[Eisfair] curl returned with 60

Olaf Jaehrling eisfair at ojaehrling.de
Tue Oct 19 19:59:44 CEST 2021


Hello Marcus,


Marcus Röckrath wrote on 19.10.21 at 09:37:
> Hello Olaf,
> 
> Olaf Jaehrling wrote:
> 
>>    curl -v https://acme-v02.api.letsencrypt.org/directory
>> *   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
>> * Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
>> * ALPN, offering h2
>> * ALPN, offering http/1.1
>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>> * TLSv1.3 (OUT), TLS alert, certificate expired (557):
>> * SSL certificate problem: certificate has expired
>> * Closing connection 0
>> curl: (60) SSL certificate problem: certificate has expired
> 
> Since the remote server's certificate is certainly not expired, IMHO it can
> only be one in the chain.
> 
> The base-certificate package ships, among others:
> 
> lrwxrwxrwx 1 root   root       16 Oct  5 20:52 4042bcee.0 -> isrg_root_x1.pem
> 
> lrwxrwxrwx 1 root   root       16 Oct  5 20:52 6187b673.0 -> isrg_root_x1.pem
> 
> -rw-r--r-- 1 root   root     1939 Sep 18 17:00 isrg_root_x1.pem

lh /var/certs/ssl/certs/ |grep isrg_root_x1.pem
lrwxrwxrwx 1 root root   16 Sep 18 17:25 4042bcee.0 -> isrg_root_x1.pem
lrwxrwxrwx 1 root root   16 Sep 18 17:25 6187b673.0 -> isrg_root_x1.pem
-rw-r--r-- 1 root root 1.9K Sep 18 17:00 isrg_root_x1.pem


> 
> Whether isrg root x1 is the new root certificate is shown by:
> 
> eis # /var/install/bin/certs-show-chain --nogui isrg_root_x1.pem
> Show certificate chain (run as 'root')
> *
> | certificate : isrg_root_x1.pem (4042bcee)
> | subject     : C = US O = Internet Security Research Group CN = ISRG Root X1
> | issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
> | MD5 f-print : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
> | SHA1 f-print: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
> |
> +-> end of chain!

It looks the same for me:
/var/install/bin/certs-show-chain --nogui isrg_root_x1.pem
Show certificate chain (run as 'root')
*
| certificate : isrg_root_x1.pem (4042bcee)
| subject     : C = US O = Internet Security Research Group CN = ISRG Root X1
| issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
| MD5 f-print : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
| SHA1 f-print: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
|
+-> end of chain!

> 
> If the DST root certificate still appears at the end here, it is the old
> isrg root x1. The old and new certificates have the same hash!
> 
> The r3 also appears in the chain of a letsencrypt certificate:
> 
> lrwxrwxrwx 1 root   root        6 Oct  5 20:52 8d33f237.0 -> r3.pem
> 
> lrwxrwxrwx 1 root   root        6 Oct  5 20:52 dec71a0b.0 -> r3.pem
> 
> -rw-r--r-- 1 root   root     6395 Sep 18 17:00 r3.pem

lh /var/certs/ssl/certs/ |grep r3.pem
lrwxrwxrwx 1 root root    6 Sep 18 17:25 8d33f237.0 -> r3.pem
lrwxrwxrwx 1 root root    6 Sep 18 17:25 dec71a0b.0 -> r3.pem
-rw-r--r-- 1 root root 6.3K Sep 18 17:00 r3.pem




> 
> Don't you have a letsencrypt certificate of your own? What does its chain look like?

Yep, here is the chain

/var/install/bin/certs-show-chain --nogui apache.pem
Show certificate chain (run as 'root')
*
| certificate : apache.pem (960bd6dc)
| subject     : CN = meinedomain.de
| issuer      : C = US O = Lets Encrypt CN = R3
| MD5 f-print : 62:13:60:69:40:CD:45:A9:FB:F4:A2:87:3C:47:A9:74
| SHA1 f-print: D6:59:C5:1D:2D:F4:B1:5F:F6:1D:67:F1:CB:D0:68:8E:05:65:AF:9F
|
+->| certificate : r3.pem (8d33f237)
    | subject     : C = US O = Lets Encrypt CN = R3
    | issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
    | MD5 f-print : E8:29:E6:5D:7C:43:07:D6:FB:C1:3C:17:9E:03:7A:36
    | SHA1 f-print: A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05
    |
    +->| certificate : isrg_root_x1.pem (4042bcee)
       | subject     : C = US O = Internet Security Research Group CN = ISRG Root X1
       | issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
       | MD5 f-print : 0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
       | SHA1 f-print: CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
       |
       +-> end of chain!

checking certificate chain:
* OCSP Response verify OK (online)
   apache.pem: good
     This Update: Oct 17 22:00:00 2021 GMT
     Next Update: Oct 24 21:59:58 2021 GMT

> 

Thanks and regards

Olaf


-- 
Package server: https://ojaehrling.de/eis/index.txt
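
The check discussed in this mail (is the file named isrg_root_x1.pem the self-signed root, or the older one whose chain continues to the DST root?) can be run over saved certs-show-chain output. This is an added example, not part of the original mail or the eisfair tooling; the function names are hypothetical, and OLD_CHAIN with its DST issuer string is constructed.

```python
import re

FIELD = re.compile(r"^(certificate|subject|issuer|MD5 f-print|SHA1 f-print)\s*:\s*(.*)$")

def parse_chain(text):
    """Parse certs-show-chain style output into a list of dicts, leaf first."""
    chain, last_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD.match(re.sub(r"^(\+->)?\|?\s*", "", line))  # drop tree prefix
        if m and (chain or m.group(1) == "certificate"):
            if m.group(1) == "certificate":
                chain.append({})
            last_key = m.group(1)
            chain[-1][last_key] = m.group(2).strip()
        elif last_key and line and line[0] not in "|+*":  # mail-wrapped value
            chain[-1][last_key] = (chain[-1][last_key] + " " + line).strip()
        else:
            last_key = None
    return chain

def variant_of(chain, cn="ISRG Root X1"):
    """'self-signed' or 'cross-signed by <issuer>' for the cert named cn, else None."""
    for cert in chain:
        if cert.get("subject", "").endswith("CN = " + cn):
            issuer = cert.get("issuer", "?")
            return "self-signed" if issuer == cert["subject"] else "cross-signed by " + issuer
    return None

# Shape of the chain output quoted in the thread, keeping one mail-wrapped line.
NEW_CHAIN = """\
| certificate : r3.pem (8d33f237)
| subject     : C = US O = Lets Encrypt CN = R3
| issuer      : C = US O = Internet Security Research Group CN =
ISRG Root X1
+->| certificate : isrg_root_x1.pem (4042bcee)
   | subject     : C = US O = Internet Security Research Group CN = ISRG Root X1
   | issuer      : C = US O = Internet Security Research Group CN = ISRG Root X1
"""

# Constructed: how an old cross-signed file would look (issuer text is assumed).
OLD_CHAIN = """\
| certificate : isrg_root_x1.pem (4042bcee)
| subject     : C = US O = Internet Security Research Group CN = ISRG Root X1
| issuer      : O = Digital Signature Trust Co. CN = DST Root CA X3
"""

if __name__ == "__main__":
    print(variant_of(parse_chain(NEW_CHAIN)), "|", variant_of(parse_chain(OLD_CHAIN)))
```

Because both variants hash to the same link name, the file name and hash alone cannot tell them apart; the issuer field is what separates them.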

