Certificate of acme-v02.api.letsencrypt.org issued by the U.S. Government

I ran this command: openssl s_client -connect acme-v02.api.letsencrypt.org:443

It produced this output:

-----END CERTIFICATE-----
subject=/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=DOD/CN=wildcard4-com.test.cce.af.mil
issuer=/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD SW CA-54

No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3433 bytes and written 302 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 18E0E011CF5F157A719E21D810CC244F6AFD4F11F1BACE045DBDAAA3ABEA7C64
Session-ID-ctx:
Master-Key: 011355018ECE253F60518CEF2BC8438FBB93689B9C6F432A4AA191576068F47F2345A35B582AA3856D6A45A35F805A8D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 00 00 3a 8e c4 04 53 85-f8 a7 e7 02 ab 95 f3 f0 …:…S…
0010 - d0 4e 87 85 82 d1 d5 3a-5d cf 0c 24 e2 31 5c 02 .N…:]…$.1.
0020 - 16 a7 50 89 e0 be 91 90-86 5b df 57 7d 84 cc 9a …P…[.W}…
0030 - 5c 6d a2 aa 44 36 2a e8-89 c6 6e 78 be 30 f1 79 \m…D6*…nx.0.y
0040 - e5 6b f2 13 ca 44 a2 fa-c3 55 6b 3c 10 79 b4 6a .k…D…Uk<.y.j
0050 - da 62 57 ce a5 b1 20 b6-d0 17 99 7c 65 de b0 f5 .bW… …|e…
0060 - 1a 87 85 1e 05 2f a9 41-6e f6 52 8a 92 12 6a ac …/.An.R…j.
0070 - 92 3c 90 c8 a1 7a 26 df-36 37 7d ca 5d ee 19 df .<…z&.67}.]…
0080 - 2c f8 e7 a6 03 f9 97 f4-e3 92 b0 a6 bc f9 d4 e6 ,…
0090 - 5b 4a 60 d3 43 07 88 b8-7d 77 9a c1 7d 28 6a 2d [J`.C…}w…}(j-

Start Time: 1576867503
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no

The operating system my web server runs on is (include version): Debian 9

Why is the certificate issued by the U.S. Government?

2 Likes

Hi @n00n3,

Do you have any special entries for acme-v02.api.letsencrypt.org in your /etc/hosts file?

Have you checked that the DNS resolvers your system is using are working correctly?

Are you on a system that might have a network proxy or corporate MITM device in between your machine and the ACME API?

It looks to me like you’re connecting to the wrong server, not the Let’s Encrypt API.

2 Likes
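The checks the reply above suggests (a stale static entry in the hosts file, and whether the presented certificate actually names the ACME host) can be scripted. The following is an added Python example written for this thread, not code from the forum or from Let's Encrypt. The hosts-file text and the peer-certificate dictionary are constructed samples modelled on the subject line in the original post, and `live_check` is an optional helper that uses the system trust store; nothing here is the project's own tooling.

```python
import socket
import ssl

# Constructed sample /etc/hosts content (not from the thread) containing a stale
# static entry for the ACME endpoint, the situation the reply above asks about.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# pinned a long time ago and forgotten
203.0.113.10  acme-v02.api.letsencrypt.org
::1         ip6-localhost ip6-loopback
"""

# Constructed peer-certificate dict in the shape ssl.SSLSocket.getpeercert()
# returns, modelled on the subject shown in the original post's s_client output.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "U.S. Government"),),
        (("organizationalUnitName", "DoD"),),
        (("commonName", "wildcard4-com.test.cce.af.mil"),),
    ),
    "subjectAltName": (
        ("DNS", "wildcard4-com.test.cce.af.mil"),
        ("DNS", "*.test.cce.af.mil"),  # assumed SAN, for the wildcard case
    ),
}

def hosts_overrides(hosts_text, hostname):
    """Return every address a hosts-file text statically maps to hostname."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if hostname.lower() in (n.lower() for n in names):
            found.append(addr)
    return found

def _label_matches(pattern, name):
    """RFC 6125-style match: exact, or a single leftmost '*' label wildcard."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    head, sep, tail = name.partition(".")
    # the wildcard covers exactly one non-empty label, never the parent itself
    return sep == "." and head != "" and tail == pattern[2:]

def cert_names(peer_cert):
    """DNS names from subjectAltName, falling back to the subject CN only if none."""
    sans = [v for t, v in peer_cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in peer_cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def cert_covers(peer_cert, hostname):
    """True when any name in the certificate matches the host we meant to reach."""
    return any(_label_matches(n, hostname) for n in cert_names(peer_cert))

def diagnose(hostname, hosts_text, peer_cert):
    """Combine both checks into one findings dict for the given host."""
    return {
        "hosts_override": hosts_overrides(hosts_text, hostname),
        "cert_names": cert_names(peer_cert),
        "cert_matches": cert_covers(peer_cert, hostname),
    }

def live_check(hostname, port=443, timeout=5.0):
    """Handshake with the system trust store; returns (ok, cert_or_error_text)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)

if __name__ == "__main__":
    import sys
    host = "acme-v02.api.letsencrypt.org"
    print(diagnose(host, SAMPLE_HOSTS, SAMPLE_PEER_CERT))
    if "--live" in sys.argv:  # read the real /etc/hosts and talk to the real host
        with open("/etc/hosts") as fh:
            print("hosts override:", hosts_overrides(fh.read(), host))
        print("live:", live_check(host))
```

Run with `--live` on the affected machine to read the real `/etc/hosts` and attempt a verified handshake; a non-empty `hosts_override` list combined with `cert_matches: False` reproduces the situation in the original post, where the name resolves to a server that presents a certificate for an unrelated host.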

:man_facepalming: I had an entry in the hosts file.

Sorry for the inconvenience

3 Likes

That’ll do it! :slight_smile: We don’t recommend adding those static records for this reason. I believe this would have been broken for you since we changed the production API CDN: New CDN for the Production API

No inconvenience, that’s what the forum is for :lock: :tada: Thanks for reporting back with the confirmation.

5 Likes
