[alsa-devel] Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

Paul Menzel pmenzel at molgen.mpg.de
Wed Dec 19 16:01:37 CET 2018 

Dear Jaroslav,


On 12/18/18 19:18, Jaroslav Kysela wrote:
> Dne 18.12.2018 v 18:30 Paul Menzel napsal(a):
>> [Please CC, as I am not subscribed.]

>> Despite working in the browser (Mozilla Firefox), GNU Wget and curl give
>> the error below trying to download the script `alsa-info.sh`.
>>
>>     $ wget https://www.alsa-project.org/alsa-info.sh
>>     --2018-12-18 17:27:57--  https://www.alsa-project.org/alsa-info.sh
>>     Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
>>     Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
>>     ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
>>     ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.

> We use Let's Encrypt (https://letsencrypt.org) certificates based on the
> domain verification. It appears that your system CA certificate package
> is missing the current CA key:
> 
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 
> You can find this CA certificate here:
> 
> https://letsencrypt.org/certificates/
> 
> The browsers are using own CA certificate database, and the Let's
> Encrypt CA certificate is regularly updated there.

I believe, you need to add that certificate to the chain. The online
SSL test also fails and complains about incomplete certificate
chain [1].

> This server's certificate chain is incomplete. Grade capped to B.

Here is what the test with `openssl` shows.

```
$ openssl s_client -connect www.alsa-project.org:443
CONNECTED(00000003)
depth=0 CN = alsa-project.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = alsa-project.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = alsa-project.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
[…]
```

Does that work on your system?


Kind regards,

Paul


[1]: https://www.ssllabs.com/ssltest/analyze.html?d=www.alsa-project.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5174 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.alsa-project.org/pipermail/alsa-devel/attachments/20181219/a11a64bf/attachment-0001.p7s>

More information about the Alsa-devel mailing list