Issue about ssl certificates

Hi there and, as usual, thx for reading and answering this post

I’m trying to download files from the internet with ssl based apps such as wget.

I give u an example:

wget --verbose https://invent.kde.org/frameworks/extra-cmake-modules.git
--2024-12-24 19:17:00--  https://invent.kde.org/frameworks/extra-cmake-modules.git
Resolving invent.kde.org (invent.kde.org)... 2a01:4f8:221:1dd0::2, 188.40.133.145
Connecting to invent.kde.org (invent.kde.org)|2a01:4f8:221:1dd0::2|:443... connected.
ERROR: cannot verify invent.kde.org's certificate, issued by 'CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB':
  Unable to locally verify the issuer's authority.
To connect to invent.kde.org insecurely, use `--no-check-certificate'.

That being said, I also issued a

update-ca-certificates -f

but without success. It doesn’t change anything.

What’s wrong?

Notice that I got the same results with curl.

Show output of

curl -ILv https://invent.kde.org/frameworks/extra-cmake-modules.git

And

curl -IL -w '%{certs}' https://invent.kde.org/frameworks/extra-cmake-modules.git

curl -ILv https://invent.kde.org/frameworks/extra-cmake-modules.git
* Host invent.kde.org:443 was resolved.
* IPv6: 2a01:4f8:221:1dd0::2
* IPv4: 188.40.133.145
*   Trying [2a01:4f8:221:1dd0::2]:443...
* Connected to invent.kde.org (2a01:4f8:221:1dd0::2) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

and

curl -IL -w '%{certs}' https://invent.kde.org/frameworks/extra-cmake-modules.git
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

OK, then

openssl s_client -showcerts invent.kde.org:443 < /dev/null

just wait. Issue with libcrypto

openssl s_client -showcerts invent.kde.org:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.kde.org
verify return:1
---
Certificate chain
 0 s:CN = *.kde.org
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 20 00:00:00 2024 GMT; NotAfter: Oct 20 23:59:59 2025 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
---
Server certificate
subject=CN = *.kde.org
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4211 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

Looks good. Do you still have problems with curl or wget?

Seems ok with wget. Testing curl.

Testing zef. Seems ok too.

You solved the problem. What did you do?

In any case, Thx for your help. You really helped me… :slight_smile:

Nothing. Quoting your own post:

I presume you did something to resolve this issue which also fixed certificate validation as a result.

Removed an old libcrypto in /usr/local/lib64. Was it the root of my problem?
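The last post reports removing an old libcrypto from /usr/local/lib64. A check for that situation, as an added example that is not part of the thread: it parses `ldd` output and reports libssl/libcrypto copies that a binary loads from outside the system library directories. The function names, the sample `ldd` lines (including the library version suffix) and the list of system directories are assumptions.

```shell
#!/bin/sh
# Added example: flag TLS libraries resolved from outside the distribution's
# library directories (for instance a leftover copy under /usr/local).

# Read `ldd` output on stdin and print "name path" for every libssl/libcrypto
# that is missing or not under /lib, /lib64, /usr/lib or /usr/lib64.
# That directory list is an assumption; adjust it for your distribution.
flag_nonsystem_tls_libs() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            path = $3
            if (path == "not") { print $1, "NOT-FOUND"; next }
            if (path !~ /^\/(usr\/)?lib(64)?\//) print $1, path
        }'
}

# Run the check on real binaries (curl and wget when none are named).
# Returns 1 if any of them loads a TLS library from a non-system path.
check_binaries() {
    [ "$#" -gt 0 ] || set -- curl wget
    rc=0
    for name in "$@"; do
        bin=$(command -v "$name") || continue
        hits=$(ldd "$bin" 2>/dev/null | flag_nonsystem_tls_libs)
        if [ -n "$hits" ]; then
            printf '%s:\n%s\n' "$bin" "$hits"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed ldd output: libcrypto is picked up from /usr/local/lib64
# while libssl comes from the system directory.
sample_ldd_output() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd0a5f2000)
    libssl.so.3 => /usr/lib64/libssl.so.3 (0x00007f3a1c000000)
    libcrypto.so.3 => /usr/local/lib64/libcrypto.so.3 (0x00007f3a1b800000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a1b400000)
EOF
}

# Demonstration on the constructed sample; call check_binaries on a real host.
sample_ldd_output | flag_nonsystem_tls_libs
```

An empty result from `check_binaries` means the named tools link only against system copies; wget builds that use GnuTLS instead of OpenSSL will also report nothing.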
