Hi there ans, as usual, thx for readinding ans answering this post
I’m trying to download files from internet with ssl based apps such as wget.
I
give u an example:
wget --verbose https://invent.kde.org/frameworks/extra-cmake-modules.git
--2024-12-24 19:17:00-- https://invent.kde.org/frameworks/extra-cmake-modules.git
Resolving invent.kde.org (invent.kde.org)... 2a01:4f8:221:1dd0::2, 188.40.133.145
Connecting to invent.kde.org (invent.kde.org)|2a01:4f8:221:1dd0::2|:443... connected.
ERROR: cannot verify invent.kde.org's certificate, issued by 'CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB':
Unable to locally verify the issuer's authority.
To connect to invent.kde.org insecurely, use `--no-check-certificate'.
That being said:, I also issued a
update-ca-certificates -f
but without success. It doesn’t change anything.
What’s wrong ?
notice that I got the same results with curl
Show output of
curl -ILv https://invent.kde.org/frameworks/extra-cmake-modules.git
And
curl -IL -w '%{certs}' https://invent.kde.org/frameworks/extra-cmake-modules.git
curl -ILv https://invent.kde.org/frameworks/extra-cmake-modules.git
* Host invent.kde.org:443 was resolved.
* IPv6: 2a01:4f8:221:1dd0::2
* IPv4: 188.40.133.145
* Trying [2a01:4f8:221:1dd0::2]:443...
* Connected to invent.kde.org (2a01:4f8:221:1dd0::2) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
and
curl -IL -w '%{certs}' https://invent.kde.org/frameworks/extra-cmake-modules.git
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
OK, then
openssl s_client -showcerts invent.kde.org:443 < /dev/null
just wait. Issue with libcrypto
openssl s_client -showcerts invent.kde.org:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.kde.org
verify return:1
---
Certificate chain
0 s:CN = *.kde.org
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 20 00:00:00 2024 GMT; NotAfter: Oct 20 23:59:59 2025 GMT
-----BEGIN CERTIFICATE-----
MIIHIzCCBgugAwIBAgIRALhQd05xv3k7zP/uvZ+zWM8wDQYJKoZIhvcNAQELBQAw
gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0yNDA5MjAwMDAwMDBaFw0yNTEwMjAyMzU5NTlaMBQxEjAQBgNVBAMMCSou
a2RlLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANNEwRdj0Sfm
CS8zvxmm/pmdtTSB8A1wg3Latb+WHzHh1Uf67DmLvcPAysw+mEoY3WMimhX2gT4K
yC+zJxA7etMFjLEgRISTC74AYO5Dg3e382Hnly6Enu0na4aGQAw9HbzC+2PaMNDk
n31guIocBtPKVNTXqSjr3DTDz06Q3mK/Ww2DiRLmHT3YC8fbsNBQk/G1sfyyx1BT
gnmqfv4nM2XGADPvved8kO4kDmA8rNS8mU/49sxI4PwXJk4N4E0zgtQWsx2AfatS
lO6mh2iwwZ38dmubbChimMYceeoHK5i0JAnB+sMlLiy5QRo6+1Z5VKZjSFfAClGo
hCuxiyWY72z/+5mwMdRDxAsURIyeeGCKYuoT4y46xXwcQD/nqZq0Gc/H2kPcBVXj
vE7dX6RtZErVmSaRi7Al9/2DwbIelOsQtlfFCuWJ51gPYQ2sk3rwjLpf7oe2DiRk
slLMSgO9morifO1qxH6Z3U4TPUO8b8rZGBe3pCJDDSknLLLdP6nVnhZylRxl+sYM
TJlyT9YHDjtrpWCMX6cS2SBqwsjFGJpm5I9dJG9mUvBSYVk20kmckUPtNS15mMgt
leDAQfKWNV6K0cxbj4MqiPIjJDtsmA0hgcNEABbhRRwe4evjiuYDYwuJg/Gzu2xI
oN33EcA81Mlzx2MvdfXY8Ycrxygtio/fAgMBAAGjggLyMIIC7jAfBgNVHSMEGDAW
gBSNjF7EVK2K4Xfpm/mbBeG4AY1h4TAdBgNVHQ4EFgQUoTN0AIES80zAHF+y91Yq
jNXFtZMwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAgcwJTAj
BggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIBMIGE
BggrBgEFBQcBAQR4MHYwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuc2VjdGlnby5j
b20vU2VjdGlnb1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQw
IwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMB0GA1UdEQQWMBSC
CSoua2RlLm9yZ4IHa2RlLm9yZzCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHUA
3dzKNJXX4RYF55Uy+sef+D0cUN/bADoUEnYKLKy7yCoAAAGSDxEKVwAABAMARjBE
AiA5MvDRm012dNzOWmmSR9Tj7fGj12vBvc1z3L47UQocWQIgOhFWmhprBf6ozeFV
mgQ4HTkNpLokzahpK3ky4Q8oDrkAdgDM+w9qhXEJZf6Vm1PO6bJ8IumFXA2Xjbap
flTA/kwNsAAAAZIPEQpgAAAEAwBHMEUCIB86VxK2ymOUWdMyhpCeC8BFTP5wjjRP
lLii5wbqW/GwAiEArS5mWt9Mm+KQtAQi5tKNDeORrx1znpMTiRzGzb/hDz0AdQAS
8U40vVNyTIQGGcOPP3oT+Oe1YoeInG0wBYTr5YYmOgAAAZIPEQo1AAAEAwBGMEQC
IG+wLlKHa3k/uftVDmQ/FAqjPzFyWwtY+klF6Cbj1TUsAiAsqvdw+mmSDCoZFPhy
VSXDPtA61lXqJXV2Pk03mUttRzANBgkqhkiG9w0BAQsFAAOCAQEANFK5D+e1uO5v
WLu4Kv+k2ggT9//eQz7f/JISOYwoISRNoehTI6fGrRzxKRlddR/4WkCV3WoiPj8g
U/W73vRbL5zBWq3bZVBhYcaf3tyNICOftb+6ecwP3FVS/DhzG/55BjLZ6uLpYB6p
qzg6qlj+yIf4W1vWp1OKenvoZHhgaaX1mSxGgus/4JW9OWA8GFDvyZlXKkhUq4h5
aqkAySEFSylhrbcr0dqxfzYbNl78SKzyFEJvr4Ioyb0qbwbN4bFDAil/6V7G4h9T
7XKxT68+JCbBj+t34g8fPzpLqhho4SiO2IEP24vvnsxV5RPIAXiAlGhK5xXbhd/4
nWeESitQcw==
-----END CERTIFICATE-----
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
v:NotBefore: Nov 2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.kde.org
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4211 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
skylendar:
Verification: OK
Looks good. Do you still have problems with curl
or wget
?
seems ok with wget. Testing curl.
Testing zef. Seems ok too.
You solved the problem. What did you do ?
In any case, Thx for your help. You really helped me…
skylendar:
What did you do ?
Nothing. Quoting your own post:
I presume, you did something to resolve this issue which also fixed certificate validation as a result.
removed an old libcrypto in /usr/local/lib64. Was it the root of my problem ?
system
Closed
January 2, 2025, 6:54pm
14
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.