There is a problem with the SSL certificate offered by https://api.turris.cz:443/. Compared to https://repo.turris.cz/ which is issued by Let's Encrypt, it seems to use a certificate issued by an unknown Certificate Authority.
$ wget https://api.turris.cz/
--2017-08-19 14:40:07--  https://api.turris.cz/
Resolving api.turris.cz... 217.31.192.101, 2001:1488:ac15:ff80::101
Connecting to api.turris.cz|217.31.192.101|:443... connected.
ERROR: cannot verify api.turris.cz's certificate, issued by `emailAddress=michal.vaner@nic.cz,CN=Turris Emergency CA,OU=Labs,O=CZ.NIC,L=Prague,ST=Czech republic,C=CZ':
  Unable to locally verify the issuer's authority.
To connect to api.turris.cz insecurely, use `--no-check-certificate'.
The main concern with this is that the Turris updater connects to api.turris.cz to retrieve info on new packages. If the updater is using insecure (unverified) connections, it’s potentially open to MITM attack.
I have that file. It has a completely different cert in it signed by GeoTrust:
$ openssl x509 -in /etc/ssl/updater.pem -text -noout
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
I can't replace that file because api.turris.cz is only offering its own cert. It does not supply the cert chain. For example:
$ openssl s_client -host api.turris.cz -port 443 -prexit -showcerts
…cert details…
Verify return code: 21 (unable to verify the first certificate)
So I don’t seem to be able to establish a secure connection, nor can I update my local cert store.
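The two checks the thread turns on, whether the offered certificate chains to a pinned CA file such as /etc/ssl/updater.pem and what happens when the server sends only its own certificate without the chain, can be reproduced offline. The script below is an added example for this thread, not code from the Turris project or the poster. It builds a throwaway root CA, an intermediate CA and a server certificate (all names constructed: "Example Root CA", "Example Intermediate CA", "api.example.invalid", "Unrelated Root CA"), then verifies the server certificate against a pinned CA the way a client would verify api.turris.cz against updater.pem. It assumes the openssl command-line tool (1.1.1 or 3.x) is installed and needs no network access.

```shell
#!/bin/sh
# Added example for this thread; not code from the Turris project or the poster.
# Builds root CA -> intermediate CA -> server cert (constructed names), then checks
# the server cert against a pinned CA file, as a client checks api.turris.cz
# against /etc/ssl/updater.pem. Assumes openssl 1.1.1 or 3.x; no network needed.
set -eu

# Minimal openssl.cnf so results do not depend on the system config.
# write_cnf <path> <CN> <ca|leaf>; [ ext ] serves both self-signed and issued certs.
write_cnf() {
  if [ "$3" = ca ]; then
    exts='basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign'
  else
    exts='basicConstraints = CA:FALSE'
  fi
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ext
[ dn ]
CN = $2
[ ext ]
subjectKeyIdentifier = hash
$exts
EOF
}

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# make_root <prefix> <CN>: self-signed root CA
make_root() {
  write_cnf "$1.cnf" "$2" ca
  new_key "$1.key"
  openssl req -x509 -new -key "$1.key" -out "$1.pem" -days 2 -config "$1.cnf"
}

# issue_cert <prefix> <CN> <ca|leaf> <parent-prefix>: certificate signed by parent
issue_cert() {
  write_cnf "$1.cnf" "$2" "$3"
  new_key "$1.key"
  openssl req -new -key "$1.key" -out "$1.csr" -config "$1.cnf"
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -out "$1.pem" -days 2 -extfile "$1.cnf" -extensions ext 2>/dev/null
}

# setup_demo_pki <dir>: root -> intermediate -> server, plus an unrelated root that
# plays the part of a pinned CA (like the GeoTrust-signed updater.pem) that did not
# sign what the server presents.
setup_demo_pki() {
  make_root "$1/root" "Example Root CA"
  issue_cert "$1/intermediate" "Example Intermediate CA" ca "$1/root"
  issue_cert "$1/server" "api.example.invalid" leaf "$1/intermediate"
  make_root "$1/other-root" "Unrelated Root CA"
}

# issuer_of <cert>: the issuer DN, as shown with `openssl x509 -noout` in the thread
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# verify_pinned <cert> <cafile> [<untrusted-chain>]: does <cert> chain to the pinned
# <cafile>? Intermediates the server sent go in <untrusted-chain>. The system trust
# store is ignored so only the pinned CA counts. The ": OK" line is checked rather
# than the exit status because OpenSSL 1.0.x exits 0 even on failure.
verify_pinned() {
  if [ $# -ge 3 ]; then
    result=$(openssl verify -no-CAfile -no-CApath -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
  else
    result=$(openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" 2>&1) || true
  fi
  printf '%s\n' "$result" | grep -q ': OK$'
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
setup_demo_pki "$DEMO"

echo "server cert $(issuer_of "$DEMO/server.pem")"
# Server sends only its own cert: the issuer cannot be found, the situation behind
# "unable to verify the first certificate" in the s_client output above.
if verify_pinned "$DEMO/server.pem" "$DEMO/root.pem"; then
  echo "leaf alone against pinned root: OK"
else
  echo "leaf alone against pinned root: FAIL (issuer missing, chain not supplied)"
fi
# Same cert plus the intermediate the server should have sent.
if verify_pinned "$DEMO/server.pem" "$DEMO/root.pem" "$DEMO/intermediate.pem"; then
  echo "leaf + intermediate against pinned root: OK"
fi
# A pinned CA that did not sign the chain rejects it even when the chain is complete.
if ! verify_pinned "$DEMO/server.pem" "$DEMO/other-root.pem" "$DEMO/intermediate.pem"; then
  echo "leaf + intermediate against unrelated pinned CA: FAIL"
fi
```

The same `verify_pinned` call works on a real chain: save what `openssl s_client -showcerts` prints into one PEM file for the `<untrusted-chain>` argument and pass the pinned file as `<cafile>`; if the server sent only its own certificate, the check fails exactly as the leaf-alone case does here, regardless of whether the CA itself is trustworthy.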