[Eisfair] curl returned with 60

Marcus Röckrath marcus.roeckrath at gmx.de
Tue Oct 19 09:37:42 CEST 2021


Hello Olaf,

Olaf Jaehrling wrote:

>   curl -v https://acme-v02.api.letsencrypt.org/directory
> *   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
> * Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> * TLSv1.3 (OUT), TLS alert, certificate expired (557):
> * SSL certificate problem: certificate has expired
> * Closing connection 0
> curl: (60) SSL certificate problem: certificate has expired

Since the remote server's certificate has certainly not expired, IMHO it can
only be one of the certificates in the chain.

Among other things, the base-certificate package ships with:

lrwxrwxrwx 1 root   root       16 Oct  5 20:52 4042bcee.0 -> isrg_root_x1.pem
lrwxrwxrwx 1 root   root       16 Oct  5 20:52 6187b673.0 -> isrg_root_x1.pem
-rw-r--r-- 1 root   root     1939 Sep 18 17:00 isrg_root_x1.pem

Whether this isrg root x1 is the new root certificate is shown by:

eis # /var/install/bin/certs-show-chain --nogui isrg_root_x1.pem 
Show certificate chain (run as 'root')
*
| certificate : isrg_root_x1.pem (4042bcee)
| subject     : C = US O = Internet Security Research Group CN = ISRG Root X1
| issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
| MD5 f-print : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
| SHA1 f-print: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
|
+-> end of chain!

If the DST root certificate still appears at the end here, it is the old
isrg root x1. The old and the new certificate have the same hash!

The r3 certificate also appears in the chain of a letsencrypt certificate:

lrwxrwxrwx 1 root   root        6 Oct  5 20:52 8d33f237.0 -> r3.pem

lrwxrwxrwx 1 root   root        6 Oct  5 20:52 dec71a0b.0 -> r3.pem

-rw-r--r-- 1 root   root     6395 Sep 18 17:00 r3.pem

Its chain:

eis # /var/install/bin/certs-show-chain --nogui r3.pem
Show certificate chain (run as 'root')
*
| certificate : r3.pem (8d33f237)
| subject     : C = US O = Lets Encrypt CN = R3
| issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
| MD5 f-print : E8:29:E6:5D:7C:43:07:D6:FB:C1:3C:17:9E:03:7A:36
| SHA1 f-print: A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05
|
+->| certificate : isrg_root_x1.pem (4042bcee)
   | subject     : C = US O = Internet Security Research Group CN = ISRG Root X1
   | issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
   | MD5 f-print : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
   | SHA1 f-print: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
   |
   +-> end of chain!

Don't you have a letsencrypt certificate of your own? What does its chain look like?

-- 
Regards, Marcus
[eisfair-Team]
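To find out which link of the chain curl is rejecting, here is an added shell example; it is not code from the eisfair list, from the base-certificate package or from certs-show-chain. It assumes openssl is in PATH, and the host, port and CA bundle path are placeholders passed as arguments, not values from the original post. It fetches the chain the server presents, prints subject, issuer and notAfter for every link, marks the ones that have already expired, and finally verifies the leaf against the local trust store.

```shell
#!/bin/sh
# Added example, not code from the eisfair list or the base-certificate package.
# Fetches the certificate chain a TLS server presents, prints subject, issuer
# and notAfter of every link, flags expired ones (the cause of curl exit 60)
# and finally verifies the leaf against a local CA bundle.
# Assumptions: openssl is in PATH; host, port and the CA bundle path are
# supplied as arguments (placeholders, not values from the original post).

# Split a PEM bundle read from stdin into DIR/cert-1.pem, DIR/cert-2.pem, ...
# Pure awk so it also works where openssl is absent; prints the count.
split_pem_bundle() {
    dir="$1"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    '
}

# Print subject, issuer and notAfter for every certificate file in DIR and
# mark the ones whose notAfter already lies in the past.
describe_certs() {
    dir="$1"
    # glob order is lexical, which is fine for the usual 2-4 link chains
    for f in "$dir"/cert-*.pem; do
        [ -f "$f" ] || continue
        printf '== %s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        # -checkend 0 exits non-zero when the certificate has already expired
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            printf '   !! EXPIRED: this link of the chain is what curl rejects\n'
        fi
    done
}

# Connect to HOST:PORT, dump the presented chain, describe it and verify the
# leaf (cert-1) with the other presented certificates as untrusted
# intermediates and CA_BUNDLE (optional) as the trust anchor.
check_server_chain() {
    host="$1"; port="${2:-443}"; ca_bundle="$3"
    tmp=$(mktemp -d) || return 1
    # </dev/null ends the session right after the handshake;
    # -showcerts makes s_client print every certificate the server sent
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | split_pem_bundle "$tmp" >/dev/null
    describe_certs "$tmp"

    # everything except the leaf goes into one "untrusted" intermediates file
    untrusted="$tmp/intermediates.pem"
    : > "$untrusted"
    for f in "$tmp"/cert-*.pem; do
        [ -f "$f" ] || continue
        [ "$f" = "$tmp/cert-1.pem" ] || cat "$f" >> "$untrusted"
    done
    set --
    if [ -s "$untrusted" ]; then set -- -untrusted "$untrusted"; fi
    if [ -n "$ca_bundle" ]; then set -- "$@" -CAfile "$ca_bundle"; fi
    openssl verify "$@" "$tmp/cert-1.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh check_chain.sh HOST [PORT] [CA_BUNDLE]
if [ "$#" -gt 0 ]; then
    check_server_chain "$@"
fi
```

Run it once without a CA bundle to see what the system trust store makes of the chain, and once with the bundle the base-certificate package installs; a line marked EXPIRED, or a verify error naming a certificate that is not the server's own, points at the stale link in the chain rather than at the leaf.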

