Quoting Jonas Smedegaard (2020-04-05 01:00:04) > Quoting Guilhem Moulin (2020-04-04 20:53:16) > > On Sat, 04 Apr 2020 at 20:18:28 +0200, Jonas Smedegaard wrote: > > > C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 > > > error 2 at 1 depth lookup: unable to get issuer certificate > > > [live] Error: Received invalid X.509 certificate from ACME server! > > > > This indicates that the received X.509 certificate isn't signed by the > > CA specified as ‘CAfile’. More precisely, that > > > > openssl verify -CAfile $CAfile -purpose sslserver -x509_strict > > </path/to/cert > > > > has a non-0 exit status. The default value for ‘CAfile’ is the lacme- > > provided cross signed chain > > /usr/share/lacme/lets-encrypt-x3-cross-signed.pem , > > did you perhaps set it to something else? I'm not familiar with > > verify(1ssl) error messages but it suggests that the the CA file doesn't > > contain the full chain. > > > > Works for me with the default ‘CAfile’ value, at least: > > > > $ curl -s > > https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db > > \ > > | openssl verify -CAfile > > /usr/share/lacme/lets-encrypt-x3-cross-signed.pem -purpose sslserver > > -x509_strict > > stdin: OK > > > > Does this command work on your system? > > Nope: > > debian@everton:~$ curl -s > https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db > | openssl verify -CAfile /usr/share/lacme/lets-encrypt-x3-cross-signed.pem > -purpose sslserver -x509_strict > unable to load certificate > 3070115856:error:0909006C:PEM routines:get_name:no start > line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE > debian@everton:~$ echo $? > 2 > > Weirdly the cause seems to be that curl doesn't get the cert at all: > > debian@everton:~$ curl -s > https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db > debian@everton:~$ echo $? > 60 > > On another host I have no problem fetching the cert. > > So seems like an issue unrelated to lacme :-/
Seems to be a problem with CA certificates generally: debian@everton:~$ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db --verbose * Expire in 0 ms for 6 (transfer 0x5f25a8) [...] * Expire in 50 ms for 1 (transfer 0x5f25a8) * Trying 172.65.32.248... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x5f25a8) * Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 Ah, yes: The cause is that the system lack the hashes in /etc/ssl/certs. Sorry for bothering you with a bug outside of lacme - sharing these details only in case it might inspire you to provide clues when lacme runs into weird scenarios like that. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature
