[SOLVED] Jessie wget: certificate not trusted, was: Jessie iceweasel: This Connection is Untrusted


Thomas Schmitt

Oct 4, 2021, 6:00:05 AM
Hi,

mett wrote:
> the final solution is:
> -disable the certs with an ! before the cert name
> (vi /etc/ca-certificates.conf: !DST_Root_CA_X3.crt)
> -then, rebuild the cert directory (update-ca-certificates --fresh)

Indeed this brought success with wget on the Debian 8 machine.

$ wget https://lists.debian.org
...
2021-10-04 11:48:12 (7.34 MB/s) - ‘index.html’ saved [7533/7533]
$

I copied
/usr/share/ca-certificates
/etc/ca-certificates.conf
/etc/ssl/certs
from the Debian 10 machine (dist-upgraded last week) to the Debian 8.
But with or without a run of
update-ca-certificates --fresh
wget did not work.
The proposal of mett finally got wget to download lists.debian.org with
certificate check enabled.


Now i am puzzled why this operation is not necessary on Debian 10 from
where the file /etc/ca-certificates.conf was copied.
The entry is in /etc/ca-certificates.conf,
DST_Root_CA_X3.crt exists in /usr/share/ca-certificates,
the link DST_Root_CA_X3.pem exists in /etc/ssl/certs.
Nevertheless wget works on my Debian 10 with https://lists.debian.org.


> -then, restart your servers.

I am not aware of any servers on the Debian 8 machine which would have to
do with certificates. I did not have to restart anything after
update-ca-certificates --fresh
wget worked immediately after.

Do SSL clients depend on a local service ?


Have a nice day :)

Thomas

mett

Oct 5, 2021, 10:40:06 AM
Maybe the default CA for Let's Encrypt
are different on Debian 8 and Debian 9/10.

>
> > -then, restart your servers.
>
> I am not aware of any servers on the Debian 8 machine which would have to
> do with certificates. I had not to restart anything after
> update-ca-certificates --fresh
> wget worked immediately after.
>
> Do SSL clients depend on a local service ?
SSL clients do not depend on a local service.
Just I had a similar problem with
different parameters:
-a debian 8 server
-and php.
That is why I said restart your servers
(thinking apache and php-fpm).

Sorry for that.

>
>
> Have a nice day :)
>
> Thomas
>
Have a nice day too!

Thomas Schmitt

Oct 5, 2021, 12:00:06 PM
Hi,

i wrote:
> > The proposal of mett finally got wget to download lists.debian.org with
> > certificate check enabled.
> > [...]
> > Now i am puzzled why this operation is not necessary on Debian 10 from
> > where the file /etc/ca-certificates.conf was copied.
> > The entry is in /etc/ca-certificates.conf,
> > DST_Root_CA_X3.crt exists in /usr/share/ca-certificates,
> > the link DST_Root_CA_X3.pem exists in /etc/ssl/certs.
> > Nevertheless wget works on my Debian 10 with https://lists.debian.org.

mett wrote:
> Maybe the default CA for Let's Encrypt
> are different on Debian 8 and Debian 9/10.

Meanwhile the users of the GNU savannah server got informed that such
problems are related to a bug in SSL software. One of the links given is:

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

Your proposal is there mentioned as
"Workaround 1 (on clients with OpenSSL 1.0.2)"

So my three certificate problems each have a different solution:

- Debian 8 iceweasel (firefox) did not know the new certificate ISRG_Root_X1
before i copied it from Debian (as of July 2020). I had to "import"
this certificate by the browser's GUI.
Iceweasel does not suffer from the bug that lets the outdated
DST_Root_CA_X3 spoil the certification handshake.

- Debian 10 wget as of July 2020 had the ISRG_Root_X1 certificate but also
the bug, which came out of its egg on September 30, 2021, 14:01:15 GMT.
dist-upgrade to October 2021 obviously fixed the bug.
Now the old DST_Root_CA_X3 still exists but does not spoil wget any more.

- Debian 8 wget has the bug and lacked the ISRG_Root_X1 certificate.
So it needed that certificate file from Debian 10 in /etc/ssl/certs.
Because of the bug it needed DST_Root_CA_X3 to be hidden.


mett wrote:
> > > -then, restart your servers.

i wrote:
> > Do SSL clients depend on a local service ?

mett wrote:
> SSL clients do not depend on a local service.
> I said restart your servers
> (thinking apache and php-fpm).
> Sorry for that.

Among all my confusions and all the red herrings in the web, this was the
least problem. I have to thank you for giving the decisive hint several
days before i found a plausible explanation.


------------------------------------------------------------------------

I meanwhile learned that

openssl s_client -CApath /etc/ssl/certs -showcerts \
-connect lists.debian.org:443 < /dev/null

tells the certificates which are involved.

Now it says in the beginning of its output

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate

instead of previously when wget did not work:

depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Googling "DST_Root_CA_X3" then gives good hints.
(Googling "unable to get local issuer certificate" gives new riddles.)
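As an added illustration (not code from the thread), a small Python script that parses the two kinds of `openssl s_client` verify output quoted above, tells the expired-chain-member case (error 10, the DST Root CA X3 situation) apart from the missing-root case (error 20), and applies the `!` blacklist entry to a ca-certificates.conf text the way mett's fix does. The sample outputs and conf lines are constructed; real Debian conf entries carry a `mozilla/` prefix, which the basename match tolerates.

```python
import re
from datetime import datetime

# Constructed samples: the two verify outputs quoted in the thread, and a
# trimmed /etc/ca-certificates.conf (real entries carry a mozilla/ prefix).
OUT_EXPIRED = """depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
"""
OUT_NO_ISSUER = """depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
"""
CONF = "mozilla/DST_Root_CA_X3.crt\nmozilla/ISRG_Root_X1.crt\n"

def parse_verify_errors(output):
    """One dict per 'verify error' line, with the CN of the preceding
    depth= line and the notAfter= date if one follows."""
    errors, subject = [], None
    for line in output.splitlines():
        if line.startswith("depth="):
            m = re.search(r"CN = ([^,]+)", line)
            subject = m.group(1).strip() if m else line
        elif line.startswith("verify error:num="):
            num, _, reason = line[len("verify error:num="):].partition(":")
            errors.append({"cn": subject, "num": int(num),
                           "reason": reason, "not_after": None})
        elif line.startswith("notAfter=") and errors:
            errors[-1]["not_after"] = datetime.strptime(
                line[len("notAfter="):], "%b %d %H:%M:%S %Y %Z")
    return errors

def diagnose(output):
    """Expired chain member (error 10) -> name of the .crt file to blacklist;
    root not in the local store (error 20) -> nothing to blacklist."""
    for e in parse_verify_errors(output):
        if e["num"] == 10 and e["not_after"] is not None:
            return "expired", e["cn"], e["cn"].replace(" ", "_") + ".crt"
        if e["num"] == 20:
            return "missing_issuer", e["cn"], None
    return "ok", None, None

def disable_in_conf(conf_text, cert_file):
    """Prefix the matching conf entry with '!' (then run
    update-ca-certificates --fresh). Matches on basename; idempotent."""
    out = []
    for line in conf_text.splitlines():
        name = line.lstrip("!").rsplit("/", 1)[-1]
        if name == cert_file and not line.startswith("!"):
            line = "!" + line
        out.append(line)
    return "\n".join(out) + "\n"
```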