On a C8 station:
LANG=C curl -I https://koji.mbox.centos.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
this worked a couple of days ago. Any hints?
-- Leon
On Wed, 6 Jan 2021 at 14:40, Leon Fauster via CentOS-devel <centos-devel@centos.org> wrote:
> On a C8 station:
> LANG=C curl -I https://koji.mbox.centos.org
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.haxx.se/docs/sslcerts.html
> this worked a couple of days ago. Any hints?

works for me

[smooge@xanadu ~]$ rpm -qa | grep openssl
openssl-1.1.1g-11.el8.x86_64
apr-util-openssl-1.6.1-6.el8.x86_64
openssl-pkcs11-0.4.10-2.el8.x86_64
openssl-libs-1.1.1g-11.el8.x86_64
[smooge@xanadu ~]$ uname -a
Linux xanadu.int.smoogespace.com 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[smooge@xanadu ~]$ LANG=C curl -I https://koji.mbox.centos.org
HTTP/1.1 302 Found
Date: Wed, 06 Jan 2021 20:30:08 GMT
Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
Location: https://koji.mbox.centos.org/koji/
Connection: close
Content-Type: text/html; charset=iso-8859-1

> -- Leon
> CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
On Wed, 6 Jan 2021 at 15:30, Stephen John Smoogen <smooge@gmail.com> wrote:
> On Wed, 6 Jan 2021 at 14:40, Leon Fauster via CentOS-devel <centos-devel@centos.org> wrote:
>> On a C8 station:
>> LANG=C curl -I https://koji.mbox.centos.org
>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>> this worked a couple of days ago. Any hints?
>
> works for me
>
> [smooge@xanadu ~]$ rpm -qa | grep openssl
> openssl-1.1.1g-11.el8.x86_64
> apr-util-openssl-1.6.1-6.el8.x86_64
> openssl-pkcs11-0.4.10-2.el8.x86_64
> openssl-libs-1.1.1g-11.el8.x86_64
> [smooge@xanadu ~]$ uname -a
> Linux xanadu.int.smoogespace.com 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> [smooge@xanadu ~]$ LANG=C curl -I https://koji.mbox.centos.org
> HTTP/1.1 302 Found
> Date: Wed, 06 Jan 2021 20:30:08 GMT
> Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
> Location: https://koji.mbox.centos.org/koji/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1

Added some -v to see if that might give some clues to why it is working for me. Letsencrypt recently upgraded their middle keys so the older one might be cached/installed somewhere?

[smooge@xanadu ~]$ LANG=C curl -vvv -I https://koji.mbox.centos.org
* Rebuilt URL to: https://koji.mbox.centos.org/
*   Trying 8.43.84.206...
* TCP_NODELAY set
* Connected to koji.mbox.centos.org (8.43.84.206) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=koji.mbox.centos.org
*  start date: Jan  4 06:56:29 2021 GMT
*  expire date: Apr  4 06:56:29 2021 GMT
*  subjectAltName: host "koji.mbox.centos.org" matched cert's "koji.mbox.centos.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: koji.mbox.centos.org
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Wed, 06 Jan 2021 20:31:21 GMT
Date: Wed, 06 Jan 2021 20:31:21 GMT
< Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
< Location: https://koji.mbox.centos.org/koji/
Location: https://koji.mbox.centos.org/koji/
< Connection: close
Connection: close
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

>> -- Leon
-- Stephen J Smoogen.
On 06.01.21 at 21:30, Stephen John Smoogen wrote:
> On Wed, 6 Jan 2021 at 14:40, Leon Fauster via CentOS-devel <centos-devel@centos.org> wrote:
>> On a C8 station:
>> LANG=C curl -I https://koji.mbox.centos.org
>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>> More details here: https://curl.haxx.se/docs/sslcerts.html
>> this worked a couple of days ago. Any hints?
>
> works for me
>
> [smooge@xanadu ~]$ rpm -qa | grep openssl
> openssl-1.1.1g-11.el8.x86_64
> apr-util-openssl-1.6.1-6.el8.x86_64
> openssl-pkcs11-0.4.10-2.el8.x86_64
> openssl-libs-1.1.1g-11.el8.x86_64
> [smooge@xanadu ~]$ uname -a
> Linux xanadu.int.smoogespace.com 4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14 14:37:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> [smooge@xanadu ~]$ LANG=C curl -I https://koji.mbox.centos.org
> HTTP/1.1 302 Found
> Date: Wed, 06 Jan 2021 20:30:08 GMT
> Server: Apache/2.4.39 (Fedora) mod_wsgi/4.6.4 Python/2.7 OpenSSL/1.1.1b
> Location: https://koji.mbox.centos.org/koji/
> Connection: close
> Content-Type: text/html; charset=iso-8859-1

Two hours later: It works again here, now. I have no idea what caused the above response. Sorry for the noise. Thanks for the feedback, Leon
On 06/01/2021 23:45, Leon Fauster via CentOS-devel wrote:
> On 06.01.21 at 21:30, Stephen John Smoogen wrote:
> <snip>
> Two hours later: It works again here, now. I have no idea what caused the above response. Sorry for the noise. Thanks for the feedback, Leon

Hi Leon,

Reading inbox and so commenting just today:

As smooge pointed out, LetsEncrypt recently switched Intermediate CA cert (see https://letsencrypt.org/certificates/) from X1 to R3

It was reflected in our ansible automation *but* for that particular haproxy chain in front of openshift (for koji.mbox) it wasn't pointing to the correct CAChain crt file (that needs to be concatenated)

That was identified and fixed in the meantime and an extra step was added to automatically recheck, before pushing to git, the certs deployed then by ansible (as LetsEncrypt new CA validity is clearly shorter than before, so they'll even rotate the intermediate CA more frequently)

So I guess you tried just before the following fix was pushed/deployed :-)

Kind Regards,
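What Fabian describes (the leaf was issued by the new R3 intermediate, as Stephen's `curl -v` output shows, but the haproxy chain file still carried the old intermediate, so clients could not build a path to a trusted root) is exactly what a pre-push check on the concatenated chain file catches. The script below is an added example, not the CentOS infra ansible code: it walks each certificate's DER just far enough to pull out subject and issuer (no signature verification), then checks that the chain is leaf-first, that every issuer matches the next certificate's subject, and that the last link is anchored in a given trust store. The `chain.crt`/`roots.pem` arguments, the `fake_cert_pem` fixtures (unsigned, structurally valid stand-ins) and all names in them are constructed for the example.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3


def pem_to_der_blocks(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def subject_issuer(der):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name TLVs."""
    _, s, e = _tlv(der, 0)                              # Certificate SEQUENCE
    _, tbs = next(_children(der, s, e))                 # tbsCertificate
    _, ts, te = _tlv(tbs, 0)
    fields = list(_children(tbs, ts, te))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def common_name(name_der):
    """Extract the CN attribute from a DER Name, for readable diagnostics."""
    _, s, e = _tlv(name_der, 0)
    for _, rdn in _children(name_der, s, e):            # each RDN is a SET
        _, rs, rend = _tlv(rdn, 0)
        for _, attr in _children(rdn, rs, rend):        # SEQUENCE { OID, value }
            _, as_, aend = _tlv(attr, 0)
            (_, oid), (_, value) = _children(attr, as_, aend)
            _, os_, oend = _tlv(oid, 0)
            if oid[os_:oend] == CN_OID:
                _, vs, vend = _tlv(value, 0)
                return value[vs:vend].decode("utf-8", "replace")
    return "<no CN>"


def check_chain(chain_pem, roots_pem):
    """Return (ok, problems): chain must be leaf-first, each issuer must equal the
    next certificate's subject, and the last link must be anchored in roots_pem."""
    certs = [subject_issuer(d) for d in pem_to_der_blocks(chain_pem)]
    roots = {subject_issuer(d)[0] for d in pem_to_der_blocks(roots_pem)}
    if not certs:
        return False, ["no CERTIFICATE blocks found in chain file"]
    problems = []
    for i in range(len(certs) - 1):
        (subj, iss), (next_subj, _) = certs[i], certs[i + 1]
        if iss != next_subj:                            # the stale-intermediate case
            problems.append(f"cert {i} ({common_name(subj)}) is issued by {common_name(iss)!r}, "
                            f"but cert {i + 1} is {common_name(next_subj)!r}: wrong intermediate")
    last_subj, last_iss = certs[-1]
    if last_iss not in roots and last_subj not in roots:
        problems.append(f"chain ends at {common_name(last_subj)!r} (issued by "
                        f"{common_name(last_iss)!r}), which is not in the trust store")
    return not problems, problems


# --- constructed fixtures: unsigned stand-in certificates, only for exercising the check ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    """Structurally valid, unsigned certificate carrying only the fields check_chain reads."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"210101000000Z") + _der(0x17, b"210401000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:                              # usage: chain_check.py chain.crt roots.pem
        ok, problems = check_chain(open(sys.argv[1]).read(), open(sys.argv[2]).read())
    else:                                               # demo: leaf from R3 on top of a stale intermediate
        leaf = fake_cert_pem("koji.example.test", "R3")
        stale = fake_cert_pem("OLD-INTERMEDIATE (placeholder)", "OLD-ROOT (placeholder)")
        ok, problems = check_chain(leaf + stale, fake_cert_pem("ISRG Root X1", "ISRG Root X1"))
    print("OK" if ok else "FAIL")
    for p in problems:
        print(" -", p)
```

Run with no arguments to see the failure mode reproduced on the constructed certificates, or with the chain file and a trust bundle (on EL8 the curl output above names /etc/pki/tls/certs/ca-bundle.crt) as a gate before the certs are committed. Subject and issuer are compared as raw DER, which is how most verifiers match them in practice; a non-zero exit or a `FAIL` line is the signal that the concatenated intermediate no longer matches what the CA issued the leaf under.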
On 07.01.21 at 08:41, Fabian Arrotin wrote:
> On 06/01/2021 23:45, Leon Fauster via CentOS-devel wrote:
>> Two hours later: It works again here, now. I have no idea what caused the above response. Sorry for the noise. Thanks for the feedback, Leon
>
> Hi Leon,
>
> Reading inbox and so commenting just today:
>
> As smooge pointed out, LetsEncrypt recently switched Intermediate CA cert (see https://letsencrypt.org/certificates/) from X1 to R3
>
> It was reflected in our ansible automation *but* for that particular haproxy chain in front of openshift (for koji.mbox) it wasn't pointing to the correct CAChain crt file (that needs to be concatenated)
>
> That was identified and fixed in the meantime and an extra step was added to automatically recheck, before pushing to git, the certs deployed then by ansible (as LetsEncrypt new CA validity is clearly shorter than before, so they'll even rotate the intermediate CA more frequently)
>
> So I guess you tried just before the following fix was pushed/deployed :-)

A classical race condition :-) Thanks for depicting it.
-- Leon