[alsa-devel] Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*
[Please CC, as I am not subscribed.]
Dear ALSA folks,
Despite working in the browser (Mozilla Firefox), GNU Wget and curl give the error below trying to download the script `alsa-info.sh`.
```
$ wget https://www.alsa-project.org/alsa-info.sh
--2018-12-18 17:27:57-- https://www.alsa-project.org/alsa-info.sh
Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.
```
Kind regards,
Paul
We use Let's Encrypt (https://letsencrypt.org) certificates based on the domain verification. It appears that your system CA certificate package is missing the current CA key:
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
You can find this CA certificate here:
https://letsencrypt.org/certificates/
The browsers are using their own CA certificate database, and the Let's Encrypt CA certificate is regularly updated there.
Jaroslav
Dear Jaroslav,
I believe you need to add that certificate to the chain. The online SSL test also fails and complains about an incomplete certificate chain [1].
This server's certificate chain is incomplete. Grade capped to B.
Here is what the test with `openssl` shows.
```
$ openssl s_client -connect www.alsa-project.org:443
CONNECTED(00000003)
depth=0 CN = alsa-project.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = alsa-project.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = alsa-project.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
[…]
```
Does that work on your system?
Kind regards,
Paul
[1]: https://www.ssllabs.com/ssltest/analyze.html?d=www.alsa-project.org
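The manual check in the message above can be scripted. This is an added example, not part of the thread or of ALSA's tooling: it reads saved `openssl s_client` output and separates a server that sends only its leaf certificate from a client trust store that lacks the root. The function names, verdict strings and both transcripts are constructed for illustration, and the classification is a heuristic.

```shell
# Added example (offline): both transcripts are constructed, modelled on the thread.
# Before the fix: the server sends only its leaf certificate.
sample_leaf_only() {
cat <<'EOF'
depth=0 CN = alsa-project.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = alsa-project.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = alsa-project.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
EOF
}
# After the fix (constructed): leaf plus intermediate are sent and verify.
sample_with_intermediate() {
cat <<'EOF'
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = alsa-project.org
verify return:1
---
Certificate chain
 0 s:CN = alsa-project.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}
# Reads an s_client transcript on stdin and prints one verdict line.
# Heuristic: verify errors with a single certificate sent point at the server's
# chain; verify errors with intermediates sent point at the client's trust store.
chain_status() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sent++ }
    /verify error:num=/        { errors++ }
    END {
      if (!errors)        print "OK sent=" (sent + 0)
      else if (sent <= 1) print "SERVER_CHAIN_INCOMPLETE sent=" (sent + 0)
      else                print "CLIENT_TRUST_STORE sent=" (sent + 0)
    }'
}
```

Against a live host the same function can be fed with `openssl s_client -connect HOST:443 </dev/null 2>&1 | chain_status`.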
Dear Jaroslav,
On 12/19/18 16:01, Paul Menzel wrote:
> Does that work on your system?
It does not work for me with the certificates downloaded from [2], which should use the Mozilla database, and with Debian Stretch/stable.
Kind regards,
Paul
You're right. It should be fixed now. Thank you for your notice.
Jaroslav
Dear Jaroslav,
Thank you for improving the situation so quickly.
Kind regards,
Paul
PS: As a side note, it looks like browsers (at least Chromium) are going to start deprecating old TLS versions soon. The Web server probably also needs to be updated to support at least TLS 1.2. Currently TLS 1.0 seems to be the highest supported version.
```
$ curl -I --tlsv1.2 https://www.alsa-project.org/
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
```