Note: using curl and openssl on a different machine
on the same subnet behind my router goes perfectly well:
curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1j zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.5/openssl/zlib nghttp2/1.43.0 librtmp/2.3
Release-Date: 2020-12-09
and
openssl s_client -connect acme-v02.api.letsencrypt.org:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
0 s:CN = acme-v01.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = acme-v01.api.letsencrypt.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3573 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 70797E5C8B10EC2095E331F34E8703BEB886B2E67CC4A5BD16B6194B113992A0
Session-ID-ctx:
Resumption PSK: 796DFBDEC8CC74609F5FD5AD7A4180F708B36EF2570B910CB60730B2FB5847C56FF5DCDE43E851E76A3ADFCA9D2DAD99
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - a7 40 2d 7a fa 5f 58 fa-ca 27 8d 60 ec ac 98 68 .@-z._X..'.`...h
0010 - b6 88 c9 6f 67 b9 84 ea-be 4f 69 17 42 11 d7 dd ...og....Oi.B...
Start Time: 1637087970
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6D304E23A18A1D69E34685FC78676098456E3EF5FC9C4D774FBDD70B30AC6197
Session-ID-ctx:
Resumption PSK: 03654CA02D60CF82D63A2B3BF6E1AA776175C4E93409EFA4D6007FB60435CE057BA50239DC506464FAB77F324E7FC590
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - b9 7a 0e 05 f5 84 25 de-db 84 fb d8 ee ec 06 93 .z....%.........
0010 - 14 06 c6 35 f8 21 05 d1-3e eb da a9 16 f0 ad f9 ...5.!..>.......
Start Time: 1637087970
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
At a quick glance I can see a couple of differences when comparing:
1. in the beginning:
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
versus
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
E.g. the first one, with the non-working curl, has the DST Root CA X3 cert,
which I believe is expired, compared to the second one that has
ISRG Root X1 as the first output from the openssl command.
2. after Server Temp Key:
SSL handshake has read 3574 bytes and written 400 bytes
Verification error: unable to get issuer certificate
versus
SSL handshake has read 3573 bytes and written 400 bytes
Verification: OK
The non-working one has read one extra byte.
I don't have the knowledge if these differences are significant to cause the error.
There are differences regarding libraries between curl on the non-working machine versus the working machine; the left output below is the non-working one:
/usr/bin/diff <(ssh derbi "ldd /usr/bin/curl | sed 's/\(0x.*\)//g'") <(ldd /usr/bin/curl | sed 's/\(0x.*\)//g') -y | grep '|'
libhogweed.so.5 => /lib/x86_64-linux-gnu/libhogweed.s | libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.s
libnettle.so.7 => /lib/x86_64-linux-gnu/libnettle.so. | libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.
libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 ( | libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (
On the other hand, using a statically linked curl does not work either:
./curl-amd64 -V
curl 7.80.0 (x86_64-pc-linux-musl) libcurl/7.80.0 OpenSSL/1.1.1l zlib/1.2.11 libssh2/1.9.0 nghttp2/1.43.0
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
But it works on the working machine. Thus I'm ruling out the dynamic library and version differences as the root cause.
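Added example, not code from the original post or from curl/OpenSSL: a small Python parser for the `depth=`, `verify error`, `issuer=`, `SSL handshake has read` and `Verification` lines of `openssl s_client` output. It reports how far up the chain OpenSSL managed to build a trusted path and which issuer it could not find, which is the comparison the post does by eye. The two transcripts inside it are constructed from the lines quoted above (they are not complete captures), and the error-number constant is OpenSSL's `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT`.

```python
"""Parse the verification lines of `openssl s_client -showcerts` output.
Added example (not from the original post): reports how far up the chain OpenSSL
got and which issuer it could not find.  Both transcripts below are constructed
from the post's quoted lines, not complete captures."""
import re
from dataclasses import dataclass, field

FAILING_TRANSCRIPT = """\
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
Server certificate
issuer=C = US, O = Let's Encrypt, CN = R3
SSL handshake has read 3574 bytes and written 400 bytes
Verification error: unable to get issuer certificate
"""

WORKING_TRANSCRIPT = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
SSL handshake has read 3573 bytes and written 400 bytes
Verification: OK
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
ISSUER_RE = re.compile(r"^issuer= ?(.*)$")
HANDSHAKE_RE = re.compile(r"^SSL handshake has read (\d+) bytes")
CN_RE = re.compile(r"CN = ([^,]+)")
ERR_UNABLE_TO_GET_ISSUER_CERT = 2   # OpenSSL X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT

def cn_of(dn):
    # CN attribute of an OpenSSL one-line DN (whole DN if it has no CN)
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()

@dataclass
class ChainReport:
    subjects: dict = field(default_factory=dict)  # depth -> subject DN
    errors: list = field(default_factory=list)    # one dict per "verify error" line
    verification: str = ""                        # text after "Verification:" / "Verification error:"
    bytes_read: int = 0

    def is_trusted(self):
        return self.verification == "OK" and not self.errors

    def top_depth(self):
        return max(self.subjects) if self.subjects else None

    def top_cn(self):
        return cn_of(self.subjects[self.top_depth()]) if self.subjects else None

    def missing_issuers(self):
        return [cn_of(e["issuer"]) for e in self.errors
                if e["num"] == ERR_UNABLE_TO_GET_ISSUER_CERT and e["issuer"]]

def parse_s_client(text):
    report, depth = ChainReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))
            report.subjects[depth] = m.group(2)
        elif m := VERIFY_ERR_RE.match(line):
            report.errors.append({"depth": depth, "num": int(m.group(1)),
                                  "msg": m.group(2), "issuer": None})
        elif (m := ISSUER_RE.match(line)) and report.errors and report.errors[-1]["issuer"] is None:
            # the issuer= line right after a verify error names the cert OpenSSL looked for;
            # the later "Server certificate" issuer line is ignored because the error already has one
            report.errors[-1]["issuer"] = m.group(1)
        elif m := HANDSHAKE_RE.match(line):
            report.bytes_read = int(m.group(1))
        elif line.startswith(("Verification:", "Verification error:")):
            report.verification = line.split(":", 1)[1].strip()
    return report

def diagnose(report):
    # one-line verdict: where the path stopped and which issuer was missing
    if report.is_trusted():
        return f"OK: chain verified up to '{report.top_cn()}' (depth {report.top_depth()})"
    missing = report.missing_issuers()
    if missing:
        return (f"FAIL: no trusted certificate for issuer '{missing[0]}' of the depth-{report.top_depth()} "
                f"certificate '{report.top_cn()}'; the CA bundle this client loads has no usable copy of it")
    return f"FAIL: {report.verification or 'no Verification line found'}"

if __name__ == "__main__":
    for label, text in (("non-working", FAILING_TRANSCRIPT), ("working", WORKING_TRANSCRIPT)):
        print(f"{label}: {diagnose(parse_s_client(text))}")
```

Run it against a saved `openssl s_client ... 2>&1 | tee out.txt` capture from each machine by passing the file contents to `parse_s_client`; the verdict for the non-working transcript names DST Root CA X3 as the issuer the client could not find at depth 1, while the working one reports a path that ends at ISRG Root X1 at depth 2. Error number 2 means the issuer certificate was not found in the trust store at all (an expired-but-present root would be reported under a different number), so the next thing to inspect is which CA bundle that curl/OpenSSL build actually loads.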