My domain is:
I ran this command: /shared/scripts/dehydrated --register --accept-terms
It produced this output:
INFO: Using main config file /etc/dehydrated/config
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 60)
My web server is (include version):
The operating system my web server runs on is (include version): BIG-IP 14.1.4 Build 0.0.11
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Hi @mike.walls
looks like the installed curl is too old.
What says
curl -V
curl -v https://acme-v02.api.letsencrypt.org/directory
Version and verbose
curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2s zlib/1.2.7 libidn/1.28 libssh2/1.4.3 nghttp2/1.31.1
Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0 )
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS alert, Server hello (2):
SSL certificate problem: unable to get local issuer certificate
Closing connection 0curl - SSL CA Certificates
curl performs SSL certificate verification by default, using a "bundle"
With the "-k" option:
Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0 )
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS change cipher, Client hello (1):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use h2
Server certificate:
subject: CN=acme-v01.api.letsencrypt.org
start date: Apr 6 22:20:42 2021 GMT
expire date: Jul 5 22:20:42 2021 GMT
issuer: C=US; O=Let's Encrypt; CN=R3
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
Using HTTP2, server supports multi-use
Connection state changed (HTTP/2 confirmed)
TCP_NODELAY set
Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
Using Stream ID: 1 (easy handle 0x12a7190)
GET /directory HTTP/1.1acme-v02.api.letsencrypt.org /
Connection state changed (MAX_CONCURRENT_STREAMS updated)!Adding random entries to the directory ",https://acme-v02.api.letsencrypt.org/acme/key-change ",letsencrypt.org "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf ",https://letsencrypt.org "https://acme-v02.api.letsencrypt.org/acme/new-acct ",https://acme-v02.api.letsencrypt.org/acme/new-nonce ",https://acme-v02.api.letsencrypt.org/acme/new-order ",https://acme-v02.api.letsencrypt.org/acme/revoke-cert "
Connection #0 to host acme-v02.api.letsencrypt.org left intact
mike.walls:
curl 7.47.1
That's very old:
https://curl.se/docs/vuln-7.47.1.html
curl version 7.47.1 was released on February 8 2016
So your curl doesn't know the ISRG root - Chain of Trust - Let's Encrypt
Check, if you can add that certificate local. Or if you can install a newer version.
1 Like
Osiris
April 7, 2021, 5:55pm
5
acme-v02.api.letsencrypt.org chains up to DST Root CA X3 and not the ISRG root?
In addition, it looks like it's just using some system cert store /etc/pki/tls/certs/ca-bundle.crt which I would assume has the DST Root in it. But it does seem that maybe it doesn't?
Osiris
April 7, 2021, 6:01pm
7
Most likely the certificate store mentioned in your post @petercooperjr requires updating.
However, I've never heard of the operating system called "BIG-IP". So no idea how.
1 Like
F5 BIG-IP Local Traffic Manager (LTM) is a load balancer.
Osiris:
and not the ISRG root?
Yes, my FireFox shows the ISRG root.
Osiris
April 7, 2021, 6:16pm
10
You can't trust browsers showing you the chain provided of the webserver. acme-v02.api.letsencrypt.org serves the cross-signed R3 certificate as intermediate, so any root certificate store containing DST Root CA X3 will do just fine. The fact a browser can cache the R3 signed by ISRG Root X1 is a whole different story.
openssl s_client -connect acme-v02.api.letsencrypt.org:443 shows the server is sending the intermediate-signed-by-DST-Root.
Certificate chain
0 s:CN = acme-v01.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
I think it might be worthwhile to see if the curl also complains when trying other CAs.
curl -v https://www.identrustssl.com/
curl -v https://valid-isrgrootx1.letsencrypt.org/
curl -v https://comodorsacertificationauthority-ev.comodoca.com/
[Side note, I was trying to find the official test site for the DST Root X3 cert, which I think is the www.identrustssl.com URL based on CCADB and IdenTrust , but when testing with OpenSSL it doesn't look like it actually chains up to that? So I may be misunderstanding something about how these test sites are supposed to work.]
But regardless, the question is whether /etc/pki/tls/certs/ca-bundle.crt on your system has something reasonable in it. Can you see the date and size of that file? I don't know if there's an easy command to check if a specific cert is in it, but an ls of it might tell us… something.
ls -l /etc/pki/tls/certs/ca-bundle.crt
schoen
April 7, 2021, 7:46pm
12
@petercooperjr maybe something like
cat /etc/pki/tls/certs/ca-bundle.crt | while true; do while read a; do echo $a; if echo $a | fgrep -q "END CERTIFICATE"; then break; fi; done | openssl x509 -text -noout || break; done | grep Subject:
Yeah, something like that looks like it'd work. I could probably figure it out, but I couldn't rattle it off from the top of my head.
So I updated the ca-bundle.crt and resolved the "curl: (60) SSL certificate problem: unable to get local issuer certificate" issue. Now I'm left with:
Generating account key...
Registering account key with ACME server...
Details:https://acme-v02.api.letsencrypt.org/directory ;rel="index"
{
Error registering account key. See message above for more information.
That shouldn't happen. Same question: How old is your dehydrated?
Dehydrated version: 0.6.5
I made the following update to dehydrated, CURL_OPTS="--http1.1", which seems to have resolved the issue.
system
May 7, 2021, 9:44pm
18
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
