Curl gives certificate expired on Ubuntu 20.04 LTS

My domain is: derbi.sehlstedt.se, sehlstedt.se, mail.sehlstedt.se, test.sehlstedt.se

I ran this command: curl -v https://acme-v02.api.letsencrypt.org/directory

It produced this output:

```
* Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
```

My web server is (include version):
nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020

The operating system my web server runs on is (include version):
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"

My hosting provider, if applicable, is: Telia

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08

I have also used this version of curl on the same machine with the same result:
curl 7.80.0 (x86_64-pc-linux-musl) libcurl/7.80.0 OpenSSL/1.1.1l zlib/1.2.11 libssh2/1.9.0 nghttp2/1.43.0
Release-Date: 2021-11-10

I have re-installed ca-certificates, run dpkg-reconfigure ca-certificates and update-ca-certificates, removed /etc/ssl/certs and rebuilt it; nothing helps.
Running:
curl -vk https://acme-v02.api.letsencrypt.org/directory
Gives:

```
* Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Oct 17 18:26:38 2021 GMT
*  expire date: Jan 15 18:26:37 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get issuer certificate (2), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5652f8f2ec80)
...
```

Please advise.

Which version is installed exactly?

2 Likes

apt list --installed | grep ca-certificate

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

ca-certificates/focal-updates,focal-security,now 20210119~20.04.2 all [installerat]

apt list | grep ssl-cert

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

ssl-cert-check/focal 4.14-1 all
ssl-cert/focal,now 1.0.39 all [installerat,automatiskt]

Please show output through end of all certs for:
openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts

1 Like

Do you have the file ISRG_Root_X1.pem present in /etc/ssl/certs/ ?

And what's the output of grep rOPNk3sgrDQoo /etc/ssl/certs/ca-certificates.crt ?

1 Like

# openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts

CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
issuer= C = US, O = Let's Encrypt, CN = R3
verify return:1
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
# grep rOPNk3sgrDQoo /etc/ssl/certs/ca-certificates.crt
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI

So the ISRG root is available in ca-certificates.crt, and curl is even using that same file, proven by the "CAfile: /etc/ssl/certs/ca-certificates.crt" line. But for some reason it's not using the root certificate.

This is very weird.

Although your first curl output shows "certificate problem: certificate has expired" while your second one shows the "unable to get issuer certificate" error also present in the OpenSSL output.

I have absolutely no idea how this could happen. I also can't reproduce it on an Ubuntu 20.4.3 VirtualBox image from OSBoxes.

2 Likes

My apologies, I tried to edit your post, to add "```" above and below the posted content.
But on save discourse ATE the entire post.
Please repost it.
[with the backticks]

1 Like

Do you mean backticks like below

grep rOPNk3sgrDQoo /etc/ssl/certs/ca-certificates.crt
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI

and

root@derbi:~# openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
issuer= C = US, O = Let's Encrypt, CN = R3
verify return:1
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = acme-v01.api.letsencrypt.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3573 bytes and written 400 bytes
Verification error: unable to get issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 2 (unable to get issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FDE55186998856BE67DDAD3539C6E80C316E7C0D04854EFC01930C9E2A040FB6
    Session-ID-ctx: 
    Resumption PSK: 2A4C89C6C90F6DFF4D41A7243CE70A5FC35A8BD670D4C5DC4C4594AE8DA43A1E381ECD8D435E73ECD414D62D61FD7E6A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - ad 8a e5 2e 7b f4 a5 f7-06 51 d9 e0 e1 6c aa a6   ....{....Q...l..
    0010 - f2 1e 84 34 4c 20 d4 12-cf c8 5f d7 79 b5 02 76   ...4L ...._.y..v

    Start Time: 1637088950
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 03B814194CC7DF3F7913C1EFE705A9D8CD019E4B5947D6A0C052295C1CC8B721
    Session-ID-ctx: 
    Resumption PSK: E364220735289BA83A1A9EC2920B517FD77B3B208B33C9DB776BC323C388514E4F8620398054B44295CA2BBA21D5B648
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - e4 14 ec c3 9b df 38 80-05 8f 2a b0 02 52 97 51   ......8...*..R.Q
    0010 - 3c e4 db 1c 49 30 21 8c-cf 80 a5 f8 a0 63 23 a0   <...I0!......c#.

    Start Time: 1637088950
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

I will try to edit it again.
Please be patient.

You almost had it.
use 3 ticks not one

```
text
```

And it just comes back to life (all on its own) ! ! !

1 Like

OK, at this point, there is no doubt in my mind that:
Your system is receiving the exact same certs.
We're both using the exact same OS version.
The exact same openssl version.
The exact same ca-certificates version.

And yet my system works and your system doesn't.

I have nothing left to explain why this can be happening.

1 Like

Note: using curl and openssl on a different machine
on the same subnet behind my router goes perfectly well:

curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1j zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.5/openssl/zlib nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09

and

openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v01.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = acme-v01.api.letsencrypt.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3573 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 70797E5C8B10EC2095E331F34E8703BEB886B2E67CC4A5BD16B6194B113992A0
    Session-ID-ctx: 
    Resumption PSK: 796DFBDEC8CC74609F5FD5AD7A4180F708B36EF2570B910CB60730B2FB5847C56FF5DCDE43E851E76A3ADFCA9D2DAD99
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - a7 40 2d 7a fa 5f 58 fa-ca 27 8d 60 ec ac 98 68   .@-z._X..'.`...h
    0010 - b6 88 c9 6f 67 b9 84 ea-be 4f 69 17 42 11 d7 dd   ...og....Oi.B...

    Start Time: 1637087970
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6D304E23A18A1D69E34685FC78676098456E3EF5FC9C4D774FBDD70B30AC6197
    Session-ID-ctx: 
    Resumption PSK: 03654CA02D60CF82D63A2B3BF6E1AA776175C4E93409EFA4D6007FB60435CE057BA50239DC506464FAB77F324E7FC590
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - b9 7a 0e 05 f5 84 25 de-db 84 fb d8 ee ec 06 93   .z....%.........
    0010 - 14 06 c6 35 f8 21 05 d1-3e eb da a9 16 f0 ad f9   ...5.!..>.......

    Start Time: 1637087970
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

At a quick glance I can see a couple of differences when comparing:

1. in the beginning:

depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1

versus

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1

E.g. the first one, with the non-working curl, has the DST Root CA X3 cert,
which I believe is expired, compared to the second one that has
ISRG Root X1 as the first output from the openssl command.

2. after Server Temp key

SSL handshake has read 3574 bytes and written 400 bytes
Verification error: unable to get issuer certificate

versus

SSL handshake has read 3573 bytes and written 400 bytes
Verification: OK

The non working has read one extra byte.

I don't have the knowledge if these differences are significant to cause the error.

There are differences regarding libraries between curl on the non-working machine versus the working machine; the left output below is the non-working one:

 /usr/bin/diff   <(ssh derbi "ldd /usr/bin/curl | sed 's/\(0x.*\)//g'") <(ldd /usr/bin/curl | sed 's/\(0x.*\)//g') -y | grep '|'
	libhogweed.so.5 => /lib/x86_64-linux-gnu/libhogweed.s |		libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.s
	libnettle.so.7 => /lib/x86_64-linux-gnu/libnettle.so. |		libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.
	libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (    |		libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (

On the other hand, using a statically linked curl does not work either:

./curl-amd64 -V 
curl 7.80.0 (x86_64-pc-linux-musl) libcurl/7.80.0 OpenSSL/1.1.1l zlib/1.2.11 libssh2/1.9.0 nghttp2/1.43.0
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

But it works on the working machine. Thus I'm ruling out the dynamic library and version differences as the root cause.

2 Likes

I just skimmed through this thread and I found something that caught my attention. It was this output from OpenSSL's verify algorithm:

This looks like your OpenSSL is using the R3 signed by DST Root CA X3 certificate for verification. This can't work, as that intermediate and its root are both expired.

However, the acme server is definitely not sending that intermediate, which is also confirmed by the Certificate chain output below (which prints the usual leaf -> R3 -> ISRG Root X1 chain).

So that leads me to the conclusion that your OpenSSL on that machine is not using the R3 intermediate sent by the server.

I believe this can happen if you have installed the R3-signed-by-DST-Root-CA-X3 intermediate certificate into the system trust store manually. If it's a recent OpenSSL that uses -trusted-first by default, certificates present in the trust store may override certificates sent by the server - causing the errors you're seeing.

You've said that you've pretty much wiped and reinstalled your system trust store, so that's a bit contradictory with what I've just said, but I would definitely recommend you to have a good look at what certificates are trusted by your OpenSSL.

4 Likes

Solved

Thank you Nummer378.
I would also like to thank rg305 and Osiris.

After a long journey I found the file that caused the problem. Just as Nummer378 pointed out, I had mistakenly added the intermediate certificate to the trust store, indirectly and manually.

Below I have written down the steps I used to track it down. It could probably be done in a more effective way, but I'm learning. For example, the man page for update-ca-certificates pointed out that files in the directory /usr/local/share/ca-certificates are included into ca-certificates.crt and a file link is created to those files.

So if you don't need to know the steps I took you can stop reading now.

I repeated the following:

```
cd /etc/ssl
rsync -av certs/ certs_bak
rm -rf certs
mkdir certs
nano /etc/ca-certificates.conf  # Removed the line !mozilla/DST_Root_CA_X3.crt
# Checked that the file /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt didn't exist
update-ca-certificates
curl -v https://acme-v02.api.letsencrypt.org/directory
....
curl: (60) SSL certificate problem: certificate has expired
...
openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
...
```

Same false result even after reboot. I also rechecked that openssl used /etc/ssl/certs/ca-certificates.crt etc. As I didn't have a copy of the expired DST Root CA X3 certificate (it probably could be extracted by openssl), I thought maybe it was stored under a different filename.

```
awk -v cmd='openssl x509 -noout -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | grep DST
```

Nothing.

Then I executed the above without the grep and was lucky: the last row was Letsencrypt ...X3. I did some mangling of the ca-certificates.crt, e.g. backed up the file, extracted the last certificate into a separate file, 'false.crt'. I also excluded the last cert from ca-certificates.crt.
Re-ran the curl and openssl commands, still false.

I then used grep to identify if there was another file in /etc/ssl/certs that contained the content of the false.crt.

```
cd /etc/ssl/certs
grep -R -F -f false.crt .
```

And it was: I found a link to another file and noted the filename. I removed the link, re-executed the curl and openssl commands and it worked.

I tracked down the file: I had created it in the beginning of the year as my CA, and it was included by the update-ca-certificates command even though it was not in the /etc/ca-certificates.conf file.

4 Likes
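The last step of that write-up, a CA file pulled into the bundle by update-ca-certificates without any ca-certificates.conf entry, is what this added example (not code from the thread) traces automatically: it maps every certificate in a ca-certificates.crt back to the file it came from under the update-ca-certificates rules stated in the comments, flags certificates trusted only through the implicit /usr/local/share/ca-certificates directory, and lists any certificate a stale bundle still carries that no enabled source provides. The directory layout, conf file and PEM blobs are constructed in a temporary directory; to audit a real host, pass the real bundle, /etc/ca-certificates.conf, /usr/share/ca-certificates and /usr/local/share/ca-certificates instead.

```python
# Rules assumed from update-ca-certificates(8): conf paths are relative to /usr/share/ca-certificates,
# '!' deselects, '#' comments, and every *.crt under /usr/local/share/ca-certificates is trusted implicitly.
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of the DER bytes of each certificate in a PEM file or bundle."""
    return [hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()
            for m in PEM_RE.finditer(pem_text)]

def enabled_sources(conf_path, share_dir, local_dir):
    """Files update-ca-certificates would include, tagged 'conf' or 'local' (implicit)."""
    sources = {}
    with open(conf_path) as fh:
        for line in fh:
            line = line.strip()
            if line and line[0] not in "#!":
                sources[os.path.join(share_dir, line)] = "conf"
    for root, _dirs, files in os.walk(local_dir):
        for name in files:
            if name.endswith(".crt"):
                sources[os.path.join(root, name)] = "local"
    return sources

def audit_bundle(bundle_path, conf_path, share_dir, local_dir):
    """Map each bundle cert to its source files; report implicit-only and unexplained ones."""
    origin = {}
    for path, mode in enabled_sources(conf_path, share_dir, local_dir).items():
        if os.path.isfile(path):
            with open(path) as fh:
                for fp in fingerprints(fh.read()):
                    origin.setdefault(fp, []).append((path, mode))
    with open(bundle_path) as fh:
        bundle = fingerprints(fh.read())
    report = {"implicit": [], "unexplained": []}
    for fp in bundle:
        srcs = origin.get(fp, [])
        if not srcs:  # stale bundle: no enabled source provides this cert
            report["unexplained"].append(fp)
        elif all(mode == "local" for _p, mode in srcs):
            report["implicit"].append((fp, [p for p, _m in srcs]))
    return report

def fake_pem(label):
    """Constructed stand-in for a certificate: valid base64, not a real X.509 blob."""
    body = base64.b64encode(("constructed-cert-" + label).encode() * 4).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def build_sample_layout():
    """Constructed temp layout: ISRG enabled, DST deselected but still in a stale bundle, private CA only in local dir."""
    tmp = tempfile.mkdtemp()
    share, local = os.path.join(tmp, "share"), os.path.join(tmp, "local")
    os.makedirs(os.path.join(share, "mozilla")); os.makedirs(local)
    files = {
        os.path.join(share, "mozilla", "ISRG_Root_X1.crt"): fake_pem("isrg"),
        os.path.join(share, "mozilla", "DST_Root_CA_X3.crt"): fake_pem("dst"),
        os.path.join(local, "my-private-ca.crt"): fake_pem("myca"),
        os.path.join(tmp, "ca-certificates.conf"): "# constructed\nmozilla/ISRG_Root_X1.crt\n!mozilla/DST_Root_CA_X3.crt\n",
        os.path.join(tmp, "ca-certificates.crt"): fake_pem("isrg") + fake_pem("myca") + fake_pem("dst"),
    }
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)
    return os.path.join(tmp, "ca-certificates.crt"), os.path.join(tmp, "ca-certificates.conf"), share, local
```

`audit_bundle(*build_sample_layout())` returns the private CA under "implicit" (its only source is the local dir) and the deselected DST cert under "unexplained".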

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.