Curl fails to validate certificate presented by openssl server (with fullchain.pem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: satdev.hopto.org

I ran this command: openssl s_server -accept 443 -cert /etc/letsencrypt/live/satdev.hopto.org/fullchain.pem -key /etc/letsencrypt/live/satdev.hopto.org/privkey.pem -www > /tmp/s_server.log 2>&1 &
curl -v https://satdev.hopto.org

It produced this output:

  • Trying 44.217.130.115:443...
  • Connected to satdev.hopto.org (44.217.130.115) port 443
  • ALPN: curl offers h2,http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
  • CApath: none
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, unknown CA (560):
  • SSL certificate problem: unable to get local issuer certificate
  • Closing connection
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My web server is (include version): openssl s_server (OpenSSL 1.0.2k-fips 26 Jan 2017)

The operating system my web server runs on is (include version):
Amazon Linux 2 on the most recent ami release

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Welcome @sat95

The openssl s_server requires 3 cert related files for this. The -key you have is correct.

But, the -cert should be the .../cert.pem file and you need the -cert_chain option for the .../chain.pem file.

You have fullchain.pem in the -cert file option but openssl only uses the first cert in that file. Thus, your client (curl) cannot follow the cert to a trusted root and fails validation.

You can see this by using the below command instead of curl to test the connection.

echo | openssl s_client -connect satdev.hopto.org:443 | head -40 

You will only see a single cert in the "Certificate Chain" section when connecting to openssl s_server the way you did. Compare that to connecting to a domain like letsencrypt.org using that same openssl s_client command. For that you will see two certificates: the leaf and the intermediate, which are both in "fullchain.pem" from Certbot.

Once you set the 3 options it should work fine. I just reproduced all of this on my own test server.

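The chain-building failure the reply describes can be reproduced offline; the script below is an added example, not code from the thread or from OpenSSL's documentation. It constructs a throwaway root, intermediate and leaf (all names made up; only the thread's host name is reused in the leaf), keeps just the first block of fullchain.pem as s_server -cert does, and runs openssl verify with and without the intermediate.

```shell
#!/bin/sh
# Added illustration, not from the thread: build a throwaway root -> intermediate -> leaf
# chain locally, then show why a client handed only the first block of fullchain.pem
# cannot reach a trusted root. Everything here is constructed; no server is contacted.
set -e
WORK=$(mktemp -d)

# Self-signed root CA: plays the role of the root in the client's CA bundle.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
  -subj "/CN=Example Test Root" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.pem" \
  -days 1 -extfile "$WORK/ca.ext" 2>/dev/null

# Intermediate CA signed by the root: the counterpart of Certbot's chain.pem.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
  -subj "/CN=Example Test Intermediate" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/int.pem" -days 1 -extfile "$WORK/ca.ext" 2>/dev/null

# Leaf signed by the intermediate: the counterpart of Certbot's cert.pem.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=satdev.hopto.org" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:satdev.hopto.org\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 1 -extfile "$WORK/leaf.ext" 2>/dev/null

# fullchain.pem is leaf followed by intermediate, as Certbot writes it.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"

# Number of PEM certificate blocks in a file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Keep only the first block: all that "s_server -cert fullchain.pem" presents.
first_cert() { awk '/BEGIN CERTIFICATE/ { n++ } n == 1' "$1"; }
first_cert "$WORK/fullchain.pem" > "$WORK/presented.pem"

# Client view 1: leaf only. The root alone cannot complete the path, so this fails
# with "unable to get local issuer certificate", the error curl reported.
verify_leaf_only() { openssl verify -CAfile "$WORK/root.pem" "$WORK/presented.pem" >/dev/null 2>&1; }

# Client view 2: leaf plus intermediate, what -cert cert.pem -cert_chain chain.pem sends.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

echo "blocks in fullchain.pem: $(count_certs "$WORK/fullchain.pem"), presented: $(count_certs "$WORK/presented.pem")"
if verify_leaf_only; then echo "leaf only: verified (unexpected)"; else echo "leaf only: verification failed"; fi
if verify_with_chain; then echo "leaf + intermediate: verified"; else echo "leaf + intermediate: failed (unexpected)"; fi
```

The same two outcomes are what curl sees against s_server with -cert fullchain.pem (first case) versus -cert cert.pem -cert_chain chain.pem (second case).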

Thank you so much. That was very dumb on my part. I used openssl s_client multiple times and kept thinking s_server was not able to present the full chain (with 2 blocks) for some reason instead of just testing with another domain- which would've helped me identify the issue is with the command itself. I appreciate your quick and kind correction. Thank you.


No worries. As much as I've used openssl I've never used the s_server feature before. So, I got to learn something too.

