Re: [tor-relays] Debian is not allowing tor to update despite it being listed as a trusted respritory

To: "tor-relays" <tor-relays@xxxxxxxxxxxxxxxxxxxx>

Subject: Re: [tor-relays] Debian is not allowing tor to update despite it being listed as a trusted respritory

Date: Tue, 03 May 2022 08:31:40 +0100

Arc-authentication-results: i=1; mx.zohomail.eu; dkim=pass header.i=bentasker.co.uk; spf=pass smtp.mailfrom=ben@xxxxxxxxxxxxxxx; dmarc=pass header.from=<ben@xxxxxxxxxxxxxxx>

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu; s=zohoarc; t=1651563101; h=Content-Type:Cc:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To; bh=agYiZDXrWU/ucw8Y5weNJMNnFi79tv+7i0CUrLxcV2M=; b=CpMwm40EGMI05+O6E4t3vJu5twQMzd+FFkO0aUZr5JRBlfsayXK0+jrtcUqgJozxSAXg8f206eDzMtTNMWMJE+fahM+C6WYiaXiCs7tWSy6fzdTKpgQNzpeSEHbRuYxrpTZnqM+hnr+tLNbwnlmdUrLvF+0i/tXaex9H4AGqXY4=

Arc-seal: i=1; a=rsa-sha256; t=1651563101; cv=none; d=zohomail.eu; s=zohoarc; b=H/j3NJytZ66/CG94VOcwCuYkZcApaZG1QNGQ0yjRnKfiwr8GIEoP0kEvxGQtK5HdsBOPNu2atGgyH22GgLWlW8OOCNaL4rRJN8AJOzLEE2WaPdjsu6lNxI1DIDlcghlDQYM34Z5/8NIE2Ub0q7dH+LB/JkSw9+9zhYYbE3btW64=

Delivered-to: archiver@xxxxxxxx

Delivery-date: Tue, 03 May 2022 04:17:43 -0400

Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1651563101; s=zohomail; d=bentasker.co.uk; i=ben@xxxxxxxxxxxxxxx; h=Date:Date:From:From:To:To:Cc:Cc:Message-Id:Message-Id:In-Reply-To:References:Subject:Subject:MIME-Version:Content-Type:Reply-To; bh=agYiZDXrWU/ucw8Y5weNJMNnFi79tv+7i0CUrLxcV2M=; b=d8mptnqyFPPCPLWUiaPMKOis+bWpjBAXtIlzLtEMGg9NqTrP8e97dXpvupVIyE5d UI98/TC5VuDkm/K57jW2Z/4/ztZ+UbWhRWDeLN/V1jqq+sShMOF/0xpOSAZiaLyodJ6 0Qw5h82NYgmQd3uw06BK8vll95IOu/2Ns6eTxuvk=

Importance: Medium

In-reply-to: <9d718a2d-9f86-0696-694b-39d487ebd4ae@gmx.de>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <49747692-45DE-425C-868B-DC197B5C97E4@hxcore.ol> <9d718a2d-9f86-0696-694b-39d487ebd4ae@gmx.de>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

User-agent: Zoho Mail

>> Certificate verification failed: The certificate is NOT trusted. The

>> certificate chain uses expired certificate. Could not handshake: Error

>> in the certificate verification. [IP: 95.216.163.36 443]

> Maybe renew the key ?

The repo uses a LetsEncrypt certificate.

Odds are, the OP's system's trust store is quite old and so still has the old root in place - LE's intermediate has multiple signatures and one of the roots expired last year.

Running

sudo apt-get -y install ca-certificates

Should bring it up to date (assuming there's a relatively modern openssl in use - I think 1.0 will throw an error either way because it still tries to follow both forks in the chain and borks when it sees the expired cert).

--
Ben Tasker
https://www.bentasker.co.uk

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays