[Eisfair] curl returnd with 60

Marcus Röckrath marcus.roeckrath at gmx.de
Mo Okt 18 09:05:50 CEST 2021 

Hallo Olaf,

Olaf Jaehrling wrote:

> # INFO: Using main config file /etc/dehydrated/config
> ERROR: Problem connecting to server (get for
> https://acme-v02.api.letsencrypt.org/directory; curl returned with 60)
> EXPECTED value GOT -
> Successfully installed: certs_dehydrated (1.1.8)!
> 
> Im Web fand ich dazu das:
>
https://community.letsencrypt.org/t/error-problem-connecting-to-server-get-for-https-acme-v02-api-letsencrypt-org-directory-curl-returned-with-60/149255/14

Das dort zum Test ausgeführte

eis # curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Sep 30 00:18:24 2021 GMT
*  expire date: Dec 29 00:18:23 2021 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's
"acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade:
len=0
* Using Stream ID: 1 (easy handle 0x5270a0)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.77.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx
< date: Mon, 18 Oct 2021 07:01:24 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
< 
{
  "3xK-xM4R8Ik":
"https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService":
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
}

funktioniert klaglos auf meinem eis.

Bügele mal das base-certificate-Paket drüber, vielleicht ist bei die das
ISRG Root X1 mit der DST-signierten Version überschrieben worden.

Trage in /var/certs/ssl/certs-request-ignore-list

r3
isrg_root_x1
isrg_root_x2

ein, damit die zukünftig beim Import von letsencrypt-Zertifikaten geschützt
sind.

-- 
Gruß Marcus
[eisfair-Team]

Mehr Informationen über die Mailingliste Eisfair