Re: [SOLVED] Jessie wget: certificate not trusted
Hi,
i wrote:
> > The proposal of mett finally got wget to download lists.debian.org with
> > certificate check enabled.
> > [...]
> > Now i am puzzled why this operation is not necessary on Debian 10 from
> > where the file /etc/ca-certificates.conf was copied.
> > The entry is in /etc/ca-certificates.conf,
> > DST_Root_CA_X3.crt exists in /usr/share/ca-certificates,
> > the link DST_Root_CA_X3.pem exists in /etc/ssl/certs.
> > Nevertheless wget works on my Debian 10 with https://lists.debian.org.
met wrote:
> Maybe the default CA for Let's Encrypt
> are different on Debian 8 and Debian 9/10.
Meanwhile the users of the GNU savannah server got informed that such
problems are related to a bug in SSL software. One of the links given is:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
Your proposal is mentioned there as
"Workaround 1 (on clients with OpenSSL 1.0.2)"
So my three certificate problems each have a different solution:
- Debian 8 iceweasel (firefox) did not know the new certificate ISRG_Root_X1
before i copied it from Debian (as of July 2020). I had to "import"
this certificate by the browser's GUI.
Iceweasel does not suffer from the bug that lets the outdated
DST_Root_CA_X3 spoil the certification handshake.
- Debian 10 wget as of July 2020 had the ISRG_Root_X1 certificate but also
the bug, which came out of its egg on September 30, 2021, 14:01:15 GMT.
dist-upgrade to October 2021 obviously fixed the bug.
Now the old DST_Root_CA_X3 still exists but does not spoil wget any more.
- Debian 8 wget has the bug and lacked the ISRG_Root_X1 certificate.
So it needed that certificate file from Debian 10 in /etc/ssl/certs.
Because of the bug it needed DST_Root_CA_X3 to be hidden.
mett wrote:
> > > -then, restart your servers.
i wrote:
> > Do SSL clients depend on a local service ?
mett wrote:
> SSL clients do not depend on a local service.
> I said restart your servers
> (thinking apache and php-fpm).
> Sorry for that.
Among all my confusions and all the red herrings in the web, this was the
least problem. I have to thank you for giving the decisive hint several
days before i found a plausible explanation.
------------------------------------------------------------------------
I meanwhile learned that
openssl s_client -CApath /etc/ssl/certs -showcerts \
-connect lists.debian.org:443 < /dev/null
tells the certificates which are involved.
Now it says in the beginning of its output
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
instead of previously when wget did not work:
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
Googling "DST_Root_CA_X3" then gives good hints.
(Googling "unable to get local issuer certificate" gives new riddles.)
Have a nice day :)
Thomas
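A small parser for the `openssl s_client` output quoted above, added here as example code (not from the post, Debian or OpenSSL): it takes the deepest `depth=` line as the root the server's chain leads to, pairs each `verify error` with that depth, reads `notAfter`, and maps the two error numbers seen in the thread to what the thread found. The sample inputs are constructed from the two outputs quoted in the message.

```python
"""Interpret the verify lines that openssl s_client prints before the handshake."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.+)$")

# Constructed samples, copied from the two outputs quoted in the post.
EXPIRED_OUTPUT = """depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
"""
CURRENT_OUTPUT = """depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
"""

@dataclass
class ChainReport:
    top_depth: int = -1            # highest depth seen = the root end of the chain
    top_subject: str = ""
    errors: list = field(default_factory=list)   # (depth, num, text)
    not_after: Optional[datetime] = None

    @property
    def root_name(self) -> str:
        m = re.search(r"CN = ([^,]+)", self.top_subject)
        return m.group(1) if m else self.top_subject

    def advice(self) -> str:
        nums = {n for _, n, _ in self.errors}
        if 10 in nums and "DST Root CA X3" in self.top_subject:
            return ("chain ends at the expired DST Root CA X3: an OpenSSL 1.0.2 client "
                    "only verifies if that root is removed from its trust store")
        if 20 in nums:
            return f"no local issuer for '{self.root_name}' in the -CApath store"
        return "chain verified" if not nums else "; ".join(t for _, _, t in self.errors)

def parse_s_client(output: str) -> ChainReport:
    rep, depth = ChainReport(), -1
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))
            if depth > rep.top_depth:
                rep.top_depth, rep.top_subject = depth, m.group(2)
        elif m := ERROR_RE.match(line):
            rep.errors.append((depth, int(m.group(1)), m.group(2)))
        elif m := NOTAFTER_RE.match(line):
            rep.not_after = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return rep
```

Feed it the output of `openssl s_client -CApath /etc/ssl/certs -showcerts -connect host:443 < /dev/null`; a depth=3 chain ending at DST Root CA X3 is the long cross-signed chain, a depth=2 chain ending at ISRG Root X1 is the short one.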