
Trust anchor for certification path not found (openHAB / GPSTracker / Apache proxy / Let's Encrypt / ISRG Root X1 root CA) about android HOT 3 CLOSED

nikagl avatar nikagl commented on June 15, 2024
Trust anchor for certification path not found (openHAB / GPSTracker / Apache proxy / Let's Encrypt / ISRG Root X1 root CA)


Comments (3)

nikagl avatar nikagl commented on June 15, 2024 1

Well... it took a while to debug, but the cause was the way the certificates are extracted from the Windows certificate store using certutil, extracting the key and certs from it. It only extracted the key and main cert and not the root/intermediate CA certs. I have added extracting those as well, concatenated the two extracted files (main cert first, root/intermediate after it) and now it seems to work fine 👍

Thanks again @growse !


growse avatar growse commented on June 15, 2024

Curl doesn't like your server response:

$ curl https://openhab.gersonlohman.nl/gpstracker/owntracks
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Openssl doesn't like it either:

$  </dev/null openssl s_client -connect openhab.gersonlohman.nl:443 -showcerts  2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = gersonlohman.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 20 07:09:34 2022 GMT; NotAfter: Jan 18 07:09:33 2023 GMT
-----BEGIN CERTIFICATE-----
MII[...]Q==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = gersonlohman.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2365 bytes and written 418 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A086E3F56D522C3382B414C8F9FA9D93FC08AE9D9276D10ABF344308F73F03EA
    Session-ID-ctx:
    Master-Key: 33EAFCE430A8A914E87DE15D996403314EA5D9C9F8443A20B74E528D31136EEFDEA44C4A717703CF5E5FB1AA892B0C49
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c1 0b 1c c7 c4 49 b7 6e-66 e5 64 20 d2 a7 78 d5   .....I.nf.d ..x.
    0010 - 59 14 bb c5 7c 8d a1 80-4d e2 4e ba 6b c1 c2 0b   Y...|...M.N.k...
    0020 - 02 9c e0 18 ff b6 06 f9-1e c8 0c 5b 07 94 59 35   ...........[..Y5
    0030 - 1f 19 f5 e5 22 3d d4 13-1e 7a 4f c8 e2 2d ee 4e   ...."=...zO..-.N
    0040 - 6b 08 43 75 0b 53 03 62-18 f5 5f 0b 5f b8 81 78   k.Cu.S.b.._._..x
    0050 - 9e 01 35 3b 91 e6 1b 23-97 f7 ad 70 1a e9 83 98   ..5;...#...p....
    0060 - 8d ef a8 ce 98 2e 38 0f-c5 ef 99 06 a7 8f 3a 42   ......8.......:B
    0070 - bb 83 8d 68 b5 1b 0c 31-c2 82 ee bf 31 1d 7d cf   ...h...1....1.}.
    0080 - 6f 25 bb a7 4e 4e df 35-b7 30 b1 76 1d 13 ad f5   o%..NN.5.0.v....
    0090 - 8c c8 33 2d d9 cd 2c c9-6c 79 cf 27 02 a5 fc a6   ..3-..,.ly.'....
    00a0 - 15 f7 4b d1 41 73 e2 65-fc f5 78 10 42 45 b5 d9   ..K.As.e..x.BE..
    00b0 - 82 2d a5 85 80 48 4d 16-2c fc 97 ff 4c 51 a2 02   .-...HM.,...LQ..
    00c0 - 97 47 2c 1b cf ef a5 e1-56 6f f0 ba ff ad 94 3c   .G,.....Vo.....<
    00d0 - aa a4 55 a4 ca 77 19 95-b6 36 ff 98 72 be 24 47   ..U..w...6..r.$G

    Start Time: 1666377396
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---

The key bit here is Verification error: unable to verify the first certificate. The webserver is only sending a single certificate, where it actually needs to be sending the whole chain. Compare the openssl output with what you get if you query example.com, where you see both the leaf cert (for example.com) and the DigiCert Global Root CA cert that signed it.

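An added example, not code from this thread or the OwnTracks project, that reproduces the check growse describes without a network connection: it parses just enough DER to read each certificate's subject and issuer, orders the certificates leaf first (the layout the server has to send), and reports when the chain stops at the leaf. The sample certificates are constructed stand-ins that copy only the X.509 field layout; the names gersonlohman.com, R3 and ISRG Root X1 are taken from the thread.

```python
import base64, re

def pem_to_ders(text):  # DER bytes of every CERTIFICATE block in a PEM file, in file order
    return [base64.b64decode(b) for b in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", text, re.S)]

def der_tlv(buf, pos=0):  # decode one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # (tag, value) of every TLV directly inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def subject_issuer(der):  # (subject, issuer) Name DER of an X.509 cert, matched as raw bytes
    fields = der_children(der_children(der_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version field
        fields = fields[1:]
    return fields[4][1], fields[2][1]  # serialNumber, signature, issuer, validity, subject, ...

def order_chain(ders):
    """Return (leaf-first chain, ends_at_self_signed_root); a 1-element chain is the thread's bug."""
    info = [subject_issuer(d) for d in ders]
    issuers = {iss for _, iss in info}
    (k,) = [i for i, (subj, _) in enumerate(info) if subj not in issuers]  # exactly one leaf expected
    chain = [ders[k]]
    while info[k][0] != info[k][1]:  # stop at a self-signed root
        nxt = [j for j, (s, _) in enumerate(info) if s == info[k][1]]
        if not nxt:
            return chain, False  # next issuer must be a root in the client's trust store
        k = nxt[0]
        chain.append(ders[k])
    return chain, True

def fake_cert(subject, issuer):  # constructed stand-in with real X.509 layout, NOT a valid signed cert
    der = lambda tag, p: bytes([tag, len(p)]) + p  # short-form lengths only (payload < 128 bytes)
    name = lambda s: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, s.encode()))))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    leaf, r3 = fake_cert("gersonlohman.com", "R3"), fake_cert("R3", "ISRG Root X1")
    print(len(order_chain([leaf])[0]), "cert served: chain stops at the leaf")
    print(len(order_chain([r3, leaf])[0]), "certs, reordered leaf first: fullchain")
```

For a real server, feed `pem_to_ders` the `-showcerts` output from the openssl command above (or the exported certutil files) and check that `order_chain` returns more than the leaf.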

nikagl avatar nikagl commented on June 15, 2024

Superb Andrew, absolutely appreciate the help (great troubleshooting steps which will help me with any SSL issues in the near future). Will investigate why Apache is only sending the main cert and not the whole chain. Might be the way I generate the certificate (with Certify the web) or the way the certificate is used in httpd-ssl.conf. Will close the issue (as it seems to be my tooling, not owntracks) but will update here when I figure it out to make sure the solution is still tracked.

