![](https://seccdn.libravatar.org/avatar/ec2e857562f9e94f420a54d9a7ce8d79.jpg?s=120&d=mm&r=g)
Op dinsdag 20 maart 2018 17:24:18 CET schreef Marcus Meissner:
On Tue, Mar 20, 2018 at 05:14:27PM +0100, Per Jessen wrote:
Bjoern Voigt wrote:
Per Jessen wrote:
Well, I have now determined it is a missing root CA. Firefox has it, but wget/curl/w3m/konqueror do not. I exported it from Firefox (quite an old one), and when I use that with wget, it works.
I guess Firefox comes with a built-in CA bundle, whereas the others use e.g. /etc/ssl/certs ? (pkg ca-certificates).
Did it worked for you to import the root CA "DigiCert Global Root CA" from Firefox? I tried this, but after that "c_rehash" showed my a duplicate root CA in /etc/ssl/certs. So this was unsuccessful.
I exported one called "Geotrust RSA CA 2018" (from memory), rehashed etc.
I think, the immediate certificate "GeoTrust RSA CA 2018" is missing.
Haha, right.
Firefox and others handle this somehow other than OpenSSL based programs.
Firefox in older versions has that CA - I exported from a Firefox on openSUSE 12.3.
I'm beginning to think this is about an incomplete chain being served, just like ssllabs suggested. I'll have to double check the config.
No, it is just the certificate is expired:
openssl s_client -connect www.elixseri.com:443 ...
Verify return code: 10 (certificate has expired)
Not Before: Dec 18 21:28:36 2017 GMT Not After : Mar 18 21:28:36 2018 GMT
So the letsencrypt refresh is probably stopped.
Ciao, Marcus Found out recently that letsencrypt renewal fails on apache redirects in the vhost config, and in some cases on (probably redirects too) .htaccess. FYI.
-- Gertjan Lettink, a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team Linux user #548252 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org