[opensuse] website certificate works with ff, opera and chromium, but not with curl, wget, w3m and konqueror.
A customer of ours recently renewed the ssl certificate (Digicert/Geotrust). Since then, accessing the site with curl, wget, w3m and konqueror causes a complaint "Unable to locally verify the issuer's authority". Firefox, Opera and Chromium have no problems. (all on Leap422).

The site: https://www.elixseri.com/

On Leap15 - Firefox is fine, wget isn't.

Even an older Firefox on openSUSE 13.1 works fine.

--
Per Jessen, Zürich (0.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Per Jessen wrote:
> A customer of ours recently renewed the ssl certificate (Digicert/Geotrust). Since then, accessing the site with curl, wget, w3m and konqueror causes a complaint "Unable to locally verify the issuer's authority".
> Firefox, Opera and Chromium have no problems. (all on Leap422).
> The site: https://www.elixseri.com/
> On Leap15 - Firefox is fine, wget isn't.
> Even an older Firefox on openSUSE 13.1 works fine.

I think the webserver www.elixseri.com has some SSL setup problems. Most browsers seem to ignore them.

SSL Labs complains about "Chain issues: Incomplete, Extra certs, Contains anchor". See https://www.ssllabs.com/ssltest/analyze.html?d=www.elixseri.com&s=185.85.251.21

I think there is nothing you can do as a client except disabling the certificate validation.

Greetings,
Björn
Bjoern Voigt wrote:
> Per Jessen wrote:
>> A customer of ours recently renewed the ssl certificate (Digicert/Geotrust). Since then, accessing the site with curl, wget, w3m and konqueror causes a complaint "Unable to locally verify the issuer's authority".
>> Firefox, Opera and Chromium have no problems. (all on Leap422).
>> The site: https://www.elixseri.com/
>> On Leap15 - Firefox is fine, wget isn't.
>> Even an older Firefox on openSUSE 13.1 works fine.
>
> I think the webserver www.elixseri.com has some SSL setup problems. Most browsers seem to ignore them.
>
> SSL Labs complains about "Chain issues: Incomplete, Extra certs, Contains anchor".
> See https://www.ssllabs.com/ssltest/analyze.html?d=www.elixseri.com&s=185.85.251.21

I'll check it out, but the website works fine, except with wget and curl.

> I think there is nothing you can do as a client except disabling the certificate validation.

Well, I have now determined it is a missing root CA. Firefox has it, but wget/curl/w3m/konqueror do not. I exported it from Firefox (quite an old one), and when I use that with wget, it works. I guess Firefox comes with a built-in CA bundle, whereas the others use e.g. /etc/ssl/certs ? (pkg ca-certificates).

--
Per Jessen, Zürich (1.6°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
Per Jessen wrote:
> Well, I have now determined it is a missing root CA. Firefox has it, but wget/curl/w3m/konqueror do not. I exported it from Firefox (quite an old one), and when I use that with wget, it works.
> I guess Firefox comes with a built-in CA bundle, whereas the others use e.g. /etc/ssl/certs ? (pkg ca-certificates).

Did it work for you to import the root CA "DigiCert Global Root CA" from Firefox? I tried this, but after that "c_rehash" showed me a duplicate root CA in /etc/ssl/certs. So this was unsuccessful.

I think the intermediate certificate "GeoTrust RSA CA 2018" is missing. Firefox and others handle this somehow differently than OpenSSL based programs.

You may verify OpenSSL's certificates with this command:

$ openssl s_client -connect www.elixseri.com:https -CApath /etc/ssl/certs -servername www.elixseri.com

Greetings,
Björn
Bjoern Voigt wrote:
> Per Jessen wrote:
>> Well, I have now determined it is a missing root CA. Firefox has it, but wget/curl/w3m/konqueror do not. I exported it from Firefox (quite an old one), and when I use that with wget, it works.
>> I guess Firefox comes with a built-in CA bundle, whereas the others use e.g. /etc/ssl/certs ? (pkg ca-certificates).
>
> Did it work for you to import the root CA "DigiCert Global Root CA" from Firefox? I tried this, but after that "c_rehash" showed me a duplicate root CA in /etc/ssl/certs. So this was unsuccessful.

I exported one called "Geotrust RSA CA 2018" (from memory), rehashed etc.

> I think the intermediate certificate "GeoTrust RSA CA 2018" is missing.

Haha, right.

> Firefox and others handle this somehow differently than OpenSSL based programs.

Firefox in older versions has that CA - I exported from a Firefox on openSUSE 12.3.

I'm beginning to think this is about an incomplete chain being served, just like ssllabs suggested. I'll have to double check the config.

--
Per Jessen, Zürich (1.8°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Tue, Mar 20, 2018 at 05:14:27PM +0100, Per Jessen wrote:
> Bjoern Voigt wrote:
>> Per Jessen wrote:
>>> Well, I have now determined it is a missing root CA. Firefox has it, but wget/curl/w3m/konqueror do not. I exported it from Firefox (quite an old one), and when I use that with wget, it works.
>>> I guess Firefox comes with a built-in CA bundle, whereas the others use e.g. /etc/ssl/certs ? (pkg ca-certificates).
>>
>> Did it work for you to import the root CA "DigiCert Global Root CA" from Firefox? I tried this, but after that "c_rehash" showed me a duplicate root CA in /etc/ssl/certs. So this was unsuccessful.
>
> I exported one called "Geotrust RSA CA 2018" (from memory), rehashed etc.
>
>> I think the intermediate certificate "GeoTrust RSA CA 2018" is missing.
>
> Haha, right.
>
>> Firefox and others handle this somehow differently than OpenSSL based programs.
>
> Firefox in older versions has that CA - I exported from a Firefox on openSUSE 12.3.
>
> I'm beginning to think this is about an incomplete chain being served, just like ssllabs suggested. I'll have to double check the config.

No, it is just that the certificate is expired:

openssl s_client -connect www.elixseri.com:443
...
Verify return code: 10 (certificate has expired)
Not Before: Dec 18 21:28:36 2017 GMT
Not After : Mar 18 21:28:36 2018 GMT

So the letsencrypt refresh is probably stopped.

Ciao, Marcus
Marcus Meissner wrote:
> No, it is just that the certificate is expired:
>
> openssl s_client -connect www.elixseri.com:443
> ...
> Verify return code: 10 (certificate has expired)
> Not Before: Dec 18 21:28:36 2017 GMT
> Not After : Mar 18 21:28:36 2018 GMT
>
> So the letsencrypt refresh is probably stopped.

No, you got the certificate for virtual host dev.elixseri.ch. The server uses SNI:

openssl s_client -connect www.elixseri.com:443 -servername www.elixseri.com

Greetings,
Björn
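To make the three explanations floated in this thread concrete (a missing intermediate, a missing root, and an expired certificate from the wrong SNI virtual host), here is an added Python example that is not from the list thread or from any of its posters. It models the path-building step that an OpenSSL-based client such as wget or curl performs against a local store of root subjects, over constructed certificate records: the CA names are the ones mentioned in the thread, the validity dates are constructed except for dev.elixseri.ch, whose dates are the ones Marcus quoted, and the Let's Encrypt issuer name is a placeholder. Real verification also checks signatures, hostnames and extensions; this reproduces only the chain-walking logic that produces the "unable to verify issuer" class of failure.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal view of an X.509 certificate: only what chain building needs."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def diagnose_chain(served, trusted_subjects, now):
    """Walk the served certificates the way an OpenSSL-style verifier does.

    served:            certificates as sent by the server, leaf first
    trusted_subjects:  subject names of the anchors in the local store
                       (modelling /etc/ssl/certs from the ca-certificates package)
    now:               verification time, timezone-aware
    Returns a (verdict, detail) pair.
    """
    if not served:
        return "error", "server sent no certificate"
    by_subject = {c.subject: c for c in served}
    cur = served[0]
    path = []
    while True:
        # Every certificate on the path must be inside its validity period;
        # an expired leaf is reported before any trust decision is reached.
        if not (cur.not_before <= now <= cur.not_after):
            return "expired", f"{cur.subject} not valid at {now.isoformat()}"
        path.append(cur.subject)
        if cur.issuer in trusted_subjects:
            # Reached a locally trusted anchor. A served copy of the anchor
            # ("Contains anchor" in SSL Labs terms) is never needed for this.
            return "ok", " -> ".join(path + [cur.issuer])
        if cur.self_signed:
            return "untrusted-root", f"chain ends at {cur.subject}, not in local store"
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            return "incomplete-chain", (f"issuer {cur.issuer!r} of {cur.subject!r} "
                                        "was neither served nor found locally")
        if nxt.subject in path:
            return "error", "issuer loop in served chain"
        cur = nxt


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample certificates. Names follow the thread; validity periods are
# made up, except dev.elixseri.ch, whose dates are the ones Marcus quoted.
ROOT = Cert("DigiCert Global Root CA", "DigiCert Global Root CA",
            _utc(2006, 1, 1), _utc(2031, 1, 1))
INTERMEDIATE = Cert("GeoTrust RSA CA 2018", "DigiCert Global Root CA",
                    _utc(2017, 11, 1), _utc(2027, 11, 1))
LEAF = Cert("www.elixseri.com", "GeoTrust RSA CA 2018",
            _utc(2018, 3, 6), _utc(2020, 3, 6))
DEV_LEAF = Cert("dev.elixseri.ch", "LETSENCRYPT-INTERMEDIATE-PLACEHOLDER",
                _utc(2017, 12, 18, 21, 28, 36), _utc(2018, 3, 18, 21, 28, 36))

NOW = _utc(2018, 3, 20, 16, 0, 0)  # the afternoon the thread was written

SYSTEM_STORE = {"DigiCert Global Root CA"}               # roots only, like ca-certificates
BROWSER_STORE = SYSTEM_STORE | {"GeoTrust RSA CA 2018"}  # a client already holding the intermediate


def scenarios(now=NOW):
    """Verdicts for the situations discussed in the thread."""
    return {
        "leaf only, wget/curl":                 diagnose_chain([LEAF], SYSTEM_STORE, now)[0],
        "leaf only, client with intermediate":  diagnose_chain([LEAF], BROWSER_STORE, now)[0],
        "leaf + intermediate (fixed vhost)":    diagnose_chain([LEAF, INTERMEDIATE], SYSTEM_STORE, now)[0],
        "leaf + intermediate + anchor":         diagnose_chain([LEAF, INTERMEDIATE, ROOT], SYSTEM_STORE, now)[0],
        "full chain, empty local store":        diagnose_chain([LEAF, INTERMEDIATE, ROOT], set(), now)[0],
        "default vhost hit without SNI":        diagnose_chain([DEV_LEAF], SYSTEM_STORE, now)[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:40s} {verdict}")
```

Compare the output with what `openssl s_client -showcerts -servername www.elixseri.com -connect www.elixseri.com:443 -CApath /etc/ssl/certs` prints: a served chain consisting of the leaf alone is a server-side configuration problem (the fix Per later applied, adding the new intermediate to the vhost), a client that already holds the intermediate (as Per's old Firefox did) verifies the same leaf without complaint, and an expired certificate with a different subject means the connection reached the default virtual host because no server name was sent.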
On Tuesday 20 March 2018 17:24:18 CET, Marcus Meissner wrote:
> On Tue, Mar 20, 2018 at 05:14:27PM +0100, Per Jessen wrote:
>> Bjoern Voigt wrote:
>>> Per Jessen wrote:
>>>> Well, I have now determined it is a missing root CA. Firefox has it, but wget/curl/w3m/konqueror do not. I exported it from Firefox (quite an old one), and when I use that with wget, it works.
>>>> I guess Firefox comes with a built-in CA bundle, whereas the others use e.g. /etc/ssl/certs ? (pkg ca-certificates).
>>>
>>> Did it work for you to import the root CA "DigiCert Global Root CA" from Firefox? I tried this, but after that "c_rehash" showed me a duplicate root CA in /etc/ssl/certs. So this was unsuccessful.
>>
>> I exported one called "Geotrust RSA CA 2018" (from memory), rehashed etc.
>>
>>> I think the intermediate certificate "GeoTrust RSA CA 2018" is missing.
>>
>> Haha, right.
>>
>>> Firefox and others handle this somehow differently than OpenSSL based programs.
>>
>> Firefox in older versions has that CA - I exported from a Firefox on openSUSE 12.3.
>>
>> I'm beginning to think this is about an incomplete chain being served, just like ssllabs suggested. I'll have to double check the config.
>
> No, it is just that the certificate is expired:
>
> openssl s_client -connect www.elixseri.com:443
> ...
> Verify return code: 10 (certificate has expired)
> Not Before: Dec 18 21:28:36 2017 GMT
> Not After : Mar 18 21:28:36 2018 GMT
>
> So the letsencrypt refresh is probably stopped.
>
> Ciao, Marcus

Found out recently that letsencrypt renewal fails on apache redirects in the vhost config, and in some cases on (probably redirects too) .htaccess. FYI.

--
Gertjan Lettink, a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
Linux user #548252
Per Jessen wrote:
> I'm beginning to think this is about an incomplete chain being served, just like ssllabs suggested. I'll have to double check the config.

Thanks for your input Björn, it's always helpful with a 2nd pair of eyes. When this certificate was renewed about two weeks ago, it appears that Geotrust used a _new_ intermediate CA. We overlooked that when we updated the certificate.

I ran the site through ssllabs again - grade A+ on ipv4 and ipv6 both.

--
Per Jessen, Zürich (1.7°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.