Why is my certificate still in pending state

My domain is: tholeb.fr (rasp.tholeb.fr)

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04 x64 LTS
Linux raspberry 5.15.0-1032-raspi #35-Ubuntu SMP PREEMPT Wed Jun 7 16:00:54 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

My hosting provider, if applicable, is: home network

My DNS provider, if applicable, is: OVH

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't use certbot


I want to generate an SSL certificate with Ansible, but the certificate is still in pending status (https://acme-v02.api.letsencrypt.org/acme/order/1170912057/190407197297). Is it normal for it to take that long? It's been at least an hour since I generated the CSR and validated the certificate. How can certbot generate a valid certificate in seconds while I have to wait for mine to become valid?

I use Ansible to generate everything I need (keys, CSR, ...).

Here are the variables I use:

---
account_key_path: /etc/ssl/private/account.key
key_path: /etc/ssl/private/rasp.tholeb.fr.key

crt_path: /etc/ssl/certs/rasp.tholeb.fr.crt
crt_fullchain_path: /etc/ssl/certs/rasp.tholeb.fr-fullchain.crt

csr_path: /etc/ssl/certs/rasp.tholeb.fr.csr

acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_challenge_type: dns-01
acme_version: 2
acme_email: contact@tholeb.fr

zone: tholeb.fr
subdomain: rasp

Here is my playbook:

---
# Account key: identifies the ACME account, distinct from the server's TLS key
- name: Generate Let's Encrypt account key
  community.crypto.openssl_privatekey:
      path: "{{ account_key_path }}"

- name: Create private key (RSA, 4096 bits)
  community.crypto.openssl_privatekey:
      path: "{{ key_path }}"

# Both names are needed: "*.rasp.tholeb.fr" does not cover "rasp.tholeb.fr" itself
- name: Generate an OpenSSL Certificate Signing Request
  community.crypto.openssl_csr:
      path: "{{ csr_path }}"
      privatekey_path: "{{ key_path }}"
      common_name: "*.{{ subdomain }}.{{ zone }}"
      subject_alt_name:
          - "DNS:*.{{ subdomain }}.{{ zone }}"
          - "DNS:{{ subdomain }}.{{ zone }}"

- name: Make sure account exists and has given contacts. We agree to TOS.
  community.crypto.acme_account:
      account_key_src: "{{ account_key_path }}"
      acme_directory: "{{ acme_directory }}"
      acme_version: "{{ acme_version }}"
      state: present
      terms_agreed: true
      contact:
          - mailto:contact@tholeb.fr

# First acme_certificate call: creates the order and returns, per identifier,
# the dns-01 record name and value in challenge_data (empty when the current
# certificate is still valid for more than remaining_days)
- name: Create a challenge using an account key file.
  community.crypto.acme_certificate:
      account_key_src: "{{ account_key_path }}"
      account_email: "{{ acme_email }}"
      csr: "{{ csr_path }}"
      dest: "{{ crt_path }}"
      fullchain_dest: "{{ crt_fullchain_path }}"
      challenge: dns-01
      acme_directory: "{{ acme_directory }}"
      acme_version: 2
      terms_agreed: true
      remaining_days: 60
  register: challenge

- name: Certificate does not exist or needs to be renewed
  when: challenge["challenge_data"] is defined and (challenge["challenge_data"] | length > 0)
  block:
      - name: Set challenge data
        ansible.builtin.set_fact:
            challenge: "{{ challenge }}"

      - name: Upload OVH credentials
        ansible.builtin.template:
            src: ovh.conf.j2
            dest: /root/.ovh.conf
            owner: root
            group: root
            mode: "0600"

      # One TXT record per identifier: the wildcard and the bare name share the
      # record name _acme-challenge.rasp.tholeb.fr but carry different values,
      # so both TXT records must exist before validation is requested
      - name: Create DNS challenge record on OVH
        ansible.builtin.script:
            cmd: "dns.py create tholeb.fr TXT -t '{{ item.value['dns-01'].resource_value }}' -s '{{ item.value['dns-01'].resource }}.{{ subdomain }}'"
        args:
            executable: python3
            chdir: /root
        with_dict: "{{ challenge['challenge_data'] }}"

      # Second call, with data: asks the CA to validate and writes the leaf and
      # full chain. Nothing here waits for the TXT records to become visible
      - name: Let the challenge be validated and retrieve the cert and intermediate certificate
        community.crypto.acme_certificate:
            account_key_src: "{{ account_key_path }}"
            account_email: "{{ acme_email }}"
            csr: "{{ csr_path }}"  # "src" is the alias of "csr"; same parameter
            dest: "{{ crt_path }}"
            fullchain_dest: "{{ crt_fullchain_path }}"
            challenge: dns-01
            acme_directory: "{{ acme_directory }}"
            acme_version: 2
            terms_agreed: true
            remaining_days: 60
            data: "{{ challenge }}"

- name: Get certificate information
  community.crypto.x509_certificate_info:
      path: "{{ crt_path }}"

- name: Get CSR information
  community.crypto.openssl_csr_info:
      path: "{{ csr_path }}"

- name: Get private key information
  community.crypto.openssl_privatekey_info:
      path: "{{ key_path }}"

To generate the TXT record at my DNS provider, I wrote a simple Python script using the python-ovh package.

I see your authorization is pending, but I don't see a TXT record. The best way to check is to use https://unboundtest.com for _acme-challenge.tholeb.fr and the rasp subdomain.

I'm not sure how long a DNS challenge could possibly stay pending. So, there may be something else happening that a more skilled volunteer will see. Or maybe someone in the Ansible community, as we don't see that client here often.

Still, the first thing I'd check is your method of creating the TXT record. If the Let's Encrypt servers see an invalid TXT record, they fail right away.

5 Likes
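The two posts above turn on what a dns-01 TXT record must contain and where it must live. The following is an added example written for this page (Python; it is not the poster's dns.py and not part of community.crypto): it re-derives the values that acme_certificate reports in challenge_data, following RFC 8555 section 8.4 (TXT value) and RFC 7638 (account key thumbprint), works out the record name relative to the zone the way a provider API expects it, and compares the planned records against what a resolver actually returns before validation is requested. It generalizes the poster's resource + subdomain string to any record inside the zone. The JWK, token and challenge_data are constructed sample values, not real key material.

```python
"""Derive and pre-check dns-01 TXT records for an ACME order.

Added example for this thread (not the poster's dns.py, not community.crypto).
Follows RFC 8555 section 8.4 and RFC 7638. All sample data below is constructed.
"""
from __future__ import annotations

import base64
import hashlib
import json

ZONE = "tholeb.fr"

# Constructed sample account key (public RSA members only; not a real key)
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}

# Constructed sample of what acme_certificate returns for the CSR in this thread:
# wildcard and bare name share one record name but need two different values
SAMPLE_CHALLENGE_DATA = {
    "*.rasp.tholeb.fr": {"dns-01": {
        "resource": "_acme-challenge",
        "record": "_acme-challenge.rasp.tholeb.fr",
        "resource_value": "VALUE-FOR-WILDCARD"}},
    "rasp.tholeb.fr": {"dns-01": {
        "resource": "_acme-challenge",
        "record": "_acme-challenge.rasp.tholeb.fr",
        "resource_value": "VALUE-FOR-BARE-NAME"}},
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_name(identifier: str) -> str:
    """A wildcard is validated at its parent name, so '*.rasp.tholeb.fr' and
    'rasp.tholeb.fr' both use _acme-challenge.rasp.tholeb.fr."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def relative_name(record: str, zone: str) -> str:
    """Record name relative to the zone, the form most provider APIs expect."""
    if record == zone:
        return ""
    suffix = "." + zone
    if not record.endswith(suffix):
        raise ValueError(f"{record} is not inside zone {zone}")
    return record[: -len(suffix)]


def plan_records(challenge_data: dict, zone: str) -> dict[str, set[str]]:
    """Group the TXT values to publish by relative record name."""
    plan: dict[str, set[str]] = {}
    for challenges in challenge_data.values():
        dns = challenges["dns-01"]
        plan.setdefault(relative_name(dns["record"], zone), set()).add(dns["resource_value"])
    return plan


def verify_observed(plan: dict[str, set[str]], observed: dict[str, set[str]]) -> dict[str, set[str]]:
    """Values still missing from what a resolver returned; empty means safe to validate."""
    missing = {}
    for name, values in plan.items():
        gap = values - observed.get(name, set())
        if gap:
            missing[name] = gap
    return missing


if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    print("TXT value for constructed token:", dns01_txt_value("sample-token", thumb))
    plan = plan_records(SAMPLE_CHALLENGE_DATA, ZONE)
    print("records to publish in", ZONE, plan)
    # Pretend the resolver only saw one of the two values, as happens when the
    # loop publishing records overwrote instead of adding
    print("missing:", verify_observed(plan, {"_acme-challenge.rasp": {"VALUE-FOR-WILDCARD"}}))
```

The observed set for verify_observed comes from a real lookup (`dig +short TXT _acme-challenge.rasp.tholeb.fr`, or the unboundtest page suggested above); running it between the record-creation step and the second acme_certificate call catches the situation in this thread, where a TXT record exists but with the wrong value and the CA fails the authorization immediately.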

Thank you for your answer. It seems that my problem came from the TXT records, which were not created with the proper value. Now, for some reason, when I go to my website, Google Chrome asks me to accept a certificate that comes from my IAP.

That's really weird, because my nginx config has the proper certificate:

ssl_certificate     /etc/ssl/certs/rasp.tholeb.fr-fullchain.crt;
ssl_certificate_key /etc/ssl/private/rasp.tholeb.fr.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers         HIGH:!aNULL:!MD5;

Another weird thing: when I look at the order, it says "expires": "2023-06-30T12:59:04Z". What expires at this date? The order or the certificate?

1 Like

Should I be able to see your domains from the public internet?

Because right now rasp has port 443 blocked and the root domain isn't accepting HTTPS requests. Both domains point to different IPs. Is that intentional?

The certs expire after 90 days.

1 Like

No, it's a local website, and the root domain points to a GitHub website. It's indeed intentional.

After some digging, it seems that my IAP changes the cert, because when I run this command
openssl s_client -showcerts -connect localhost:443

I get this, which is my certificate:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.rasp.tholeb.fr
verify return:1
---
Certificate chain
 0 s:CN = *.rasp.tholeb.fr
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 23 11:59:49 2023 GMT; NotAfter: Sep 21 11:59:48 2023 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.rasp.tholeb.fr
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5047 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2EB1FA00B0625FADC09828198B1937B541B7C2F3F6C65EDF12434CD586663D9C
    Session-ID-ctx:
    Resumption PSK: AE5A133C15279DC53F9748AF004D0B1552216E1D2014A74DD6FE9C9D61BB26B34207B2F459B3881F5958E0B870721AD6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1d a6 15 dc 7d 70 87 6a-97 57 b6 bd 50 44 ad 9f   ....}p.j.W..PD..
    0010 - 69 3c 74 56 c3 fa a1 64-4c c1 85 ac bb 75 06 ca   i<tV...dL....u..
    0020 - e5 c4 d5 fc 04 04 e6 0b-04 01 f2 e5 56 df e5 9f   ............V...
    0030 - c6 f0 98 fb 54 03 fa 71-e2 91 76 50 7d 58 60 5f   ....T..q..vP}X`_
    0040 - 70 9d b0 52 42 3b 36 ec-d8 f9 3e c7 68 69 5c 8d   p..RB;6...>.hi\.
    0050 - e0 36 4a 24 d5 07 e2 d8-18 d2 e7 27 32 79 72 5e   .6J$.......'2yr^
    0060 - 7d 88 b2 cb 05 c9 09 32-70 e4 ff b4 12 dc 38 2d   }......2p.....8-
    0070 - 85 a2 65 0e 81 3d 00 10-f5 93 10 ef b3 3e 97 0a   ..e..=.......>..
    0080 - 45 00 22 77 11 a6 bf a4-56 66 a9 46 af ad 4e 7a   E."w....Vf.F..Nz
    0090 - 45 0d 78 78 b6 03 1f 04-f7 62 f5 65 da ab b8 02   E.xx.....b.e....
    00a0 - 6c 03 26 47 c0 bd f3 1f-41 3c 45 38 63 61 28 a6   l.&G....A<E8ca(.
    00b0 - ab 40 c0 05 2e 01 74 e0-c8 3e 13 b6 cf fc 66 df   .@....t..>....f.
    00c0 - da f2 41 c0 03 58 10 d5-1b 60 a5 21 cb fc e3 97   ..A..X...`.!....
    00d0 - f3 a2 5e 67 a4 3d 61 34-e1 b0 1e 74 14 2a cf e5   ..^g.=a4...t.*..

    Start Time: 1687527254
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D6AF8F3BEE7F0C1468BA5DF30A2E85D33328D483CBB1DA92E3A2BE056318785E
    Session-ID-ctx:
    Resumption PSK: 61391DF55803BD2B3F4F6BC3151D96AD7B63D8E5AA0BA11E416FE286D32E94A85F2CB68769ABC2A23D0113C2802C7ECF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1d a6 15 dc 7d 70 87 6a-97 57 b6 bd 50 44 ad 9f   ....}p.j.W..PD..
    0010 - be 25 93 e1 2a 27 e4 1c-3a fa 14 a2 58 ad 03 37   .%..*'..:...X..7
    0020 - 74 6a a6 4d 49 a4 61 b7-b0 65 68 17 76 7b 55 de   tj.MI.a..eh.v{U.
    0030 - 36 3b a1 e7 af a1 52 f8-0e b6 ae 77 44 7b a8 71   6;....R....wD{.q
    0040 - 6d bf d0 d7 03 55 16 6a-a7 34 e4 17 93 1c a0 6a   m....U.j.4.....j
    0050 - 66 a4 15 16 63 40 d0 41-08 91 7e 6a 61 62 13 39   f...c@.A..~jab.9
    0060 - ab 13 15 68 98 15 6d 29-dd 22 be 22 da e9 e2 c6   ...h..m)."."....
    0070 - 55 cb fa b9 b3 50 f5 d4-f7 69 1e a3 5a ca 41 dd   U....P...i..Z.A.
    0080 - 91 06 75 d2 0d a0 33 85-fb 11 a0 6f bd 6b 6b 7c   ..u...3....o.kk|
    0090 - 8d 20 68 36 fa 25 44 04-cc e5 ad 05 cb 50 b9 78   . h6.%D......P.x
    00a0 - 0c b5 f2 09 54 3b e9 11-40 03 2b ff 57 b8 9a 0c   ....T;..@.+.W...
    00b0 - dc 74 6e b0 78 ed c2 ca-ea 90 ba 05 c1 ef 1a 97   .tn.x...........
    00c0 - 64 3b 9e 59 13 38 91 68-64 e4 a2 a8 94 5e 74 c4   d;.Y.8.hd....^t.
    00d0 - 6c cd 13 c0 20 16 8d 79-19 03 64 0c 8a 99 7c b5   l... ..y..d...|.

    Start Time: 1687527254
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

But when I do the same with the public hostname rasp.tholeb.fr:443:

CONNECTED(00000003)
depth=0 C = FR, O = Orange, CN = 60CE86-Livebox 4-FBKL00101781704
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, O = Orange, CN = 60CE86-Livebox 4-FBKL00101781704
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = FR, O = Orange, CN = 60CE86-Livebox 4-FBKL00101781704
verify return:1
---
Certificate chain
 0 s:C = FR, O = Orange, CN = 60CE86-Livebox 4-FBKL00101781704
   i:C = FR, O = Orange, CN = Orange Devices Auth MIB4 RGW CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 12 22:56:59 2019 GMT; NotAfter: Dec 12 22:56:59 2034 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C = FR, O = Orange, CN = Orange Devices Generic4 CA
   i:C = FR, O = Orange, OU = 0002 380129866, CN = Orange Devices Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  9 09:21:03 2014 GMT; NotAfter: Sep  8 09:21:03 2037 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:C = FR, O = Orange, OU = 0002 380129866, CN = Orange Devices Root CA
   i:C = FR, O = Orange, OU = 0002 380129866, CN = Orange Devices Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 10:24:14 2011 GMT; NotAfter: May 10 10:24:14 2041 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 3 s:C = FR, O = Orange, CN = Orange Devices Auth MIB4 1 Fut CA
   i:C = FR, O = Orange, OU = 0002 380129866, CN = Orange Devices Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  9 09:38:27 2014 GMT; NotAfter: Sep  8 09:38:27 2037 GMT
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=C = FR, O = Orange, CN = 60CE86-Livebox 4-FBKL00101781704
issuer=C = FR, O = Orange, CN = Orange Devices Auth MIB4 RGW CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 6825 bytes and written 775 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CF584B2788B332292AB4FB1ECA2705E6DEA426873B652D51C58809AE29549B9E
    Session-ID-ctx:
    Resumption PSK: 0BEFC7D5A9EDE27B90E52036FFD188970F029B4BD4C85B7E5265FEFB6D59B49738C6B76F363CC173E833301521CEC97C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 68 0a ce ba 5c 5e 83 2f-6a 3f 25 80 08 56 9d fc   h...\^./j?%..V..
    0010 - f9 e5 33 08 ce f5 ef 14-53 dd 01 21 8b b4 28 d5   ..3.....S..!..(.
    0020 - 2c 7e dd b7 6b b4 72 05-8f e7 63 23 3e 29 8f 73   ,~..k.r...c#>).s
    0030 - 17 f1 bc 28 b8 1f 63 36-06 c0 8d 65 96 29 21 00   ...(..c6...e.)!.
    0040 - 2a 5e 71 1b 56 f6 d1 b9-b6 f6 cc da 94 70 13 6c   *^q.V........p.l
    0050 - 0d 3e e4 bd e4 30 d4 69-7f bf 8f 1c 8d f2 1d d6   .>...0.i........
    0060 - 47 a4 82 cf fd 52 e0 c1-b8 2c 79 c0 b4 d0 f2 21   G....R...,y....!
    0070 - 68 26 2d 20 0b f0 76 d6-47 f2 7c 2a 42 dc 75 03   h&- ..v.G.|*B.u.
    0080 - 4e b0 8b f8 ca 27 4a 65-d7 02 5f 47 b5 53 69 d1   N....'Je.._G.Si.
    0090 - 71 94 47 b6 1a 7a 07 93-fd 44 4e b3 9f b5 e5 2f   q.G..z...DN..../
    00a0 - f9 a1 0a 82 86 31 1a 15-35 28 4b 0d 22 f4 7f 7e   .....1..5(K."..~
    00b0 - 3c df 62 b1 33 25 83 14-26 a0 8d 9e d4 90 69 1e   <.b.3%..&.....i.
    00c0 - 1a a1 e9 94 ea a3 1f e1-18 67 b9 fb d5 8e fe 51   .........g.....Q

    Start Time: 1687527650
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 6E8E7F6B9CD9B5303514280AE7628DFA68B9268F9F7E5CFA0B69E6E9E160B608
    Session-ID-ctx:
    Resumption PSK: F9774EC7BFC1F92B03F85E56153996DDC54671DFDBC859B40D0F240826E353C3FDA3B0AAE95CAB5FF088B30E5B164E14
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 68 0a ce ba 5c 5e 83 2f-6a 3f 25 80 08 56 9d fc   h...\^./j?%..V..
    0010 - ec 34 78 9a b7 97 48 1d-6a 33 0f 50 7a b1 59 a4   .4x...H.j3.Pz.Y.
    0020 - 96 db 20 21 c1 39 b9 0b-56 75 e2 73 de 8d f4 71   .. !.9..Vu.s...q
    0030 - cb 23 5e 12 ca e0 76 a9-de 13 a9 3d 44 a7 78 8a   .#^...v....=D.x.
    0040 - 6b a3 17 a0 fa 5a 78 8c-5f 37 fa 78 f7 d6 f1 0f   k....Zx._7.x....
    0050 - 51 00 7c 62 3e 98 ff d1-22 96 f3 2d 64 ec 60 e7   Q.|b>..."..-d.`.
    0060 - 47 3a 6b 0e f6 47 89 87-d0 da 54 70 d6 f7 b1 c5   G:k..G....Tp....
    0070 - d1 5e 76 c0 bd c1 85 d0-08 13 c6 cb ba 7f 66 da   .^v...........f.
    0080 - 15 f2 c5 ab 38 a8 84 35-4c 52 de 6e 51 a6 d6 39   ....8..5LR.nQ..9
    0090 - 47 65 a1 1a c9 01 56 1f-b2 79 4c ce 4f f2 54 6c   Ge....V..yL.O.Tl
    00a0 - da fc 0b 47 85 fd 07 6b-a1 d6 19 56 12 e3 17 90   ...G...k...V....
    00b0 - a3 4a b6 75 d0 79 98 da-6b bc 3b f0 fb f8 16 2e   .J.u.y..k.;.....
    00c0 - a8 85 ee 5f a6 30 1e 86-2e 31 b0 90 b4 a6 94 7d   ..._.0...1.....}

    Start Time: 1687527650
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Well, it's hard to help with something I can't see.

Your service is clearly reacting differently depending on the requested domain. Do localhost and rasp.tholeb.fr resolve to the same IP? Does that service support SNI, and does it use the correct cert for these different names?

You could try this, which sets the host name for SNI:

openssl s_client -connect localhost:443 -servername rasp.tholeb.fr

and vice-versa

3 Likes
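The reply above asks which certificate is served for which name, and the thread answers it by reading long `openssl s_client` transcripts by eye. As an added example (Python, written for this page, not code from any of the posts), the block below parses the summary lines of such a transcript (chain, leaf subject/issuer, verify return code), applies the one-label wildcard rule from RFC 6125 that explains why `*.rasp.tholeb.fr` does not cover `rasp.tholeb.fr`, and reports findings for a run against an expected host name. The two transcripts embedded in it are constructed excerpts modelled on the ones quoted in this thread.

```python
"""Parse openssl s_client summary output and check which certificate was served.

Added example for this thread, not code from the original posts. The two
transcripts below are constructed excerpts modelled on the thread's output.
"""
from __future__ import annotations

import re

# Constructed excerpt: the Let's Encrypt certificate nginx serves on localhost
SERVED_BY_NGINX = """\
CONNECTED(00000003)
depth=0 CN = *.rasp.tholeb.fr
verify return:1
---
Certificate chain
 0 s:CN = *.rasp.tholeb.fr
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = *.rasp.tholeb.fr
issuer=C = US, O = Let's Encrypt, CN = R3
---
Verify return code: 0 (ok)
"""

# Constructed excerpt: the router's own certificate answering on the public name
SERVED_BY_ROUTER = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:C = FR, O = Orange, CN = 60CE86-Livebox 4-FBKL00101781704
   i:C = FR, O = Orange, CN = Orange Devices Auth MIB4 RGW CA
---
Server certificate
subject=C = FR, O = Orange, CN = 60CE86-Livebox 4-FBKL00101781704
issuer=C = FR, O = Orange, CN = Orange Devices Auth MIB4 RGW CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
VERIFY_CODE = re.compile(r"^Verify return code: (\d+) \((.*)\)$")


def rdn_value(dn: str, attr: str) -> str | None:
    """Pull one attribute (e.g. CN) out of an OpenSSL 'C = FR, O = Orange, CN = x' string."""
    for part in dn.split(", "):
        key, sep, value = part.partition(" = ")
        if sep and key.strip() == attr:
            return value.strip()
    return None


def parse_s_client(output: str) -> dict:
    """Collect the chain entries, leaf subject/issuer and top-level verify result."""
    result = {"chain": [], "subject": None, "issuer": None, "verify_code": None, "verify_text": None}
    for line in output.splitlines():
        if (m := CHAIN_SUBJECT.match(line)):
            result["chain"].append({"subject": m.group(2), "issuer": None})
        elif (m := CHAIN_ISSUER.match(line)) and result["chain"]:
            result["chain"][-1]["issuer"] = m.group(1)
        elif line.startswith("subject="):
            result["subject"] = line[len("subject="):]
        elif line.startswith("issuer="):
            result["issuer"] = line[len("issuer="):]
        elif (m := VERIFY_CODE.match(line)):
            result["verify_code"] = int(m.group(1))
            result["verify_text"] = m.group(2)
    return result


def hostname_matches(host: str, pattern: str) -> bool:
    """RFC 6125 rule: a leading '*' covers exactly one label, so '*.rasp.tholeb.fr'
    covers www.rasp.tholeb.fr but not rasp.tholeb.fr (hence both SANs in the CSR)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    host_labels, pat_labels = host.split("."), pattern.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def check_served_cert(output: str, expected_host: str) -> list[str]:
    """Findings for one s_client run; an empty list means the expected cert was served.
    The summary shows only the CN, so a SAN-only match would show up here as a mismatch;
    confirm with 'openssl x509 -noout -ext subjectAltName' on the leaf when in doubt."""
    parsed = parse_s_client(output)
    findings = []
    if parsed["verify_code"] != 0:
        findings.append(f"chain did not verify: {parsed['verify_text']}")
    cn = rdn_value(parsed["subject"] or "", "CN")
    if cn is None or not hostname_matches(expected_host, cn):
        findings.append(f"leaf CN {cn!r} does not cover {expected_host}")
    return findings


if __name__ == "__main__":
    for label, transcript in (("localhost", SERVED_BY_NGINX), ("rasp.tholeb.fr", SERVED_BY_ROUTER)):
        print(label, check_served_cert(transcript, "www.rasp.tholeb.fr") or "OK")
```

Feeding it the output of `openssl s_client -connect <ip>:443 -servername <name>` for each name you care about gives the same comparison the replier asks for, and makes the difference between "nginx answered" and "something in front of nginx answered" a one-line result instead of two screens of session tickets.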

Adding my raspberry to the DMZ works, but it exposes the machine to the internet, which is not what I want because it's not safe at all, and I only want the websites to be accessible through the local network (the raspberry has a DNS server that redirects *.rasp.tholeb.fr to a local network IP).

I don't understand here. rasp.tholeb.fr points to my raspberry (home), and localhost is when I'm connected to the rasp using SSH. I tried the commands above while connected to the rasp using SSH.

The output is:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.rasp.tholeb.fr
verify return:1
---
Certificate chain
 0 s:CN = *.rasp.tholeb.fr
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 23 11:59:49 2023 GMT; NotAfter: Sep 21 11:59:48 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = *.rasp.tholeb.fr
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5051 bytes and written 396 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 47E7221E06CF951016E686FF1CBC6AC2187B4E6AAAB197C0B63450BA3864E59D
    Session-ID-ctx:
    Resumption PSK: 568278BA9E9285B55EF2B834D2045BF76E1D1F8860FB2FC1A18DAF27044D9F323BA826406706C8C6095EA5F2ED9E2347
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1d a6 15 dc 7d 70 87 6a-97 57 b6 bd 50 44 ad 9f   ....}p.j.W..PD..
    0010 - 06 d8 bd 7e d3 98 21 60-e5 8a b9 36 20 2b b5 b3   ...~..!`...6 +..
    0020 - 19 35 50 df 91 24 94 7b-d4 70 03 15 93 ff b2 a2   .5P..$.{.p......
    0030 - 80 79 b4 91 26 1c 04 26-c5 a7 65 d5 0a 0e 5b 47   .y..&..&..e...[G
    0040 - a9 b3 16 70 cc 8f 92 bd-af f5 32 da b2 98 99 3a   ...p......2....:
    0050 - 2d 7b d6 9b bd 90 aa 83-ea f6 b4 44 cc 9a 62 94   -{.........D..b.
    0060 - b0 e6 20 f6 74 93 86 38-f5 76 61 0d 80 af bd 31   .. .t..8.va....1
    0070 - 45 7b 49 79 04 4c fc e7-f8 9e 7a d3 ed 98 63 de   E{Iy.L....z...c.
    0080 - 06 b6 c0 49 70 09 3e 27-fc f6 53 ab 2c 4e 0a c3   ...Ip.>'..S.,N..
    0090 - 91 c9 ea 9e e7 af 12 cf-c4 7f 0d 90 09 14 50 76   ..............Pv
    00a0 - b8 0a 2f fe 8a 76 66 0b-0e cb 15 3b 26 a8 ee 01   ../..vf....;&...
    00b0 - 73 4a 89 88 7f d8 0e 77-bf ba e0 e8 1d 32 b1 19   sJ.....w.....2..
    00c0 - 03 d3 19 79 e9 9e dc 4b-66 2e 2a 54 bd a2 71 22   ...y...Kf.*T..q"
    00d0 - 9a 03 e9 11 fc d9 e0 e2-35 5d 07 77 da 78 0d 42   ........5].w.x.B
    00e0 - df 64 99 96 03 3b 61 62-e5 17 1f 2a 5d b0 a3 27   .d...;ab...*]..'

    Start Time: 1687528492
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 93A8FFF98EA41EDD94E8170050834CD2D07E97ED05E65005C6AD464484B805B7
    Session-ID-ctx:
    Resumption PSK: 3634AE186C83C5358CE2FB3054A9E1F45775255D3E2B28DC28FB7681548DB820878A8B8D85AEC682DC879CCD549C826D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1d a6 15 dc 7d 70 87 6a-97 57 b6 bd 50 44 ad 9f   ....}p.j.W..PD..
    0010 - d9 97 bf d3 9b 61 4d 33-b4 59 b1 9b 57 a3 f0 d3   .....aM3.Y..W...
    0020 - b3 97 6b 8c 6d 62 93 b3-c8 93 df ab dd d9 28 83   ..k.mb........(.
    0030 - 19 4f 64 21 9e e1 5d 1d-88 d5 59 45 17 71 f2 cf   .Od!..]...YE.q..
    0040 - d0 b9 39 24 69 0c a1 90-e6 fa 63 8d 40 0d 82 76   ..9$i.....c.@..v
    0050 - 1d 8a 9c 56 0a e3 4a 4a-bb e9 24 c5 51 8f 4b 98   ...V..JJ..$.Q.K.
    0060 - 43 c7 f9 1a 5d eb 44 2f-4c 59 0a 3e 65 30 6f 42   C...].D/LY.>e0oB
    0070 - e9 46 5a f8 b3 c8 ec d2-fa 5b 7d dc a4 ef 9f e9   .FZ......[}.....
    0080 - 2b ad 53 d5 77 a6 0c 03-17 42 cf 68 cf 41 5d a4   +.S.w....B.h.A].
    0090 - b7 02 65 09 1f 80 8b 3c-81 65 67 88 88 ad 7c a3   ..e....<.eg...|.
    00a0 - b6 94 c4 0b 99 44 3c 92-6b 81 ef 81 89 76 27 cf   .....D<.k....v'.
    00b0 - c7 cc ad 6c 8e cb a8 8a-45 18 b4 e2 b7 87 56 1e   ...l....E.....V.
    00c0 - 6d bc 9b 8b 06 f9 d4 96-41 97 6f 8e e2 92 6e 9a   m.......A.o...n.
    00d0 - 8a d3 54 c0 dd fc a8 54-10 36 2c 04 32 d5 49 dd   ..T....T.6,.2.I.
    00e0 - 6c e6 e6 6a 40 74 b7 6f-38 38 99 d5 15 bd 96 d2   l..j@t.o88......

    Start Time: 1687528492
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

After some more digging, the certificate given by Orange (my IAP) is indeed a bug, but I resolved my problem by checking my local DNS (on my raspberry), which wasn't started for some reason. Thanks a lot for the help!

2 Likes
