> > > > > Error in download.file("https://www.r-project.org", tempfile()) :
> > > > >  cannot open URL 'https://www.r-project.org'
> > > > > In addition: Warning message:
> > > > > In download.file("https://www.r-project.org", tempfile()) :
> > > > >  URL 'https://www.r-project.org': status was 'SSL peer certificate or
> > > > > SSH remote key was not OK'
> > > > >
> > > > > https://www.ssllabs.com/ssltest says:
> > > > >
> > > > > COMODO RSA Certification Authority
> > > > > Fingerprint SHA256:
> > > > > 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
> > > > > Pin SHA256: grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=
> > > > > Valid untilSat, 30 May 2020 10:48:38 UTC (expired 8 hours and 51
> > > > > minutes ago)   EXPIRED
> > > > >
> > > > > AFAICT this is the reason:
> > > > > https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020
> > > > >
> > > > > FYI,
> > > > > Gabor
> > > > >
> > > > > ______________________________________________
> > > > > R-devel using r-project.org mailing list
> > > > > https://stat.ethz.ch/mailman/listinfo/r-devel
> > > >
> > > > --
> > > > Peter Dalgaard, Professor,
> > > > Center for Statistics, Copenhagen Business School
> > > > Solbjerg Plads 3, 2000 Frederiksberg, Denmark
> > > > Phone: (+45)38153501
> > > > Office: A 4.23
> > > > Email: pd.mes using cbs.dk  Priv: PDalgd using gmail.com
> > > >
> > > > ______________________________________________
> > > > R-devel using r-project.org mailing list
> > > > https://stat.ethz.ch/mailman/listinfo/r-devel

More information about the R-devel mailing list