Yes, rg305, it does.
If I comment out the line:
;cacert_file = /etc/ssl/certs/ca-certificates.crt
then when I enter:
curl -vsk https://admin:password@18.214.95.156:6984
I see a different response after this section:
- Rebuilt URL to: https://admin:MyPassword@18.214.95.156:6984/
- Hostname was NOT found in DNS cache
- Trying 18.214.95.156...
- Connected to 18.214.95.156 (18.214.95.156) port 6984 (#0)
- successfully set certificate verify locations:
- CAfile: none
CApath: /etc/ssl/certs
- SSLv3, TLS handshake, Client hello (1):
So right here, instead of:
- Unknown SSL protocol error in connection to 18.214.95.156:6984
- Closing connection 0
Execution continues:
- SSLv3, TLS handshake, Server hello (2):
- SSLv3, TLS handshake, CERT (11):
- SSLv3, TLS handshake, Server key exchange (12):
- SSLv3, TLS handshake, Server finished (14):
- SSLv3, TLS handshake, Client key exchange (16):
- SSLv3, TLS change cipher, Client hello (1):
- SSLv3, TLS handshake, Finished (20):
- SSLv3, TLS change cipher, Client hello (1):
- SSLv3, TLS handshake, Finished (20):
- SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
- Server certificate:
- subject: CN=ppcjsondata.com
- start date: 2018-12-27 17:44:01 GMT
- expire date: 2019-03-27 17:44:01 GMT
- issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
- SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
- Server auth using Basic with user 'admin'
> GET / HTTP/1.1
> Authorization: Basic YWRtaW46VUlWVnZsejZpMm1R
> User-Agent: curl/7.38.0
> Host: 18.214.95.156:6984
> Accept: */*
< HTTP/1.1 200 OK
< Cache-Control: must-revalidate
< Content-Length: 164
< Content-Type: application/json
< Date: Sat, 29 Dec 2018 17:35:03 GMT
- Server CouchDB/2.2.0 (Erlang OTP/20) is not blacklisted
< Server: CouchDB/2.2.0 (Erlang OTP/20)
< X-Couch-Request-ID: 936bbd2ed2
< X-CouchDB-Body-Time: 0
If I enter:
curl https://admin:password@18.214.95.156:6984
(without "-vsk") then I get:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
So I need the correct "local issuer certificate" (I created the "user's" certificate) and I point to it in my configuration file with this line:
[ssl]
cacert_file = /etc/ssl/certs/ca-certificates.crt
In that /etc/ssl/certs directory, one can see loads of .pem files. I don't think it matters what extension it has, ".pem" or ".crt".
See, when cacert_file is uncommented, the program uses a default procedure and goes into the "TLS handshake" stuff without success.
When I get the correct "local issuer certificate" I will see the same kind of output except it will succeed.
Maybe time to try COMODO. One can get a free certificate for two months. If it works, I am happy to pay and stop this drain of my time.
Just in case, although I don't think I made an error in certificate creation, here is what it showed:
bitnami@ip-172-31-31-100:~$ sudo lego --email="admin@ppcjsondata.com" --domains="ppcjsondata.com" --domains="www.ppcjsondata.com" --path="/etc/lego" run
2018/12/29 18:18:10 [INFO] [ppcjsondata.com, www.ppcjsondata.com] acme: Obtaining bundled SAN certificate
2018/12/29 18:18:10 [INFO] [ppcjsondata.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/cCBJe3v9SQc3T7KGTY2vt6xpbyp_IGzOV9ygw_ondYQ
2018/12/29 18:18:10 [INFO] [www.ppcjsondata.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/M5D0V55ZQDI8j-yU7iSFlW-NlgJoZqZgAW3kUSZ_06E
2018/12/29 18:18:10 [INFO] [ppcjsondata.com] acme: Authorization already valid; skipping challenge
2018/12/29 18:18:10 [INFO] [www.ppcjsondata.com] acme: Authorization already valid; skipping challenge
2018/12/29 18:18:10 [INFO] [ppcjsondata.com, www.ppcjsondata.com] acme: Validations succeeded; requesting certificates
2018/12/29 18:18:12 [INFO] [ppcjsondata.com] Server responded with a certificate.
Configured at AWS: both ppcjsondata.com and www.ppcjsondata.com.
Namecheap hosts the domain name, and the DNS entries from AWS were made correctly.
Tested: DNS Propagation Checker - Global DNS Testing Tool
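As an added example that is not part of the post or of CouchDB, here is a Go program that reproduces curl's two verification failure causes offline with a certificate chain it constructs itself (the CA name and all keys are made up; ppcjsondata.com and the IP address only reuse what the curl output above shows): a bundle that lacks the issuer gives the analogue of error 20, and the right bundle still fails when the name checked is the IP address rather than the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent with the parent's private key; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Outcome names why leaf fails to verify against roots for name, matching the two causes curl's message lists.
func Outcome(leaf *x509.Certificate, roots *x509.CertPool, name string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // curl: unable to get local issuer certificate (20)
		return "unknown issuer"
	case x509.HostnameError: // curl: the name might not match the domain name in the URL
		return "name mismatch"
	}
	return "other: " + err.Error()
}

// Run builds a constructed CA and a leaf for ppcjsondata.com (the CN curl printed) and verifies the leaf three ways.
func Run() (noIssuer, ipName, good string) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ppcjsondata.com"},
		DNSNames: []string{"ppcjsondata.com", "www.ppcjsondata.com"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}, ca, &leafKey.PublicKey, caKey)
	right := x509.NewCertPool() // a bundle holding the issuer; the empty pool below is one that lacks it (no system-root fallback)
	right.AddCert(ca)
	// Checks: bundle without the issuer; right bundle but the IP address the post's curl command uses; right bundle and name.
	return Outcome(leaf, x509.NewCertPool(), "ppcjsondata.com"), Outcome(leaf, right, "18.214.95.156"), Outcome(leaf, right, "ppcjsondata.com")
}
```

The middle check is the one `-k` hides: even with the Let's Encrypt chain trusted, a URL that names the IP will not match a certificate issued for ppcjsondata.com.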