[Rd] r-project.org SSL certificate issues

Jeroen Ooms jeroen @end|ng |rom berke|ey@edu
Sun May 31 00:01:27 CEST 2020


On Sat, May 30, 2020 at 11:40 PM Duncan Murdoch
<murdoch.duncan using gmail.com> wrote:
>
> On 30/05/2020 5:23 p.m., Bob Rudis wrote:
> > I've updated the dashboard (https://rud.is/r-project-cert-status/)
> > script and my notifier script to account for the entire chain in each
> > cert.
>
> You never posted which certificate has expired.  Your dashboard shows
> they're all valid, but the download still fails, presumably because
> something not shown has expired.

To see the problem in R:

   certs <- openssl::download_ssl_cert('cran.r-project.org')
   as.list(certs[[3]])

Shows the root cert expires today.

> Hopefully someone who can actually act on this can figure out what needs
> doing.

The apache server will have a config entry SSLCertificateFile which
points to a cert bundle (in nginx servers this is called
"ssl_certificate"). If you open this in a text editor it contains the
3 certs, in PEM format, so 3 entires like this:

-----BEGIN CERTIFICATE-----
[base64 cert]
-----END CERTIFICATE-----

What you need to do is replace the final certificate with this one
(just copy-paste the base64 cert): https://crt.sh/?d=1720081 .Then
restart the server.

See here for details:
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
. This site talks about "For business processes that depend on very
old systems...." but the reality is that this affects everything that
uses openssl for https, including curl, svn, etc.



More information about the R-devel mailing list