On Wed, 6 Jan 2021 at 15:30, Stephen John Smoogen <smooge@gmail.com> wrote:


On Wed, 6 Jan 2021 at 14:40, Leon Fauster via CentOS-devel <centos-devel@centos.org> wrote:
On a C8 station:

LANG=C curl -I https://koji.mbox.centos.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

This worked a couple of days ago. Any hints?


Works for me.

[smooge@xanadu ~]$ rpm -qa | grep openssl
openssl-1.1.1g-11.el8.x86_64
apr-util-openssl-1.6.1-6.el8.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
openssl-libs-1.1.1g-11.el8.x86_64
[smooge@xanadu ~]$ uname -a
Linux xanadu.int.smoogespace.com 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[smooge@xanadu ~]$ LANG=C curl -I https://koji.mbox.centos.org
HTTP/1.1 302 Found
Date: Wed, 06 Jan 2021 20:30:08 GMT
Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
Location: https://koji.mbox.centos.org/koji/
Connection: close
Content-Type: text/html; charset=iso-8859-1


Added some -v to see if that might give some clues as to why it is working for me. Let's Encrypt recently upgraded their middle keys, so the older one might be cached/installed somewhere?

[smooge@xanadu ~]$ LANG=C curl -vvv -I https://koji.mbox.centos.org
* Rebuilt URL to: https://koji.mbox.centos.org/
*   Trying 8.43.84.206...
* TCP_NODELAY set
* Connected to koji.mbox.centos.org (8.43.84.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=koji.mbox.centos.org
*  start date: Jan  4 06:56:29 2021 GMT
*  expire date: Apr  4 06:56:29 2021 GMT
*  subjectAltName: host "koji.mbox.centos.org" matched cert's "koji.mbox.centos.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: koji.mbox.centos.org
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Wed, 06 Jan 2021 20:31:21 GMT
Date: Wed, 06 Jan 2021 20:31:21 GMT
< Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
< Location: https://koji.mbox.centos.org/koji/
Location: https://koji.mbox.centos.org/koji/
< Connection: close
Connection: close
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

--
Leon

_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
https://lists.centos.org/mailman/listinfo/centos-devel


--
Stephen J Smoogen.


