| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | postgres(at)netlag(dot)com |
| Cc: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #17224: Postgres Yum repo mirror has expired SSL certificate |
| Date: | 2021-10-12 15:43:19 |
| Message-ID: | 577282.1634053399@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> In our automation we first install the PGDG Yum repo
> pgdg-redhat-repo-latest.noarch.rpm and then install the individual
> components needed by our applications and servers. Starting about a week
> ago, with the expiration of the Let's Encrypt! CA cert, we've been
> experiencing intermittent repo failures due to an expired SSL cert on one of
> the repo mirrors.
This indicates out-of-date software on your end.
We are aware of two possible sources of trouble:
* You might have a very out-of-date system trust store that
doesn't list the "ISRG Root X1" root certificate as trusted.
* Versions of OpenSSL up through 1.0.2 or so won't believe
that ISRG Root X1 is the cert to check for, as a result of
a hack that Let's Encrypt are using to preserve compatibility
with equally ancient Android installations. Details and
possible workarounds are mentioned at [1].
regards, tom lane
[1] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David G. Johnston | 2021-10-12 15:50:32 | Re: v12.4 pg_dump .sql fails to load data via psql |
| Previous Message | PG Bug reporting form | 2021-10-12 15:15:06 | BUG #17224: Postgres Yum repo mirror has expired SSL certificate |