SSL working for newest Chrome but not curl or wget

#1

As far as I can tell the /etc/ssl/certs/DST_Root_CA_X3.pem and /etc/ssl/certs/ca-certificates.crt files on my Debian Stretch system match what Chrome is using (serial #44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) to successfully verify https://docs.raineyelectronics.com.

Is this a case of Chrome being “ahead” of the updates on my Debian system in some other respect, or of wget/curl being more stringent about what they’re checking? I did run update-ca-certificates.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: docs.raineyelectronics.com

I ran this command: openssl s_client -connect docs.raineyelectronics.com:443

It produced this output:
CONNECTED(00000003)
depth=0 CN = docs.raineyelectronics.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = docs.raineyelectronics.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/CN=docs.raineyelectronics.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Server certificate
subject=/CN=docs.raineyelectronics.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 2078 bytes and written 302 bytes
Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 07BDA551C3072FC5AF5EFBE32B1F7977FB1366C1DF34FF4931C022354AD9540F
Session-ID-ctx:
Master-Key: 5CBD08BFFAC54849A946819F46B4993AA5327DDD090F8C7DC07E1D5A3DC44462ACC0B4772BBEEDB974C8DCF53CC2B479
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1557935127
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no

My web server is (include version): nodejs

The operating system my web server runs on is (include version): node-v6.11.3

My hosting provider, if applicable, is: rackspace.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

#2

Hi @doif

Checking your domain, your chain is incomplete ( https://check-your-website.server-daten.de/?q=docs.raineyelectronics.com ):

Your certificate is ok:

    24.03.2019    22.06.2019    expires in 38 days    docs.raineyelectronics.com - 1 entry

But your chain doesn’t send the intermediate certificate:

    Chain - incomplete
    1    CN=docs.raineyelectronics.com

That should look like

    Chain (complete)
    1    CN=*.server-daten.de
    2    CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

You should have three files - cert, key, fullchain. Perhaps use fullchain instead of cert. Fullchain should include both certificates - your certificate and the intermediate certificate. Open it with an editor, then you should see that.

2 Likes
#3

Thank you Juergen! I am now researching our nodejs https setup to see where the chain.pem fits in.

#4

Ok it’s good to go! The only change was from cert.pem to fullchain.pem as you suggested.

I guess now the thing that is a bit weird for me is why wasn’t Chrome checking that, and how much does it matter?

2 Likes
#5

Happy to read that it worked.

Chrome knows the intermediate certificate, same with Firefox. But there are some other devices (older Apple). Then it’s sometimes a problem if the intermediate certificate is missing.