soroush.asadi
e0c786fcd1
CI/CD / CI · API (dotnet build + test) (push) Successful in 55s
CI/CD / CI · Admin API (dotnet build) (push) Successful in 31s
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m10s
CI/CD / CI · Admin Web (tsc) (push) Successful in 38s
CI/CD / CI · Website (tsc) (push) Successful in 47s
CI/CD / CI · Koja (tsc) (push) Successful in 57s
CI/CD / Deploy · all services (push) Successful in 3m1s
Run 77 diagnostics proved http://yr.i.lencr.org/ connects but never responds from the runner (national filtering), so fetching ISRG Root YR at build time can never work. Meanwhile the mirror's fullchain.pem now serves the complete chain: leaf → YR2 → ISRG Root YR cross-signed by ISRG Root X1, which IS in every stock trust store — verified with strict curl (ssl_verify_result=0) and openssl verify. Replace both Trust steps with a cheap s_client sanity check that fails early with a pointer to the server-side fix if the cert regresses on its ~90-day renewal. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>