Acme-client bad comm cert verify failed

Some success. The original /etc/ssl/certs hash for isrgrootx1.pem was 8d33f237.0. Earlier I computed the hash to be 4042bcee.0 (odd why it would be different, whatever) but this was before we looked at curl and this did not fix the acme. Now

curl -v https://acme-v02.api.letsencrypt.org/directory

returns (entire output attached as qq.txt, 3.1 KB):

Linux (89) Yes ? curl -v https://acme-v02.api.letsencrypt.org/directory

  • Trying 172.65.32.248...
  • TCP_NODELAY set
  • Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: none
    CApath: /etc/ssl/certs/
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • NPN, negotiated HTTP1.1
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Next protocol (67):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  • Server certificate:
  • subject: CN=acme-v02.api.letsencrypt.org
  • start date: Jul 2 23:09:08 2024 GMT
  • expire date: Sep 30 23:09:07 2024 GMT
  • subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
  • issuer: C=US; O=Let's Encrypt; CN=R10
  • SSL certificate verify ok.

GET /directory HTTP/1.1
Host: acme-v02.api.letsencrypt.org
User-Agent: curl/7.64.1
blah, blah, blah....

So now we know that /etc/ssl/certs is set up correctly (why this never mattered until recently is unclear) and fixes curl but sadly acme-client still fails as before.

1 Like

Try using this alternate/test server path:
--server https://le-acme-v02.beer4.work/directory

1 Like
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

What does this show now that curl is working?

2 Likes

I can't be sure ... because I don't use BSD.
But it looks like your client is no longer being maintained:

shows:
image
I would opt for any other client that is being maintained.

2 Likes

Looks like OpenBSD is maintaining it: acme-client(1) - OpenBSD manual pages

Success! I do not understand at all how this has been working the last three years. The key was that the hash link name was incorrect (out of date?). Using strace with -f to trace child processes, I saw that acme-client uses /usr/local/ssl/certs, not /etc/ssl/certs. /usr/local/ssl/certs has

total 12
-rw-r--r-- 1 root root 1270 2021-02-16 13:13 DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 18 2021-02-16 13:14 2e5ac55d.0 -> DST_Root_CA_X3.pem
-rw-r--r-- 1 root root 1939 2021-10-28 09:18 isrgrootx1.pem
-rw-r--r-- 1 root root 1955 2021-10-28 09:18 isrg-root-x1-cross-signed.pem
lrwxrwxrwx 1 root root 14 2021-10-28 09:18 8d33f237.0 -> isrgrootx1.pem

I added the correct hash link

lrwxrwxrwx 1 root root 14 2024-08-03 13:49 4042bcee.0 -> isrgrootx1.pem

and now acme-client is happy. All of this is slowly coming back to me. I think since I build acme-client from source, it defaulted to looking for certificates in the /usr/local/ssl directory tree instead of /etc/ssl/certs. I suspect that if I rebuild acme-client there is a configure option in there to specify certificate location. I also built curl from source a long time ago and I suspected it defaulted to openssl which defaults to /etc/ssl.

The final mystery to me is why there are different hashes for the same file. When openssl calculates the hash value, does it get something from some CA site out there? If so, and that is what the R10/R11 change affected, then this all makes sense.

I will write this up and put it in my SSL file folder (yes, real paper, I am that old).

THANK YOU THANK YOU MikeMcQ, petercooperjr, mcpherrinm, linkp, rg305 for sticking with me on this!!!! BTW linkp thank you for the ancient SUSE docs. I had given up on trying to upgrade the SUSE11 because I did not have the SP4 which is needed to jump to 12. The document page you pointed to shows how to leap. Fortunately this is a VM machine so I can simply checkpoint it before attempting. Once I am there I have the 12 SP files.

5 Likes
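The fix above (a second `<hash>.0` link for the same root) is the general case of how OpenSSL's hashed CApath works: the CA is found only through a symlink named after a hash of its subject, and OpenSSL 1.0.0 changed how that hash is derived (`openssl x509 -subject_hash` versus `-subject_hash_old`), so a directory rehashed by one OpenSSL build need not contain the name a differently built program looks up. The script below is an added example, not from this thread or from acme-client; it audits a CA directory for both link forms and adds a missing current-hash link, and assumes only that `openssl` is on PATH.

```sh
#!/bin/sh
# Added example (not from the thread): audit an OpenSSL hashed CA directory
# such as the CApath curl printed or the /usr/local/ssl/certs tree acme-client
# used. OpenSSL finds a CA by a symlink named <subject-hash>.N; 1.0.0 changed
# how that hash is derived, so a link created by one build may not be the one
# another build looks for. Assumes `openssl` is on PATH.

# hash_names CERT -> prints "<current> <legacy>" subject hashes for CERT
hash_names() {
    cur=$(openssl x509 -noout -subject_hash -in "$1" 2>/dev/null) || return 1
    old=$(openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null) || return 1
    printf '%s %s\n' "$cur" "$old"
}

# has_link DIR HASH CERT -> succeeds if some DIR/HASH.N has CERT's content
has_link() {
    for n in 0 1 2 3 4 5 6 7 8 9; do
        [ -e "$1/$2.$n" ] && cmp -s "$1/$2.$n" "$3" && return 0
    done
    return 1
}

# audit_capath DIR -> one report per cert; exit status = number of certs
# that a current OpenSSL could NOT find (0 means the directory is complete)
audit_capath() {
    dir=$1; missing=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        hashes=$(hash_names "$cert") || continue   # not a certificate, skip
        cur=${hashes% *}; old=${hashes#* }
        if has_link "$dir" "$cur" "$cert"; then c=ok; else c=MISSING; missing=$((missing + 1)); fi
        if has_link "$dir" "$old" "$cert"; then o=ok; else o=missing; fi
        printf '%s\n  current hash %s.N: %s\n  legacy hash  %s.N: %s\n' \
            "$cert" "$cur" "$c" "$old" "$o"
    done
    return "$missing"
}

# add_link DIR CERT -> creates the current-hash link for CERT if absent,
# picking the first free suffix so two CAs with the same subject hash coexist
add_link() {
    dir=$1; cert=$2
    hashes=$(hash_names "$cert") || return 1
    cur=${hashes% *}
    has_link "$dir" "$cur" "$cert" && return 0
    n=0
    while [ -e "$dir/$cur.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$cert")" "$dir/$cur.$n"
}

if [ $# -eq 1 ]; then audit_capath "$1"; fi
```

Run it as `sh audit.sh /usr/local/ssl/certs` (or whatever directory `strace -f` shows the client opening); a non-zero exit means at least one CA in that directory is invisible to a current OpenSSL.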

The manual page is there but I never found a more recent download. I think I used his acme-client because others needed supporting programs that I either could not get rpms for SUSE11 or build on SUSE11 due to old gcc/libc etc.

2 Likes

I see this on OpenBSD 7.5 in /usr/src/usr.sbin/acme-client/CVS:

cat Entries
/Makefile/1.9/Wed Jun 12 11:09:25 2019//TOPENBSD_7_5
/acctproc.c/1.32/Sun Oct 22 19:51:31 2023//TOPENBSD_7_5
/acme-client.1/1.42/Sun Oct 22 19:51:31 2023//TOPENBSD_7_5
/acme-client.conf.5/1.29/Mon Jan 11 07:23:42 2021//TOPENBSD_7_5
/base64.c/1.9/Tue Jan 24 13:32:55 2017//TOPENBSD_7_5
/certproc.c/1.13/Mon Sep 14 15:58:50 2020//TOPENBSD_7_5
/chngproc.c/1.17/Sat Nov  5 00:16:25 2022//TOPENBSD_7_5
/dbg.c/1.4/Tue Sep 13 17:13:37 2016//TOPENBSD_7_5
/dnsproc.c/1.12/Mon May  2 18:45:08 2022//TOPENBSD_7_5
/extern.h/1.20/Mon Sep 14 16:00:17 2020//TOPENBSD_7_5
/fileproc.c/1.18/Mon Jul 12 15:09:20 2021//TOPENBSD_7_5
/http.c/1.32/Thu Apr 20 21:00:24 2023//TOPENBSD_7_5
/http.h/1.8/Fri Jun  7 08:07:52 2019//TOPENBSD_7_5
/jsmn.c/1.1/Wed Aug 31 22:01:42 2016//TOPENBSD_7_5
/jsmn.h/1.1/Wed Aug 31 22:01:42 2016//TOPENBSD_7_5
/json.c/1.21/Mon Sep 14 16:00:17 2020//TOPENBSD_7_5
/key.c/1.8/Sun Oct 22 19:51:31 2023//TOPENBSD_7_5
/key.h/1.1/Wed Jun 12 11:09:25 2019//TOPENBSD_7_5
/keyproc.c/1.18/Sat Nov  5 00:16:25 2022//TOPENBSD_7_5
/main.c/1.55/Sat Nov  5 00:16:25 2022//TOPENBSD_7_5
/netproc.c/1.33/Thu Apr 20 21:00:24 2023//TOPENBSD_7_5
/parse.h/1.15/Mon Sep 14 16:00:17 2020//TOPENBSD_7_5
/parse.y/1.45/Thu Apr 20 21:00:24 2023//TOPENBSD_7_5
/revokeproc.c/1.25/Thu Apr 20 21:00:24 2023//TOPENBSD_7_5
/util.c/1.13/Thu Apr 20 21:00:24 2023//TOPENBSD_7_5
D

Interesting. I may create a BSD VM just to check it out. Thanks.

4 Likes

And from the README.md there:
Attention: acme-client has moved permanently into OpenBSD. It is not maintained here any more.
If you're using this repository---which is intended for OpenBSD anyway---you're using old code.
Please use the local version instead!

If you'd like to contribute to acme-client, please submit patches to the OpenBSD tree.

3 Likes

Hi Bruce,
How did you get those src files? I installed OpenBSD 7.5 using install75.iso, told it to install everything but /usr/src is empty.
Paul

3 Likes

Hi @TheOldMan,

I follow this: OpenBSD Anonymous CVS

3 Likes
