Description of problem:[[BR]] Can't verify certificate for "keys.fedoraproject.org".
Version-Release number of selected component (if applicable):[[BR]] ca-certificates-2013.1.94-1.fc19.noarch
How reproducible:[[BR]] Always.
Steps to Reproduce:[[BR]] Use wget or curl to download https://keys.fedoraproject.org/.
Actual results:[[BR]] {{{
--2013-09-12 18:34:15-- https://keys.fedoraproject.org/
Resolving keys.fedoraproject.org (keys.fedoraproject.org)... 80.239.156.219
Connecting to keys.fedoraproject.org (keys.fedoraproject.org)|80.239.156.219|:443... connected.
ERROR: cannot verify keys.fedoraproject.org's certificate, issued by '/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA':
  Unable to locally verify the issuer's authority.
To connect to keys.fedoraproject.org insecurely, use `--no-check-certificate'.
}}}
Expected results:[[BR]] Successful verification of certificate for "keys.fedoraproject.org".
Additional info:[[BR]] https://bugzilla.redhat.com/show_bug.cgi?id=1007473
Fixed.
Sorry for the trouble.
Thanks, kevin.
Looks like this issue also concerns gpg: {{{
gpg: requesting key FB4B18E6 from hkps server keys.fedoraproject.org
gpgkeys: HTTP fetch error 60: Peer's Certificate issuer is not recognized.
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
}}}
gpgkeys: HTTP fetch error 60: Peer's Certificate issuer is not recognized.
I suppose the gpg problem is related to the initial issue and the solution is incomplete, so I've decided to reopen the bug.
No, the original issue has been resolved (keys.fedoraproject.org now sends its complete certificate chain). If you could provide reproduction information (I can't find a package containing the program gpgkeys), please provide this, as openssl deems the certificates correct now.
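The failure in this ticket and the fix described above (the server sending its complete chain), reproduced offline as an added example that is not part of the ticket. It assumes the `openssl` CLI is installed; the demo PKI and the helper names `make_demo_pki` and `verify_chain` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed demo PKI (all names made up): root CA -> intermediate CA -> leaf.
make_demo_pki() {
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  # Root CA: self-signed; the only certificate in the client's trust store.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -subj '/CN=Demo Root CA' -out "$d/root.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA: signed by the root, but not in the client's trust store.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" \
    -subj '/CN=Demo SSL CA' -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate: signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
    -subj '/CN=keys.example.test' -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Prints "ok" if <leaf> chains to the trusted <root>, using only the extra
# certificates the server sent (optional third argument); otherwise "fail".
verify_chain() {
  local leaf=$1 root=$2 sent=${3:-}
  if openssl verify -CAfile "$root" ${sent:+-untrusted "$sent"} "$leaf" 2>/dev/null \
      | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
# Server sends only its own certificate: the client cannot find the issuer.
echo "leaf only:           $(verify_chain "$DEMO_DIR/leaf.pem" "$DEMO_DIR/root.pem")"
# Server sends leaf plus intermediate: the chain reaches the trusted root.
echo "leaf + intermediate: $(verify_chain "$DEMO_DIR/leaf.pem" "$DEMO_DIR/root.pem" "$DEMO_DIR/int.pem")"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which is the input to the same check.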
Replying to [comment:5 puiterwijk]:
> No, the original issue has been resolved (keys.fedoraproject.org now sends its complete certificate chain).
That's true. In that case this bug can be closed.
I'd appreciate it if you could help me figure out the reason for the gpg-related issue. If it's a bug I'll open a ticket in bugzilla.redhat.com.
> If you could provide reproduction information (I can't find a package containing the program gpgkeys), please provide this, as openssl deems the certificates correct now.

This is a gpg utility error message from the gnupg package. {{{
ca-certificates-2013.1.94-1.fc19.noarch
gnupg-1.4.14-1.fc19.x86_64
openssl-1.0.1e-4.fc19.x86_64

issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
SHA1 Fingerprint=DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12

gpg: requesting key FB4B18E6 from hkps server keys.fedoraproject.org
gpg: key FB4B18E6: "Fedora (19) fedora@fedoraproject.org" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
}}}
This is a "known issue", and I think this should even be expected: GPG is a security tool trying to promote a decentralized security model. If it would automatically trust a centralized model, that would feel like a bug to me.
So if you think this is a bug, please report it as a bug upstream (http://www.gnupg.org/documentation/bts.en.html).