```
$ curl -L https://cloud.centos.org/centos/7/images/
curl: (60) SSL certificate problem: unable to get local issuer certificate
```
Oops, it's obviously not expired. And yet https downloads still worked this morning, and now they fail. So something regressed with the certificate; I just can't put my finger on it yet.
So cloud.centos.org sends a chain with (1) the actual certificate:
```
Data:
    Version: 3 (0x2)
    Serial Number:
        03:d7:1b:be:db:60:0b:7a:71:01:cc:a6:da:6a:6f:7a:f7:2a
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = US, O = Let's Encrypt, CN = R3
    Validity
        Not Before: Jan  4 06:38:29 2021 GMT
        Not After : Apr  4 06:38:29 2021 GMT
    Subject: CN = cloud.centos.org
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)
            Modulus:
                00:98:e8:b5:8a:9d:42:c5:55:9a:45:03:f3:e5:e3:
                e3:e3:1a:90:fe:10:b3:68:2a:0e:dd:cf:8c:7b:c5:
                a3:ee:f0:55:61:c7:c1:15:2a:fc:64:3a:56:81:a7:
                5a:c3:90:96:5e:a4:f0:1a:b4:4d:e7:01:88:b8:b8:
                f4:0c:08:2d:09:57:a7:bb:c7:61:6b:9e:e1:0a:14:
                75:a4:79:6f:3a:06:97:60:39:b7:ea:2b:24:d7:4c:
                ba:b8:50:60:d2:a7:35:9e:4c:01:e2:c4:3c:c5:fe:
                97:89:89:ba:9d:56:f3:a3:a1:95:8d:5d:dd:7e:4b:
                24:83:8a:24:d4:39:fe:ad:8c:67:12:09:72:f4:af:
                ce:b4:69:ff:d1:0f:be:26:dc:e2:c2:2b:61:00:a5:
                9b:86:22:54:fe:4e:7e:f9:e7:52:0e:7a:0e:e1:5a:
                43:4b:87:fe:98:62:e0:66:df:3f:63:ff:9e:c5:02:
                47:74:26:40:ff:b7:73:c8:6a:f7:4d:df:78:d6:ff:
                35:f9:04:7e:e8:6d:d7:e5:40:55:df:c1:f1:d9:42:
                d1:61:2d:fd:7d:c5:8c:5c:89:47:e0:d2:5c:b0:66:
                97:84:52:71:92:5c:fa:06:dc:ef:0f:40:e8:82:05:
                da:99:8d:5f:61:d5:8d:ef:1c:8b:82:58:56:98:89:
                5f:33
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Key Identifier:
            6A:5D:2D:02:55:42:82:97:D5:36:30:51:37:4A:23:D4:5F:D3:87:35
        X509v3 Authority Key Identifier:
            keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
        Authority Information Access:
            OCSP - URI:http://r3.o.lencr.org
            CA Issuers - URI:http://r3.i.lencr.org/
        X509v3 Subject Alternative Name:
            DNS:buildlogs.centos.org, DNS:cloud.centos.org
        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org
        CT Precertificate SCTs:
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:
                            D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
                Timestamp : Jan  4 07:38:30.027 2021 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:DA:7B:01:84:77:C1:BA:19:8E:5C:36:
                            EE:94:9B:1D:CF:B6:29:E6:68:26:80:DC:90:C0:05:F7:
                            67:A4:BD:0C:71:02:20:67:8A:AD:13:AE:02:EC:5B:2E:
                            37:04:28:9F:CC:26:3A:59:AE:4E:4D:73:64:A4:A7:04:
                            AD:CE:B8:E9:1B:A8:C7
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                            E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
                Timestamp : Jan  4 07:38:30.032 2021 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:CB:56:B1:A9:E2:84:EB:80:06:98:DC:
                            6E:9F:1A:3B:3B:E9:31:9A:B8:6C:9B:83:46:1A:98:EA:
                            0E:65:4A:4F:82:02:20:15:E1:B4:F0:23:8F:CD:7B:F1:
                            B7:54:A7:F7:2E:CF:73:DB:42:48:41:84:11:0A:D0:72:
                            7D:15:FF:45:A6:47:63
Signature Algorithm: sha256WithRSAEncryption
```
and (2) the LetsEncrypt CA cert:
```
Data:
    Version: 3 (0x2)
    Serial Number:
        0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
    Validity
        Not Before: Mar 17 16:40:46 2016 GMT
        Not After : Mar 17 16:40:46 2021 GMT
    Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (2048 bit)
            Modulus:
                00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
                68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
                92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
                2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
                79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
                0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
                77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
                ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
                fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
                7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
                fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
                ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
                80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
                25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
                a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
                2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
                0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
                c3:93
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        Authority Information Access:
            OCSP - URI:http://isrg.trustid.ocsp.identrust.com
            CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
        X509v3 Authority Key Identifier:
            keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.root-x1.letsencrypt.org
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl
        X509v3 Subject Key Identifier:
            A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Signature Algorithm: sha256WithRSAEncryption
```
Both are not expired, and cert (1) is brand new. But I don't know where to go from here.
If I use curl with `--cacert /tmp/ca`, where that file is the CA PEM extracted from above, I still get an error. So at first sight the error is with the cert itself; the CA is OK.
@martinpitt : renewed LetsEncrypt certificates are now using a different intermediate CA (R3 instead of X1; see https://letsencrypt.org/certificates/) .. but let me investigate, as it was reflected in how renewed certs were pushed out (and the browser doesn't complain either).
Should be fixed, as just that one was pointing to the wrong CA chain; now (re)deployed/pushed:
```
openssl s_client -connect cloud.centos.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cloud.centos.org
verify return:1
---
SSL handshake has read 3182 bytes and written 482 bytes
Verification: OK
```
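The chain-linkage check that explains the error above, as an added example that is not part of this ticket: it reads the Issuer, Subject and Validity lines in the `openssl x509 -noout -text` layout and reports where the served chain stops linking, which is exactly the condition behind curl's "unable to get local issuer certificate". The sample fragments are constructed: `LEAF` and `OLD_X3` use the names and dates from the two dumps above, and the `R3` intermediate's dates are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample fragments in the layout `openssl x509 -noout -text` prints (only the
# fields read here); LEAF/OLD_X3 follow the ticket's dumps, R3's dates are made up.
LEAF = """Certificate:
        Issuer: C = US, O = Let's Encrypt, CN = R3
            Not Before: Jan  4 06:38:29 2021 GMT
            Not After : Apr  4 06:38:29 2021 GMT
        Subject: CN = cloud.centos.org
"""
OLD_X3 = """Certificate:
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
            Not Before: Mar 17 16:40:46 2016 GMT
            Not After : Mar 17 16:40:46 2021 GMT
        Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""
R3 = """Certificate:
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
            Not Before: Oct  7 00:00:00 2020 GMT
            Not After : Sep 29 00:00:00 2021 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
"""
BROKEN_CHAIN, FIXED_CHAIN = LEAF + OLD_X3, LEAF + R3  # what the server sent / should send

FIELD = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After)\s*:\s*(.+?)\s*$", re.M)

def _when(s):  # "Jan  4 06:38:29 2021 GMT" -> aware UTC datetime (zone name dropped)
    return datetime.strptime(s.rsplit(" ", 1)[0], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """One dict per certificate, in the order the server sent them."""
    certs = []
    for block in text.split("Certificate:")[1:]:
        f = dict(FIELD.findall(block))
        certs.append({"subject": f["Subject"], "issuer": f["Issuer"],
                      "not_before": _when(f["Not Before"]), "not_after": _when(f["Not After"])})
    return certs

def check_chain(certs, now):
    """Problems curl would hit; [] means every link holds and only the last issuer must be in the trust store."""
    problems = []
    for i, c in enumerate(certs):
        if not c["not_before"] <= now <= c["not_after"]:
            problems.append(f"cert {i} ({c['subject']}) is outside its validity period")
        # Each Issuer must equal the next cert's Subject; the ticket's chain breaks here (leaf names R3, server sent X3).
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert {i} issued by '{c['issuer']}' but the next cert sent is "
                            f"'{certs[i + 1]['subject']}': unable to get local issuer")
    return problems
```

Against a live host the input comes from splitting `openssl s_client -showcerts` output and piping each certificate through `openssl x509 -noout -text`. A browser can hide this class of misconfiguration by fetching the missing issuer from the leaf's AIA "CA Issuers" URL, which curl does not do, so the check above is the one to run after a certificate rollout.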
Metadata Update from @arrfab:
- Issue assigned to arrfab

Metadata Update from @arrfab:
- Issue tagged with: centos-common-infra, low-gain, low-trouble

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
Yay, many thanks for the super-fast fix! Confirming that it works again. :clap: