Science+Wine Repos: SSL certificate problem: unable to get local issuer certificate

johannesrs · October 26, 2023, 5:41pm

Hi people!

I’m having an issue at a computer at work: only the Science and Wine repositories (actually, the proxy that I want to use is also giving me the same issues and I need it added to whitelist websites here) are yielding the following error:

~> sudo zypper ref
Retrieving repository 'Science Repository' metadata ....................................................................................................................................[error]
Repository 'Science Repository' is invalid.
[Science|https://download.opensuse.org/repositories/science/15.5/] Valid metadata not found at specified URL
History:
 - [|] Error trying to read from 'https://download.opensuse.org/repositories/science/15.5/'
 - Download (curl) error for 'https://download.opensuse.org/repositories/science/15.5/content':
   Error code: Curl error 60
   Error message: SSL certificate problem: unable to get local issuer certificate

Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'Science Repository' because of the above error.
Retrieving repository 'Wine Repository' metadata .......................................................................................................................................[error]
Repository 'Wine Repository' is invalid.
[Wine_Repository|https://download.opensuse.org/repositories/Emulators:/Wine/15.5/] Valid metadata not found at specified URL
History:
 - [|] Error trying to read from 'https://download.opensuse.org/repositories/Emulators:/Wine/15.5/'
 - Download (curl) error for 'https://download.opensuse.org/repositories/Emulators:/Wine/15.5/content':
   Error code: Curl error 60
   Error message: SSL certificate problem: unable to get local issuer certificate

Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'Wine Repository' because of the above error.
Retrieving repository 'Packman Repository' metadata .....................................................................................................................................[done]
Building repository 'Packman Repository' cache ..........................................................................................................................................[done]
Repository 'Libdvdcss Repository' is up to date.                                                              
Repository 'Update repository of openSUSE Backports' is up to date.                                           
Repository 'Non-OSS Repository' is up to date.                                                                
Repository 'Open H.264 Codec (openSUSE Leap)' is up to date.                                                  
Repository 'Main Repository' is up to date.                                                                   
Repository 'Update repository with updates from SUSE Linux Enterprise 15' is up to date.                      
Repository 'Main Update Repository' is up to date.                                                            
Repository 'Update Repository (Non-Oss)' is up to date.                                                       
Repository 'trinity' is up to date.                                                                           
Repository 'trinity-noarch' is up to date.                                                                    
Some of the repositories have not been refreshed because of an error.

Does anybody knows how to solve this? Thanks a lot in advance!

404_UsernameNotFound · October 27, 2023, 10:21am

Hi johannesrs,
I just tried to access https://download.opensuse.org/repositories/science/15.5/content and https://download.opensuse.org/repositories/Emulators:/Wine/15.5/content through firefox without success because the folder “content” doesn’t exist (anymore supposingly). My guess is that there was a switch in the folder structure of those repos.

I would try to delete and re-add those two repos. I guess that should solve your problem.

johannesrs · October 27, 2023, 12:15pm

Hi @404_UsernameNotFound .

I hoped it was something as simple as that, but no: I removed the Science repository in Yast and added it back just to see the error message still being issued there too.

Any suggestions?

404_UsernameNotFound · October 27, 2023, 3:24pm

In /etc/zypp/repos.d/ there should be the .repo-files for these two repositories (among all repositories). Could you show the content of these two files please?

johannesrs · October 27, 2023, 3:57pm

Since I deleted the Science Repository to try to add it back again, I can’t show it. But fortunately I kept the Wine Repository, so:

~> cat /etc/zypp/repos.d/Wine_Repository.repo
[Wine_Repository]
name=Wine Repository
enabled=1
autorefresh=1
baseurl=https://download.opensuse.org/repositories/Emulators:/Wine/$releasever/
path=/
keeppackages=0

I can’t see any flaws in it, it’s a way too simple file…

404_UsernameNotFound · October 27, 2023, 4:04pm

So, I tried adding it with the baseurl you use. It didn’t work/refresh. So, I used the baseurl that’s naming the Leap version instead.

What you could try would be removing this one by:

sudo zypper rr  https://download.opensuse.org/repositories/Emulators:/Wine/$releasever/

and add it again with

sudo zypper ar https://download.opensuse.org/repositories/Emulators:/Wine/15.5/ Wine_repository

and see if it works then. If that works you can try the same with the science repo.

hcvv · October 27, 2023, 5:16pm

I am not quite sure what you want to test with this. It looks as if you think that zyyper does not replace the $releasever string. but the first post shows

where you can see that the replacement is done correct.

404_UsernameNotFound · October 28, 2023, 6:20pm

My thought was, since @johannesrs was adding his repositories with YaST that there might be a difference in the way how zypper adds repositories vs how YaST does it. The hardwireing to the version was just thought to rule out a possible source for errors in this process.

I looked a bit further into the .repo-config files that are supported by the repos themselves (https://download.opensuse.org/repositories/science/15.5/ and https://download.opensuse.org/repositories/Emulators:/Wine/15.5/).

result for the sciene.repo:

[science]
name=Software for Scientists and Engineers (15.5)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/science/15.5/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/science/15.5/repodata/repomd.xml.key
enabled=1

and for Emulators_Wine.repo:

[Emulators_Wine]
name=Wine (15.5)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/Emulators:/Wine/15.5/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/Emulators:/Wine/15.5/repodata/repomd.xml.key
enabled=1

The most obvious difference between the automatically generated config-files and those from the repo-URLs is that the one from the repo includes the source for the gpg-key.
So, besides re-adding the repo with zypper, maybe it would be worth a try to adjust the config file to the content that’s suggested by the repo. Just a wild guess: Is it possible that the gpg-key was available in /content and this was changed?

Just to be clear: I don’t have the same level of experience with zypper and it’s repo-management as with pacman (Arch Linux).

@hcvv I assume you probably have better knowledge of repo-management in openSUSE. Do you know if there is a way to manually adjust what exact mirror is used? (Like a pendandt to the pacman-mirrorlist in Arch). Do you have further suggestions in what other configurations connected to zypp could be checked in this regards?

hui · October 28, 2023, 6:23pm

https://en.opensuse.org/openSUSE:Mirrors

404_UsernameNotFound · October 28, 2023, 6:29pm

Thanks for the quick reply. I was looking into that earlier but still didn’t see an obvious option (e.g. a config-file on my system) that would give me the possibility to choose a specific mirror manually for permanent use instead of the mirror that’s chosen for me by the server. I know in general it wouldn’t make much sense.
That’s more of a hypothetical question to rule out issues with a specific mirror.

johannesrs · October 28, 2023, 6:33pm

Hi @404_UsernameNotFound , @hcvv and @hui !

Thanks for the series of replies! Unfortunately, I’ll only be able to try the suggestions, if I’m too fast with other duties at work, next tuesday. If not, I’ll certainly be able on next thrusday (yes, really crazzy job hours + a holiday this saturday that I would b at work).

I’ll keep you posted on the tests! Thanks again!

hui · October 28, 2023, 6:33pm

Simply edit the /etc/zypp/repos.d/xxxx files and adjust the repo URLs with the mirror URL you want…

404_UsernameNotFound · October 28, 2023, 6:34pm

Indeed. that’s quite obvious. how stupid of me…

Thanks

johannesrs · October 31, 2023, 6:34pm

Hi all.

Just tried editing the local wine repo file and refreshing it, as well as adding it again directly to the online science repo file: Both failed.

~> export LC_ALL=C
~> sudo zypper ref
Retrieving repository 'Wine Repository' metadata .......................................................................................................................................[error]
Repository 'Wine Repository' is invalid.
[Wine_Repository|https://download.opensuse.org/repositories/Emulators:/Wine/15.5/] Valid metadata not found at specified URL
History:
 - [|] Error trying to read from 'https://download.opensuse.org/repositories/Emulators:/Wine/15.5/'
 - Download (curl) error for 'https://download.opensuse.org/repositories/Emulators:/Wine/15.5/content':
   Error code: Curl error 60
   Error message: SSL certificate problem: unable to get local issuer certificate

Please check if the URIs defined for this repository are pointing to a valid repository.
Skipping repository 'Wine Repository' because of the above error.
Repository 'Packman Repository' is up to date.                                                                                                                                                 
Repository 'Libdvdcss Repository' is up to date.                                                                                                                                               
Repository 'Update repository of openSUSE Backports' is up to date.                                                                                                                            
Repository 'Non-OSS Repository' is up to date.                                                                                                                                                 
Repository 'Open H.264 Codec (openSUSE Leap)' is up to date.                                                                                                                                   
Repository 'Main Repository' is up to date.                                                                                                                                                    
Repository 'Update repository with updates from SUSE Linux Enterprise 15' is up to date.                                                                                                       
Repository 'Main Update Repository' is up to date.                                                                                                                                             
Repository 'Update Repository (Non-Oss)' is up to date.                                                                                                                                        
Repository 'trinity' is up to date.                                                                                                                                                            
Repository 'trinity-noarch' is up to date.                                                                                                                                                     
Some of the repositories have not been refreshed because of an error.
~> sudo zypper ar https://download.opensuse.org/repositories/science/15.5/science.repo
Download (curl) error for 'https://download.opensuse.org/repositories/science/15.5/science.repo':
Error code: Curl error 60
Error message: SSL certificate problem: unable to get local issuer certificate

Abort, retry, ignore? [a/r/i/...? shows all options] (a): r
Download (curl) error for 'https://download.opensuse.org/repositories/science/15.5/science.repo':
Error code: Curl error 60
Error message: SSL certificate problem: unable to get local issuer certificate

Abort, retry, ignore? [a/r/i/...? shows all options] (a): i
Problem encountered while trying to read the file at the specified URI:
SKIP request: User-requested skipping of a file
History:
 - Download (curl) error for 'https://download.opensuse.org/repositories/science/15.5/science.repo':
   Error code: Curl error 60
   Error message: SSL certificate problem: unable to get local issuer certificate

Any new ideas?

arvidjaar · November 1, 2023, 7:04am

You could finally show us the actual certificate that causes this problem.

johannesrs · November 1, 2023, 8:57am

And how could I possibly do that? I just get the error messages concerning “SSL certificate problem” from typical and common commands as zypper ref or zypper ar <address>, it is not like I’m adding some unusual flag or other command to pass the certificate.

arvidjaar · November 1, 2023, 9:12am

curl -ILv https://download.opensuse.org/repositories/Emulators:/Wine/15.5/content

will show more details about error. And certificate itself can be fetched using s_client, assuming verbose output confirms this is the problem.

johannesrs · November 3, 2023, 1:20pm

Hi @arvidjaar !

Finally could do what you suggested (sorry for taking too long):

~> curl -ILv https://download.opensuse.org/repositories/Emulators:/Wine/15.5/content
*   Trying 195.135.221.134:443...
* Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

~> curl -ILv https://download.opensuse.org/repositories/Emulators:/Wine/15.5
*   Trying 195.135.221.134:443...
* Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Also did it for the Science repository:

~> curl -ILv https://download.opensuse.org/repositories/science/15.5/content
*   Trying 195.135.221.134:443...
* Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

~> curl -ILv https://download.opensuse.org/repositories/science/15.5
*   Trying 195.135.221.134:443...
* Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Unfortunately, both still fail in the same (non-understandable) way to me.

Any clues/suggestions? I really have no idea on what these outputs mean…

arvidjaar · November 3, 2023, 4:50pm

Sorry, I expected it to show certificate information. Apparently it does it only for “good” certificates.

Please, show

openssl s_client -showcerts download.opensuse.org:443 < /dev/null

johannesrs · November 4, 2023, 4:04pm

Hi @arvidjaar !

No problem. It outputs:

~> openssl s_client -showcerts download.opensuse.org:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = opensuse.org
verify return:1
---
Certificate chain
 0 s:CN = opensuse.org
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIF9jCCBN6gAwIBAgISA4g5bJUsV9fteQ2BQFVeSwM+MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA5MDkwMDQ2NTNaFw0yMzEyMDgwMDQ2NTJaMBcxFTATBgNVBAMT
DG9wZW5zdXNlLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALGE
rS6Hx40XyykN9VkSxGJt4SI3tygXXiveLuJldaDcUCh/9AR+gLzGzcgsbllCq2Fy
pS0GSKaPjH7CH5J6RVzx0YvLm54UkmKtoL4HIBHAC4AQwRSS2Y0K983YFsGnBlHH
l66ylpMlH7uJ+mbRTvG/hu7RIDr09E5TSZeL2eBi6gXfL5LQNo7z3NLaC0K8XOC5
zccp0c5f89jGw65ZDpdnPVHrv+bbDt1SYfHMW+pWwoJ58nXfar4XmqJgT/E92PEh
REYNFuK3W2wl+Bv6hWi9GBeJU9rsKm5C+Dz6PRCh6QYfrqgpJV261NQwSy/hXHrf
V5ga5RwUfzZrOxyCfQKO8REyfOnV7xgfi9wEUk8UR8bkUy28s6TwyoNtdI92HRE/
UAbJGAuADlyzmKE8MdnQxWE59r6bzNOgn30TAbnJccFNufiCXmz2lokgH+i5QUpS
uPJBvdi7GNuqfAuvVuYy6np4LvhxBbmSNsIyi5yog2QlYFdL0jtvoJY1AePbTYUw
qONt4iYU35HZQ+dz13JpfZNM3S9KzU/OgQgBtVSFJ5JTRmvvBZG+BDScdKfvvnRS
qHWCloAIAGDKh85ptnfRmTpPAF5LFre5jAeJ8BrcsZZzsAPXeNHfhY5cyHNQHy7x
N8TflaSKXVyIvsbTag2QHdklFxUcjzTf3nN+XZ6HAgMBAAGjggIfMIICGzAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFNUOy2Cw94PUL/Ye0V816Wbwo5YLMB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMCcGA1UdEQQgMB6CDioub3BlbnN1c2Uub3JnggxvcGVu
c3VzZS5vcmcwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEFBgorBgEEAdZ5AgQCBIH2
BIHzAPEAdwC3Pvsk35xNunXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYp3ntdn
AAAEAwBIMEYCIQDUC2eK6LDPRFOJS9C/1biJfPt6fbnELGncQLOOQPahtgIhAMAT
4vMLAKKZfiPQ9lM8JxSIqxZRBGGXK2gegcDWxtQ2AHYAejKMVNi3LbYg6jjgUh7p
hBZwMhOFTTvSK8E6V6NS61IAAAGKd57XnAAABAMARzBFAiEAsKxsLsVafMSrjxzl
u/PGGpfzRlkrKxA/M18VKM4R+TECICmBj0bTK3hNa216A4NMeKGQE9AUgrGWE/ah
EYlBqQN9MA0GCSqGSIb3DQEBCwUAA4IBAQByyNxSaoPVr0ecOviqvlUHxk5tCNdB
Wr1aGFR2bUqziwLX7ibaUQxdLOqAL79kfxDNnvSPJaPCnz7o5tq5qELkmubfREvW
aj8qLfct1e3ZCAUqokO2T+km8OjOJQjjEQHFVu9pqI3PjpdAN834jtfC/cR7u1JR
wP2lBVrydMj+h1boVdrt5edKnALklw5f8dVm2EC9wkve4EswgpRAjG2iFttJ8oat
OR+FtDv5Qm/D0Aqcpf2Qs8qAAeLD4D0W+y4vzYKwO91W97Su9hUwXZkJEL154ivs
hj9p7LYObYmWpscYPgZ3+edw+e4A5yRoy8bRHEEcTDuR8mRBfQhrQX4U
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = opensuse.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5042 bytes and written 411 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
DONE