Hello,
current TLSA DNS record for fedoraproject.org is invalid, probably as a consequence of the changed certificate.
Please, can you fix that? (I haven't checked other Fedora domains.)
{{{ $ openssl s_client -connect fedoraproject.org:443 -showcerts </dev/null > /tmp/fedora.certs $ danetool --check=fedoraproject.org --load-certificate /tmp/fedora.certs Querying fedoraproject.org (tcp:443)... _443._tcp.fedoraproject.org. IN TLSA ( 00 00 01 d4c4c99819f3a5f2c6261c9444c62a8b263b39bc6acce35cdcabe272d5037fb2 ) Certificate usage: CA (00) Certificate type: X.509 (00) Contents: SHA2-256 hash (01) Data: d4c4c99819f3a5f2c6261c9444c62a8b263b39bc6acce35cdcabe272d5037fb2
Verification: Verification failed. CA constrains were violated. }}}
please update to:
_443._tcp.fedoraproject.org. IN TLSA 0 0 1 19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0
Updated.
Login to comment on this ticket.