Quoting Guilhem Moulin (2020-04-04 20:53:16)
> Control: tag -1 moreinfo
> 
> Hi Jonas,
> 
> On Sat, 04 Apr 2020 at 20:18:28 +0200, Jonas Smedegaard wrote:
> > C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> > error 2 at 1 depth lookup: unable to get issuer certificate
> > [live] Error: Received invalid X.509 certificate from ACME server!
> 
> This indicates that the received X.509 certificate isn't signed by the
> CA specified as ‘CAfile’. More precisely, that
> 
>     openssl verify -CAfile $CAfile -purpose sslserver -x509_strict </path/to/cert
> 
> has a non-0 exit status. The default value for ‘CAfile’ is the
> lacme-provided cross signed chain /usr/share/lacme/lets-encrypt-x3-cross-signed.pem,
> did you perhaps set it to something else? I'm not familiar with
> verify(1ssl) error messages but it suggests that the CA file doesn't
> contain the full chain.
> 
> Works for me with the default ‘CAfile’ value, at least:
> 
>     $ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db \
>         | openssl verify -CAfile /usr/share/lacme/lets-encrypt-x3-cross-signed.pem -purpose sslserver -x509_strict
>     stdin: OK
> 
> Does this command work on your system?
Nope:

debian@everton:~$ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db | openssl verify -CAfile /usr/share/lacme/lets-encrypt-x3-cross-signed.pem -purpose sslserver -x509_strict
unable to load certificate
3070115856:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
debian@everton:~$ echo $?
2

Weirdly the cause seems to be that curl doesn't get the cert at all:

debian@everton:~$ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db
debian@everton:~$ echo $?
60

On another host I have no problem fetching the cert.

So seems like an issue unrelated to lacme :-/

> (Adding --debug will indicate the exact `openssl verify -CAfile …`
> that fails.)

Here's the output with --debug (in case it is still interesting):

Using configuration file: /etc/lacme/lacme.conf
Reading /etc/lacme/lacme-certs.conf
Reading /etc/lacme/lacme-certs.conf.d/live.conf
Configuration option for live:
CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem
certificate-chain = /etc/ssl/shared/live.pem
certificate-key = /etc/ssl/private/live.key
notify = /bin/systemctl reload apache2
subject = /CN=live.homebase.dk
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = live.homebase.dk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ab:58:69:4a:3d:a4:aa:23:7f:28:62:70:86:fa:
                    29:c1:3d:c5:e1:46:07:a9:b6:70:ab:31:13:d5:ba:
                    79:f2:8e:cc:43:30:b3:9b:bc:36:fd:79:b0:25:07:
                    61:06:b7:8e:74:bd:15:44:45:47:46:23:b7:d2:b1:
                    e8:ca:8f:c4:41:52:89:33:79:c7:6a:70:43:f0:28:
                    31:87:18:57:23:6b:88:e5:75:2c:9e:38:3a:d2:34:
                    4a:f8:b9:19:9a:b3:97:bf:94:5a:fd:61:4f:ae:d0:
                    58:2c:58:6a:b1:7d:74:2e:93:3d:eb:c5:04:78:04:
                    9d:ba:b0:c2:65:ea:24:0d:93:ae:09:ca:02:b9:80:
                    cb:46:6d:f7:32:4a:48:76:6f:7d:2e:2f:5c:b0:42:
                    d6:6e:f3:db:ad:5f:d7:14:5b:f3:f1:68:c4:b0:b1:
                    d5:99:33:3a:df:24:64:76:94:37:93:60:48:25:16:
                    f5:4b:1d:a9:40:c3:55:6c:f0:22:75:ef:80:ac:d2:
                    e5:f0:1f:6d:de:ab:e1:f1:01:4f:3f:1a:99:1b:2b:
                    18:53:2f:d3:9c:ee:d5:99:38:49:69:b7:b2:39:10:
                    c4:41:55:f1:13:09:b3:5e:a3:2f:14:23:12:ff:af:
                    ad:de:82:63:71:0b:a4:9f:a3:1f:1f:40:a7:79:4c:
                    6e:06:fc:a5:03:0c:8d:ef:4c:25:f3:bd:ad:8e:1d:
                    db:3c:4e:3b:41:48:f9:4a:2e:6e:68:03:68:e7:88:
                    43:2b:ba:35:4e:ad:79:13:1b:1f:96:c1:63:29:cd:
                    89:73:14:d1:f3:2d:11:b4:ad:c5:42:52:b3:33:27:
                    07:d6:3c:10:1d:e1:84:0d:57:45:6a:1c:da:25:a2:
                    48:71:84:41:5b:05:7b:0f:da:d9:2f:73:76:0d:82:
                    e0:00:f4:94:87:fa:88:7c:b9:ef:d1:c2:96:52:1c:
                    9d:cd:1f:0f:d1:b5:ab:81:7e:47:1d:01:a5:95:e9:
                    ea:85:0c:c8:9d:1c:57:95:58:e5:14:c3:7a:c2:15:
                    26:3d:27:bf:f2:ea:d7:85:53:6a:b5:9b:f1:02:69:
                    2d:3d:10:04:7e:46:b9:bb:78:6d:da:49:d1:b3:9e:
                    30:a3:a2:11:22:1e:cd:fe:ad:e9:85:e2:6c:93:cd:
                    da:72:8d:ad:cf:91:18:42:c7:68:d5:f1:58:fa:66:
                    f7:99:f0:1c:f9:9b:4a:1b:e4:dc:f9:4c:d5:8f:8c:
                    91:79:38:55:1c:e2:a6:83:5d:9e:f9:a9:b0:cf:41:
                    d4:1e:dc:17:76:30:5d:e8:52:44:62:73:83:b6:33:
                    46:85:fa:4a:fe:4e:de:9b:19:a4:12:52:a8:a1:e0:
                    af:7b:ed
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                54:59:31:D1:A8:55:4C:57:FF:C0:93:DB:3A:17:12:32:8A:2B:75:34
    Signature Algorithm: sha256WithRSAEncryption
         2a:32:f7:9c:dd:5f:2e:37:50:57:aa:c2:61:73:4c:c1:63:67:
         19:78:a8:98:49:ee:7e:d7:bd:0b:f7:29:ed:32:0d:71:33:08:
         e0:0d:68:f1:10:4d:16:bd:03:c0:7c:9f:b8:55:46:05:1a:f7:
         40:6c:d7:7b:d4:f5:3e:1a:55:9d:72:54:01:df:1f:c9:6e:2c:
         5f:e3:d7:0e:12:dd:15:c0:c5:61:25:a8:19:35:73:8e:cf:68:
         95:93:f0:ce:dd:33:fc:5b:a3:67:81:22:56:3f:5f:7a:b0:5b:
         f1:81:d0:6a:6d:9a:26:2c:4b:c9:72:64:2a:f2:c0:72:37:09:
         1b:cf:8d:93:1a:d3:40:94:39:b9:1f:8c:3f:c8:65:6f:f5:7a:
         44:60:1c:0d:b5:02:fc:0b:81:c3:c4:6c:04:6e:b6:94:d6:47:
         26:12:20:3f:0d:32:76:95:84:3b:c6:37:fd:e4:9a:3b:1d:b3:
         22:e3:19:27:5b:f6:cf:c0:71:96:cb:c8:53:2c:87:da:d1:16:
         c2:93:76:ad:6c:4c:e5:3b:7b:81:78:9f:81:bd:70:1b:b5:64:
         d6:6f:db:91:c8:00:52:03:8a:01:46:ff:60:1b:8b:00:a5:c6:
         d0:28:ad:b5:7c:e7:70:c4:bf:37:16:7b:9d:a0:a2:a9:a4:bf:
         6b:33:05:57:66:43:e9:25:25:7b:86:88:5f:b7:95:2d:75:49:
         2a:8b:bb:88:b2:4f:b2:80:be:ff:bb:8b:db:12:10:f9:5c:aa:
         57:32:0f:27:e0:6c:ae:98:a8:c3:67:8f:b9:bb:23:f2:b9:13:
         fa:cb:ca:30:bd:c7:a0:1d:b9:3b:13:2a:36:79:58:d3:01:91:
         87:25:a3:d3:ee:f0:60:6c:7e:fb:0d:fa:a1:ec:cf:85:74:6c:
         c8:e8:3a:d9:29:d2:db:2a:8d:af:51:ed:a7:47:42:d5:a1:f4:
         93:c6:79:d1:fc:ad:ed:dd:18:cd:90:b2:df:57:c6:c1:45:12:
         56:ff:05:57:21:a1:60:41:17:7c:c1:4a:64:62:3c:c0:05:b5:
         43:ad:ff:de:35:2a:da:71:f0:d1:8e:19:2f:a9:50:74:9e:8c:
         46:c8:53:a0:b2:99:14:4d:91:d0:09:ed:fc:e9:8e:19:c4:4b:
         c2:65:ce:8b:c0:c8:ef:ff:e7:0e:99:aa:91:09:94:14:a5:a1:
         fd:30:72:bd:ab:14:f2:2e:fe:02:52:02:1b:f8:55:fe:6d:20:
         cb:ca:8b:42:77:6b:10:cc:8e:97:36:b3:7b:b9:07:9b:17:16:
         ea:70:b0:b6:4e:40:69:42:d2:3a:10:3b:e8:1a:ba:1f:d3:bd:
         05:36:da:3c:a5:04:71:54
[23111] Forking ACME webserver bound to /var/run/lacme-www.socket, child PID 23114
[live] Will request authorization for: live.homebase.dk
[23111] Forking /usr/lib/lacme/client, child PID 23115
[23115] >>> GET https://acme-v02.api.letsencrypt.org/directory <<<
[23115] >>> 200 OK
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:21 GMT
Server: nginx
Content-Length: 658
Content-Type: application/json
Client-Date: Sat, 04 Apr 2020 18:32:21 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
{
  "Za-Cv84q58w" : "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange" : "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta" : {
    "caaIdentities" : [ "letsencrypt.org" ],
    "termsOfService" : "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website" : "https://letsencrypt.org"
  },
  "newAccount" : "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce" : "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder" : "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert" : "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
[23115] >>> HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce <<<
[23115] >>> 200 OK
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:22 GMT
Server: nginx
Client-Date: Sat, 04 Apr 2020 18:32:22 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102pwY3kIRbGfd7JQFtuKjVzoQ1zU8NCxK_h2yyWgHVP18
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
[23115] >>> POST https://acme-v02.api.letsencrypt.org/acme/new-acct <<<
[23115] >>> 200 OK
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:22 GMT
Location: https://acme-v02.api.letsencrypt.org/acme/acct/82113666
Server: nginx
Content-Length: 896
Content-Type: application/json
Client-Date: Sat, 04 Apr 2020 18:32:23 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101mr3LTHUIU0uKZQME5Eu4fB9sTcDUycrRaSfJ46gqdh0
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
[23115] >>> POST https://acme-v02.api.letsencrypt.org/acme/new-order <<<
[23115] >>> 201 Created
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:23 GMT
Location: https://acme-v02.api.letsencrypt.org/acme/order/82113666/2890864421
Server: nginx
Content-Length: 344
Content-Type: application/json
Boulder-Requester: 82113666
Client-Date: Sat, 04 Apr 2020 18:32:23 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102MySokyspnhXPTD4tYVFTGrKblxFdBiBtXgw-r9uV8RE
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
{
  "authorizations" : [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/3678075301" ],
  "expires" : "2020-04-11T18:32:23.863982362Z",
  "finalize" : "https://acme-v02.api.letsencrypt.org/acme/finalize/82113666/2890864421",
  "identifiers" : [ { "type" : "dns", "value" : "live.homebase.dk" } ],
  "status" : "ready"
}
[23115] >>> POST https://acme-v02.api.letsencrypt.org/acme/authz-v3/3678075301 <<<
[23115] >>> 200 OK
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:24 GMT
Server: nginx
Content-Length: 718
Content-Type: application/json
Boulder-Requester: 82113666
Client-Date: Sat, 04 Apr 2020 18:32:24 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102YiHBID877VnvlxmPBDvyB4qA2sgWHw9wr_P2p7U2aJQ
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
{
  "challenges" : [
    {
      "status" : "valid",
      "token" : "e63Ko3aOt_wwNDmxc3zGD5gmCAJkNyyjlluVeCGH0gw",
      "type" : "http-01",
      "url" : "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3678075301/fdLznQ",
      "validationRecord" : [
        {
          "addressUsed" : "94.18.231.215",
          "addressesResolved" : [ "94.18.231.215" ],
          "hostname" : "live.homebase.dk",
          "port" : "80",
          "url" : "http://live.homebase.dk/.well-known/acme-challenge/e63Ko3aOt_wwNDmxc3zGD5gmCAJkNyyjlluVeCGH0gw"
        }
      ]
    }
  ],
  "expires" : "2020-04-30T18:16:31Z",
  "identifier" : { "type" : "dns", "value" : "live.homebase.dk" },
  "status" : "valid"
}
[23115] >>> POST https://acme-v02.api.letsencrypt.org/acme/order/82113666/2890864421 <<<
[23115] >>> 200 OK
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:25 GMT
Server: nginx
Content-Length: 334
Content-Type: application/json
Client-Date: Sat, 04 Apr 2020 18:32:25 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101Mivmh0we6XtJTkmgoJtlYR_BNx1DIsNbNBAAUT9ePOI
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
{
  "authorizations" : [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/3678075301" ],
  "expires" : "2020-04-11T18:32:23Z",
  "finalize" : "https://acme-v02.api.letsencrypt.org/acme/finalize/82113666/2890864421",
  "identifiers" : [ { "type" : "dns", "value" : "live.homebase.dk" } ],
  "status" : "ready"
}
[23115] >>> POST https://acme-v02.api.letsencrypt.org/acme/finalize/82113666/2890864421 <<<
[23115] >>> 200 OK
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:32 GMT
Location: https://acme-v02.api.letsencrypt.org/acme/order/82113666/2890864421
Server: nginx
Content-Length: 438
Content-Type: application/json
Boulder-Requester: 82113666
Client-Date: Sat, 04 Apr 2020 18:32:32 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002Nokj3uqhzgT55ge9uanqOpu5soWvUcvlo8I7jDPyxtg
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
{
  "authorizations" : [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/3678075301" ],
  "certificate" : "https://acme-v02.api.letsencrypt.org/acme/cert/0321272b9a6d660c800c53e13c8e01a4438d",
  "expires" : "2020-04-11T18:32:23Z",
  "finalize" : "https://acme-v02.api.letsencrypt.org/acme/finalize/82113666/2890864421",
  "identifiers" : [ { "type" : "dns", "value" : "live.homebase.dk" } ],
  "status" : "valid"
}
Certificate URI: https://acme-v02.api.letsencrypt.org/acme/cert/0321272b9a6d660c800c53e13c8e01a4438d
[23115] >>> POST https://acme-v02.api.letsencrypt.org/acme/cert/0321272b9a6d660c800c53e13c8e01a4438d <<<
[23115] >>> 200 OK
Cache-Control: public, max-age=0, no-cache
Connection: close
Date: Sat, 04 Apr 2020 18:32:33 GMT
Server: nginx
Content-Length: 3908
Content-Type: application/pem-certificate-chain
Client-Date: Sat, 04 Apr 2020 18:32:33 GMT
Client-Peer: 172.65.32.248:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Client-SSL-Cert-Subject: /CN=acme-v01.api.letsencrypt.org
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002Xm20Flz0kLU9cpzpH_OBcylrnd64isWX4ccAv2Vj4IA
Strict-Transport-Security: max-age=604800
X-Frame-Options: DENY
[23111] Forking openssl, child PID 23119
[23111] Forking openssl, child PID 23120
[23111] Forking openssl, child PID 23121
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup: unable to get issuer certificate
[live] Error: Received invalid X.509 certificate from ACME server!
[23111] Shutting down ACME webserver bound to /var/run/lacme-www.socket
accept: Invalid argument at /usr/lib/lacme/webserver line 80.
Unlinking /var/run/lacme-www.socket
Connection to everton.homebase.dk closed.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
signature.asc
Description: signature
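The thread above turns on telling apart three outcomes of the same `openssl verify -CAfile … -purpose sslserver -x509_strict` call that Guilhem describes as lacme's check: a chain that verifies, a CAfile that does not reach a self-signed root ("error 2 at 1 depth lookup: unable to get issuer certificate", the message in Jonas's report), and an input that contains no certificate at all ("no start line"), which is what a pipeline produces when curl exits 60 (curl's "peer certificate cannot be authenticated with known CA certificates" status) and writes no body. The script below is an added example, not lacme code and not posted by either participant; it builds a throwaway root -> intermediate -> leaf chain with made-up names on the fly so it runs offline, needs only the openssl command-line tool (1.1.1 or later), and uses an empty file to stand in for curl's empty output.

```sh
#!/bin/sh
# Added example for this bug report; not lacme code and not from the thread.
# Builds a hypothetical three-level chain (Example Root -> Example Intermediate
# -> leaf.example.test) and runs the verify call lacme uses against it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension sections: -x509_strict wants CA:TRUE + keyCertSign + an SKID on CA
# certs, an AKID on every cert that is not self-signed, and a serverAuth EKU
# on the leaf for -purpose sslserver.
cat > "$WORK/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:leaf.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

quiet() { "$@" >/dev/null 2>&1; }

# Self-signed root, intermediate signed by it, leaf signed by the intermediate
# (the same shape as DST Root CA X3 -> Let's Encrypt Authority X3 -> host cert).
quiet openssl req -x509 -config "$WORK/x509.cnf" -extensions ca_ext -days 2 \
    -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root"
quiet openssl req -new -config "$WORK/x509.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Example Intermediate"
quiet openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 2 -extfile "$WORK/x509.cnf" -extensions ca_ext -out "$WORK/int.pem"
quiet openssl req -new -config "$WORK/x509.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=leaf.example.test"
quiet openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 3 -days 2 -extfile "$WORK/x509.cnf" -extensions leaf_ext -out "$WORK/leaf.pem"

cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"  # a complete CAfile: intermediate + root
: > "$WORK/empty.pem"                                     # what a curl exit 60 pipeline feeds openssl

# classify_cert CERT CAFILE: prints "no-cert", "ok", "chain" or "other".
# The input check comes first because an empty or non-PEM input also makes
# "openssl verify" exit 2, just with a PEM parse error instead of a chain error.
classify_cert() {
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo no-cert
    elif out=$(openssl verify -CAfile "$2" -purpose sslserver -x509_strict "$1" 2>&1); then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'unable to get .*issuer certificate'; then
        echo chain   # error 2 or 20: the chain never reaches a trusted self-signed root
    else
        echo other   # expiry, wrong purpose, strict-mode extension complaints, ...
    fi
}

for pair in "leaf.pem chain.pem" "leaf.pem int.pem" "empty.pem chain.pem"; do
    set -- $pair
    printf '%-10s against %-10s -> %s\n' "$1" "$2" "$(classify_cert "$WORK/$1" "$WORK/$2")"
done
```

Verifying against `int.pem` alone reproduces the report's message because the intermediate is found in the CAfile but is not self-signed and its issuer is nowhere in the store, so OpenSSL stops at depth 1; a full CAfile (`chain.pem`) verifies, and the empty input fails before any chain building happens at all, which is why checking that the fetched bytes contain a certificate is the first thing to do when the pipeline starts with curl.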