awsl
November 27, 2021, 2:08pm
1
Hello,curl -kvslI https://ssl.othing.xyz sudo curl -kvslI https://ssl.othing.xyz --cacert /etc/ssl/certs/ca-certificates.crt
It produced this output:
* Trying 2606:50c0:8000::153:443...
* Connected to ssl.othing.xyz (2606:50c0:8000::153) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=ssl.othing.xyz
* start date: Nov 21 13:24:02 2021 GMT
* expire date: Feb 19 13:24:01 2022 GMT
* issuer: C=US; O=Let's Encrypt; CN=R3
*** SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.**
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x559ed0153800)
As you can see
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway
Why is it so?
My web server is (include version): github pages
curl 7.80.0 (x86_64-pc-linux-gnu) libcurl/7.80.0 OpenSSL/1.1.1l zlib/1.2.11 brotli/1.0.9 zstd/1.5.0 libidn2/2.3.2 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.46.0
Linux 5.14.21-2-MANJARO #1 SMP PREEMPT Sun Nov 21 22:43:47 UTC 2021 x86_64 GNU/Linux
rg305
November 27, 2021, 2:58pm
2
You might need to update ca-certificates
awsl
November 27, 2021, 3:09pm
3
$ trust list | grep "ISRG"
pkcs11:id=%79%B4%59%E6%7B%B6%E5%E4%01%73%80%08%88%C8%1A%58%F6%E9%9B%6E;type=cert
type: certificate
label: ISRG Root X1
trust: anchor
category: authority
ISRG appears to be on the trust list
rg305
November 27, 2021, 3:17pm
4
Let's confirm OpenSSL, with:
openssl version
echo | openssl s_client -connect ssl.othing.xyz:443 -servername ssl.othing.xyz | head
awsl
November 27, 2021, 3:26pm
6
My requirement is to build a ssl monitoring website , monitoring more than 700 domain names and show the invalid ones. If curl can't return the correct result, there will be problems with the monitoring page.
MikeMcQ
November 27, 2021, 3:38pm
7
You showed ISRG in your PKCS11 store but what about the other store you showed in your second curl example? What is result of this:
grep -E "ISRG Root|DST Root" /etc/ssl/certs/ca-certificates.crt
Should show at least one of these
rg305
November 27, 2021, 3:41pm
10
Well there seems to be a problem with your curl.
But your OpenSSL has no problem with that site.https://helloworld.letsencrypt.orghttps://acme-staging-v02.api.letsencrypt.org
The possibility still exists that it's NOT your curl:
Name: saveweb.github.io
Addresses: 2606:50c0:8002::153
2606:50c0:8003::153
2606:50c0:8000::153
2606:50c0:8001::153
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153
Aliases: ssl.othing.xyz
awsl
November 27, 2021, 4:01pm
11
$ grep -E "ISRG Root|DST Root" /etc/ssl/certs/ca-certificates.crt
awsl
November 27, 2021, 4:08pm
12
curl -kvslI https://helloworld.letsencrypt.org
Trying 52.9.173.94:443...
Connected to helloworld.letsencrypt.org (52.9.173.94) port 443 (#0 )
ALPN, offering h2
ALPN, offering http/1.1
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
ALPN, server accepted to use h2
Server certificate:
subject: CN=helloworld.letsencrypt.org
start date: Oct 27 15:00:22 2021 GMT
expire date: Jan 25 15:00:21 2022 GMT
issuer: C=US; O=Let's Encrypt; CN=R3
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
Using HTTP2, server supports multiplexing
Connection state changed (HTTP/2 confirmed)
Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
Using Stream ID: 1 (easy handle 0x55d781c76800)
Looks the same error.Not only is there a problem with let’s encrypt certificate.The same error occurs in other certs.
Server certificate:
subject: CN=*.lenciel.com
start date: Oct 25 09:41:36 2021 GMT
expire date: Nov 26 09:41:36 2022 GMT
issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
If it is really a problem with curl, where can I get help?
MikeMcQ
November 27, 2021, 4:31pm
13
Well, lenciel is not the best example as that site does not send intermediates. My openssl verify fails (as does my curl) and you can see that here too:https://decoder.link/sslchecker/lenciel.com/443
You could try something like digicert.com for a non-LE test
rg305
November 27, 2021, 8:26pm
14
Did this one return the same error?:
rg305
November 27, 2021, 8:28pm
15
What about?:trust list | grep "R3"
awsl
December 4, 2021, 11:37am
16
Thanks for your help. I just finished a week of high school studies, sorry for the late reply.
Yes, the same error :
curl -kvslI https://acme-staging-v02.api.letsencrypt.org
Trying 2606:4700:60:0:f41b:d4fe:4325:6026:443...
Connected to acme-staging-v02.api.letsencrypt.org (2606:4700:60:0:f41b:d4fe:4325:6026) port 443 (#0 )
ALPN, offering h2
ALPN, offering http/1.1
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (IN), TLS handshake, CERT verify (15):
TLSv1.3 (IN), TLS handshake, Finished (20):
TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.3 (OUT), TLS handshake, Finished (20):
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
ALPN, server accepted to use h2
Server certificate:
subject: CN=acme-staging-v02.api.letsencrypt.org
start date: Nov 29 03:20:57 2021 GMT
expire date: Feb 27 03:20:56 2022 GMT
issuer: C=US; O=Let's Encrypt; CN=R3
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
awsl
December 4, 2021, 11:37am
17
trust list | grep "R3"
label: GlobalSign Root CA - R3
label: GTS Root R3
rg305
December 4, 2021, 12:08pm
18
Please show:cat /etc/os-releaseecho | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
awsl
December 4, 2021, 12:13pm
19
NAME="Manjaro Linux"https://manjaro.org/ "https://wiki.manjaro.org/ "https://manjaro.org/ "https://bugs.manjaro.org/ "
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
DONE
rg305
December 4, 2021, 12:15pm
20
OpenSSL is good.
curl --cacert /etc/ssl/certs/ca-certificates.crt -vsI \
https://acme-v02.api.letsencrypt.org/
awsl
December 4, 2021, 12:18pm
21
curl --cacert /etc/ssl/certs/ca-certificates.crt -vsI \
https://acme-v02.api.letsencrypt.org/
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: Nov 29 09:56:06 2021 GMT
* expire date: Feb 27 09:56:05 2022 GMT
* subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55bcad290800)
> HEAD / HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.80.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
HTTP/2 200
< server: nginx
server: nginx
< date: Sat, 04 Dec 2021 12:16:53 GMT
date: Sat, 04 Dec 2021 12:16:53 GMT
< content-type: text/html
content-type: text/html
< content-length: 2174
content-length: 2174
< last-modified: Wed, 18 Aug 2021 16:35:58 GMT
last-modified: Wed, 18 Aug 2021 16:35:58 GMT
< etag: "611d36ee-87e"
etag: "611d36ee-87e"
< x-frame-options: DENY
x-frame-options: DENY
< strict-transport-security: max-age=604800
strict-transport-security: max-age=604800
<
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
rg305
December 4, 2021, 12:19pm
22
OK, so curl just doesn't know where to find the ca-cert file.