Dear Jaroslav,
On 12/19/18 16:01, Paul Menzel wrote:
On 12/18/18 19:18, Jaroslav Kysela wrote:
On 18.12.2018 at 18:30, Paul Menzel wrote:
[Please CC, as I am not subscribed.]
Despite working in the browser (Mozilla Firefox), GNU Wget and curl give the error below trying to download the script `alsa-info.sh`.
    $ wget https://www.alsa-project.org/alsa-info.sh
    --2018-12-18 17:27:57-- https://www.alsa-project.org/alsa-info.sh
    Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
    Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
    ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
    ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.
We use Let's Encrypt (https://letsencrypt.org) certificates based on the domain verification. It appears that your system CA certificate package is missing the current CA key:
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
You can find this CA certificate here:
https://letsencrypt.org/certificates/
The browsers are using their own CA certificate database, and the Let's Encrypt CA certificate is regularly updated there.
I believe you need to add that certificate to the chain. The online SSL test also fails and complains about an incomplete certificate chain [1].
This server's certificate chain is incomplete. Grade capped to B.
Here is what the test with `openssl` shows.
    $ openssl s_client -connect www.alsa-project.org:443
    CONNECTED(00000003)
    depth=0 CN = alsa-project.org
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = alsa-project.org
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:CN = alsa-project.org
       i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    ---
    […]
Does that work on your system?
It does not work for me with the certificates downloaded from [2], which should use the Mozilla database, and with Debian Stretch/stable.
Kind regards,
Paul
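The verify error 20 from the `openssl s_client` output in this thread, reproduced offline as an added example that is not part of the original message. It builds a throwaway root, intermediate and leaf, then verifies the leaf against a trust store holding only the root, once with the leaf presented alone and once with the intermediate included. All certificate names, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed three-tier PKI (root -> intermediate -> leaf); every name is made up.
set -e

build_chain() {    # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # What a server can present: the leaf alone, or leaf plus intermediate.
    cp "$d/leaf.pem" "$d/served-leaf-only.pem"
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/served-fullchain.pem"
}

# Verify as a client whose trust store holds only the root.
# $1 = working directory, $2 = PEM bundle the server presents.
# Prints "ok" or the OpenSSL verify error number.
chain_result() {
    if openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" \
            > "$1/verify.out" 2>&1; then
        echo ok
    else
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' "$1/verify.out" | head -n 1
    fi
}

dir=$(mktemp -d)
build_chain "$dir"
echo "leaf only : $(chain_result "$dir" "$dir/served-leaf-only.pem")"
echo "full chain: $(chain_result "$dir" "$dir/served-fullchain.pem")"
rm -rf "$dir"
```

Against a live host, the `Certificate chain` section of `openssl s_client -connect host:443 -showcerts` shows which of the two bundles the server actually presents.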