Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

website: certificate seems to be expired for dl.google.com and go.googlesource.com (maybe others). #23857

Closed
jeffreydwalter opened this issue Feb 15, 2018 · 4 comments
Closed

website: certificate seems to be expired for dl.google.com and go.googlesource.com (maybe others). #23857

jeffreydwalter opened this issue Feb 15, 2018 · 4 comments
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@jeffreydwalter
Copy link 

$ go get -insecure golang.org/x/build/version/go1.10rc2
# cd .; git clone https://go.googlesource.com/build /root/go/src/golang.org/x/build
Cloning into '/root/go/src/golang.org/x/build'...
fatal: unable to access 'https://go.googlesource.com/build/': SSL certificate problem: certificate has expired
package golang.org/x/build/version/go1.10rc2: exit status 128

$ curl -v -O https://dl.google.com/go/go1.9.4.freebsd-amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.217.1.238...
* TCP_NODELAY set
* Connected to dl.google.com (172.217.1.238) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3908 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: certificate has expired
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
@mvdan
Copy link
Member

mvdan commented Feb 15, 2018

Are you sure this isn't a problem with your system? Both sites work for me. The expiry date for googlesource appears as April 2018 on my phone.

@dominikh
Copy link
Member

I can't reproduce the issue, either. Things I would check

  • is your system clock set correctly?
  • is some anti-virus or firewall doing TLS MITM?
  • Use openssl s_client -showcerts to see what certificate you're actually being served

@davecheney davecheney added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Feb 15, 2018
@bradfitz
Copy link
Contributor

If you add another -v to your curl command, it'll show you the server's cert. I see this:

$ curl  -v -v -O https://dl.google.com/go/go1.9.4.freebsd-amd64.tar.gz 2>&1 | head -40
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 209.85.200.190...
* Connected to dl.google.com (209.85.200.190) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.com
*        start date: 2018-01-30 08:30:45 GMT
*        expire date: 2018-04-24 08:30:00 GMT
*        subjectAltName: dl.google.com matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*        SSL certificate verify ok.
> GET /go/go1.9.4.freebsd-amd64.tar.gz HTTP/1.1
> User-Agent: curl/7.38.0
> Host: dl.google.com
...

@jeffreydwalter
Copy link
Author

Arg! It was the system time on my VM. Sorry and thanks!

@mikioh mikioh changed the title certificate seems to be expired for dl.google.com and go.googlesource.com (maybe others). website: certificate seems to be expired for dl.google.com and go.googlesource.com (maybe others). Feb 21, 2018
@golang golang locked and limited conversation to collaborators Feb 21, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@bradfitz @davecheney @dominikh @jeffreydwalter @mvdan @gopherbot