Downloading certbot-auto Unable to locally verify the issuer's authority


#1

wget https://dl.eff.org/certbot-auto
--2016-11-22 11:20:58--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org... 173.239.79.196
Connecting to dl.eff.org|173.239.79.196|:443... connected.
ERROR: cannot verify dl.eff.org's certificate, issued by `/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3': Unable to locally verify the issuer's authority. To connect to dl.eff.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.


#2

@Niamh What operating system are you running that wget from?


#3

CentOS5 64 bit

Niamh


#4

I believe you might need to add --ca-certificate /etc/pki/tls/certs/ca-bundle.crt to your wget command. I don’t have a CentOS 5 machine to confirm with.

It’s also possible the CA bundle on that machine is too old and missing entries. CentOS 5 is quite old!!


#5

Download https://www.identrust.com/certificates/trustid/root-download-x3.html using a modern system and import that root cert into your ancient system or better yet, use the “ISRG Root X1” from https://letsencrypt.org/certificates/


#6

Venerable CentOS 5 may be, but it doesn’t go EOL until next year :slight_smile:


#7

This bundle seems to solve the problem:
https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt


#8

If that is a legit bundle. I would use an official browser and download from letsencrypt.org.


#9

Ah, but I couldn't download from letsencrypt:

wget https://letsencrypt.org/certs/isrgrootx1.pem
--2016-11-22 19:08:33--  https://letsencrypt.org/certs/isrgrootx1.pem
Resolving letsencrypt.org... 104.82.96.203, 2a02:26f0:c2:282::2a1f, 2a02:26f0:c2:2a1::2a1f
Connecting to letsencrypt.org|104.82.96.203|:443... connected.
ERROR: cannot verify letsencrypt.org's certificate, issued by `/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52': Unable to locally verify the issuer's authority. To connect to letsencrypt.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.


#10

You don't have to download directly to your CentOS 5 server - you can always download it from letsencrypt.org to your PC, then upload it to your server.


#11

I tried:
vi isrgrootx1.pem
(insert the certificate and save)

cat isrgrootx1.pem >> /etc/pki/tls/certs/ca-bundle.crt
[root@nitrogen tmp]# wget https://dl.eff.org/certbot-auto
--2016-11-22 19:23:26--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org... 173.239.79.196
Connecting to dl.eff.org|173.239.79.196|:443... connected.
ERROR: cannot verify dl.eff.org's certificate, issued by `/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3': Unable to locally verify the issuer's authority. To connect to dl.eff.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection


#12

I bet this old wget can’t download the intermediate automatically. Does it work if you also add the “Let’s Encrypt Authority X3”?


#13

Ah well, I was told "better yet, use the 'ISRG Root X1'" :slight_smile:

As mentioned, adding that to ca-bundle.crt didn't work...

Can't really try the X3 now as I have a ca-bundle.crt that does let me do the download.


#14

No, you were told to try two different roots. Your software from the bronze age apparently has some problem with intermediate certificates, which you also need, otherwise it would work. The server properly sends the intermediate so every sane software works already if it just knows one of the roots. Yours doesn’t.

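An added example, not from the thread or any of its posters, that reproduces the situation #12 and #14 are arguing about with a throwaway chain built by openssl: the same leaf certificate validates when the client trusts the root and uses the intermediate the server sends, fails when only the root is available to the path builder, and validates again once the intermediate is appended to the bundle, which is the workaround the thread converged on. It assumes the openssl command-line tool is installed; the organisation names, host name, keys and certificates are all constructed on the fly and merely stand in for ISRG Root X1, Let's Encrypt Authority X3 and dl.eff.org.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain with openssl, then run the path validation a TLS client performs in the
# three situations the thread describes. All names and keys are constructed here.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

gen_chain() {
  # Self-signed root: plays the role of "ISRG Root X1" in the thread.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
    -subj "/O=Example Trust/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate signed by the root: plays the role of "Let's Encrypt Authority X3".
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/O=Example Trust/CN=Example Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -set_serial 2 -in "$WORK/inter.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate, as dl.eff.org's is.
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=dl.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -set_serial 3 -in "$WORK/leaf.csr" \
    -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -extfile "$WORK/ca.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null
}

# Validate the leaf against a trust bundle; $2 is an optional file of untrusted
# certificates the server presented. Prints OK or FAIL so results can be tested.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# 1. Client trusts the root and uses the server-sent intermediate: the normal case.
modern_client() { verify_leaf "$WORK/root.pem" "$WORK/inter.pem"; }

# 2. Client trusts the root but the intermediate never reaches its path builder:
#    the failure mode post #12 suspects for the old wget.
client_root_only() { verify_leaf "$WORK/root.pem"; }

# 3. Workaround from the thread: root and intermediate both sit in the bundle.
client_with_patched_bundle() {
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/ca-bundle.crt"
  verify_leaf "$WORK/ca-bundle.crt"
}

# Count PEM certificates in a bundle: a quick sanity check after a `cat >>`.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

gen_chain
echo "root trusted, server-sent intermediate used: $(modern_client)"
echo "root trusted, no intermediate available:     $(client_root_only)"
echo "root and intermediate both in bundle:        $(client_with_patched_bundle)"
echo "certificates in patched bundle:              $(count_certs "$WORK/ca-bundle.crt")"
```

On the CentOS 5 box the third case corresponds to appending the intermediate as well as the root with the `cat ... >> /etc/pki/tls/certs/ca-bundle.crt` from #11 and pointing wget at that file with `--ca-certificate` as in #4 (curl's equivalent option is `--cacert`). `count_certs` is the check that the PEM block pasted in with vi actually landed in the bundle before blaming the client.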

#15

I shall repeat.

CentOS 5 doesn't go End of Life till next year.


#16

I think you are the only person who has said end of life (twice now); no-one else has.


#17

Quite, CentOS 5 is not out-of-date software.

And yes, two roots were suggested, but one was declared "better".


#18

I have a CentOS 5 server amongst many others; I'm not sure what the point of the discussion about end of life is, though.

It's not end of life; however, there are certain modern things it doesn't support. One of the packages that doesn't support all the modern features is wget. curl works better for me on that box, as the features are a little more up to date.

Equally, you may be better off using one of the alternate clients (rather than certbot) with fewer dependencies, which I find work better on older servers.


#19

Well this is the first issue I’ve hit with wget, and it was solved as per an earlier post.

As to an alternate client, well, that might be required; however, having now got the recommended client I'll try that first, and if it doesn't work ask for a recommendation of an alternative.


#20

Right…

CentOS 5 comes with Python v2.4, and whilst I can install v2.6 alongside it from the EPEL repo, I can't see how to get certbot-auto to use that version, so unless there's a way then I need to try a plan B.