Problem connecting to server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fensoft.co.uk

I ran this command: curl -v https://acme-staging-v02.api.letsencrypt.org/directory
(The curl version is 8.4.0)

It produced this output:

    * Trying 172.65.46.172:443...
    * Connected to acme-staging-v02.api.letsencrypt.org (172.65.46.172) port 443
    * ALPN: curl offers http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * CAfile: none
    * CApath: /etc/ssl/certs
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS alert, unexpected_message (522):
    * TLSv1.2 (OUT), TLS alert, close notify (256):
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: curl - SSL CA Certificates

My web server is (include version): apache 2.4.20

The operating system my web server runs on is (include version): Slackware Linux 14.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

It looks like your system trust store doesn't include ISRG Root X1, the root that all of Let's Encrypt's certificates (including those we issue to ourselves for our own API servers) chain up to.

Slackware 14.2 is from 2016, and ships with both a very old certificate trust store, and an old and unsafe version of openssl. I would advise updating to Slackware 15.0. If you can't do that, it should be safe to install the -current version of the ca-certificates package.

5 Likes

Or some kind of untrusted MachineInTheMiddle is trying to hijack the connection, e.g. anti-virus on the device itself or a firewall doing deep packet inspection on HTTPS somewhere on the premises, ISP or on a government level.

Knowing which certificate is unrecognised by cURL would help to distinguish what's what.

2 Likes

What shows?:
openssl s_client -connect acme-staging-v02.api.letsencrypt.org:443 | head -n 20

4 Likes
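
One way to triage the chain that `openssl s_client` prints, to tell the two explanations in the replies apart (an outdated local trust store versus an intercepting device). This is an added example, not code from the thread; the function names and both sample outputs are constructed, and a matching issuer name is only a hint because names can be copied.

```shell
#!/bin/sh
# Added example: triage `openssl s_client` output read from stdin.
EXPECTED_ROOT="ISRG Root X1"   # root named in the first reply

# Emit "s <CN>" / "i <CN>" for each subject/issuer in the "Certificate chain"
# section. Handles "CN = X" (OpenSSL 1.1+) and "/CN=X" (OpenSSL 1.0.x).
chain_names() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^[ 0-9]*[si]:/ {
            kind = ($0 ~ /^[ 0-9]*s:/) ? "s" : "i"
            cn = $0
            if (cn !~ /CN ?= ?/) next
            sub(/.*CN ?= ?/, "", cn)   # keep text after the last CN=
            sub("[,/].*", "", cn)      # drop any RDNs that follow it
            print kind, cn
        }'
}

# Name match is only a hint (names can be copied); it tells you which
# certificate to inspect next, not that the chain is genuine.
triage_chain() {
    names=$(chain_names)
    [ -n "$names" ] || { echo "no-chain"; return 0; }
    if printf '%s\n' "$names" | grep -qxF -e "s $EXPECTED_ROOT" -e "i $EXPECTED_ROOT"; then
        echo "chains-to-expected-root"    # look at the local trust store
    else
        top=$(printf '%s\n' "$names" | sed -n 's/^i //p' | tail -n 1)
        echo "unexpected-issuer: $top"    # something else signed this chain
    fi
}

# Constructed sample outputs (not captured from the thread).
SAMPLE_LE='---
Certificate chain
 0 s:/CN=acme-staging-v02.api.letsencrypt.org
   i:/C=US/O=Constructed Org/CN=Constructed Intermediate
 1 s:/C=US/O=Constructed Org/CN=Constructed Intermediate
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---'
SAMPLE_PROXY='---
Certificate chain
 0 s:CN = acme-staging-v02.api.letsencrypt.org
   i:O = Constructed Corp, CN = Constructed Inspection CA
---'
```

To use it on a live connection, pipe the output in: `openssl s_client -connect acme-staging-v02.api.letsencrypt.org:443 </dev/null 2>/dev/null | triage_chain`.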
