t/remote-files.t crashes due to misconfigured SSL certificate chain on external server (webspace.science.uu.nl)

[gyx47]

when I run test remote-files ,a 500 error was being returned due to network issues.

biber-12.21-3-x86_64-check.log

Can't call method "get_field" on an undefined value at /build/biber/src/biber/blib/lib/Biber/DataList.pm line 1816.
# Looks like your test exited with 255 before it could output anything.
t/remote-files.t ..
1..1
ERROR - Could not fetch 'https://webspace.science.uu.nl/~bodla101/graphs-bib/definitions.bib' (HTTP code: 500)
ERROR - Could not fetch 'https://www.staff.science.uu.nl/~bodla101/graphs-bib/papers.bib' (HTTP code: 500)
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 1/1 subtests

I tried connecting to this website directly.

curl -I -v https://webspace.science.uu.nl/\~bodla101/graphs-bib/papers.bib
* Uses proxy env variable no_proxy == '127.0.0.1,*.local,space.dingtalk.com,speedtest.zju.edu.cn,cs.zju.edu.cn,zhfw.zju.edu.cn,yunfeng.zju.edu.cn,cspo.zju.edu.cn,zju.edu.cn,dingtalk.com,tongyi.aliyun.com,service.zju.edu.cn,xlab.zju.edu.cn,youth.zju.edu.cn,zhihuishu.com,eta.zju.edu.cn,libweb.zju.edu.cn,pan.zju.edu.cn,webvpn.zju.edu.cn,zjuam.zju.edu.cn,classroom.zju.edu.cn,identity.zju.edu.cn,courses.zju.edu.cn,zdbk.zju.edu.cn,192.168.*,172.31.*,172.30.*,172.29.*,172.28.*,172.27.*,172.26.*,172.25.*,172.24.*,172.23.*,172.22.*,172.21.*,172.20.*,172.19.*,172.18.*,172.17.*,172.16.*,10.*,127.*,localhost,<local>'
* Uses proxy env variable https_proxy == 'http://127.0.0.1:52345'
*   Trying 127.0.0.1:52345...
* Connected to (nil) (127.0.0.1) port 52345 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to webspace.science.uu.nl:443
> CONNECT webspace.science.uu.nl:443 HTTP/1.1
> Host: webspace.science.uu.nl:443
> User-Agent: curl/7.81.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<

* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Some experiments have shown that adding two SSL certificates may resolve the connection issue.Adding only the root certificate didn't work; the website's trust chain might be faulty.

My co-reporter @Xeonacid runs openssl s_client webspace.science.uu.nl:443 And it turns out that their server certificate chain is misconfigured.

Certificate chain
 0 s:C=NL, L=Utrecht, O=Universiteit Utrecht, CN=webspace.science.uu.nl
   i:C=GR, O=Hellenic Academic and Research Institutions CA, CN=GEANT TLS RSA 1
   a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Nov 27 07:36:42 2025 GMT; NotAfter: Nov 27 07:36:42 2026 GMT
 1 s:C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: RSA, 2048 (bit); sigalg: sha384WithRSAEncryption
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: RSA, 4096 (bit); sigalg: sha384WithRSAEncryption
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT

1 should be GEANT TLS RSA 1, but it's configured as Sectigo RSA Organization Validation Secure Server CA.

[plk]

Usually this is because the root cert package we use is outdated - I will update to the latest version for next release. DEV release on SF has been updated with this.