SSL cert issue with downloading

==> Upgrading vickio/dialog/dialog-if
==> Downloading https://hd0.linusakesson.net/files/dialog-0j01_0_35.zip

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Error: An exception occurred within a child process:
  DownloadError: Failed to download resource "dialog-if"
Download failed: https://hd0.linusakesson.net/files/dialog-0j01_0_35.zip

Will investigate.

Is it just curl, or do you get the same problem with a web browser?

I can’t reproduce this problem with curl (version 7.52.1). What options are you passing to curl?

According to a quick web search, this can happen when the web server fails to include the intermediate certificate for letsencrypt in its response. Curl knows the root cert, which can be used to verify the letsencrypt cert. The letsencrypt cert is necessary in turn to verify the site’s cert, and the site’s cert is sent by the web server. But if you don’t have a copy of the letsencrypt cert, the chain is broken. Meanwhile, web browsers are likely to have visited another letsencrypt site earlier, and therefore have a cached copy of the letsencrypt cert.

However, I have run checks using three different online services, and each of them reports that the certificate chain is transmitted properly.

Are you able to connect directly with openssl?

openssl s_client -connect hd0.linusakesson.net:443

Then press return, and you should see an HTTP Bad Request from the web server.

I hoped a reboot would fix it; it did not. It may be something specific about my machine, or about OS X. I shelled into a VM I have at digital-ocean and had no problems downloading it from there.

When I use a browser to download it, I get a 404 page.

Again, at digital ocean, it works. From my mac, nope:

21:49:26 ~ > openssl s_client -connect hd0.linusakesson.net:443
CONNECTED(00000005)
depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = low-xdns.xfinity.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = low-xdns.xfinity.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=19103/ST=PA/L=Philadelphia/street=1 Comcast Center/O=Comcast Corporation/OU=Hosted by Comcast Corporation/OU=EliteSSL/CN=low-xdns.xfinity.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF8TCCBNmgAwIBAgIRANha3UJUpGlsYXmy6GiEqrgwDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD
VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT
ZXJ2ZXIgQ0EwHhcNMTcwODA4MDAwMDAwWhcNMTkwODA4MjM1OTU5WjCB1DELMAkG
A1UEBhMCVVMxDjAMBgNVBBETBTE5MTAzMQswCQYDVQQIEwJQQTEVMBMGA1UEBxMM
UGhpbGFkZWxwaGlhMRkwFwYDVQQJExAxIENvbWNhc3QgQ2VudGVyMRwwGgYDVQQK
ExNDb21jYXN0IENvcnBvcmF0aW9uMSYwJAYDVQQLEx1Ib3N0ZWQgYnkgQ29tY2Fz
dCBDb3Jwb3JhdGlvbjERMA8GA1UECxMIRWxpdGVTU0wxHTAbBgNVBAMTFGxvdy14
ZG5zLnhmaW5pdHkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
mopjEEufS7r8FYVwr3dQf4RCQNFnpvRO4F57aE5+msSkLRKVcY3tLxLi7Ve8A5tp
24VxGQEowT9sXyCoEh8TeKN01ebaQUgAfDdtnOKFRv74Pyct4oNzk7PiWpxRrSEX
9t+AW1DAHFWgQO7aO2eYTZfkFV6A2wHnhGXjEV5xUHFor2tNrrVTUAVXSu8xvyCL
JXREI/IGnp//jp89ydYRKgWp3t/ZS4n9CvenYN1zNn7hFecpNR+aduedBAa6MwZX
7JRqys+w5tg47iwze10heEkXX7tj1obcgpHl9Nqz2jcRgAR8oh5clT+P0fnwrct6
sOyx7a7LeUHcoIQ6dAGxvwIDAQABo4IB+DCCAfQwHwYDVR0jBBgwFoAUmvMr2s+t
T7YvuypISCoStxtCwSQwHQYDVR0OBBYEFDvmFAgrMvg3WA1WEla1VDjifH2ZMA4G
A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjBQBgNVHSAESTBHMDsGDCsGAQQBsjEBAgEDBDArMCkGCCsGAQUF
BwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgIwWgYD
VR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNB
T3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBiwYIKwYB
BQUHAQEEfzB9MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9D
T01PRE9SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0
MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wOQYDVR0RBDIw
MIIUbG93LXhkbnMueGZpbml0eS5jb22CGHd3dy5sb3cteGRucy54ZmluaXR5LmNv
bTANBgkqhkiG9w0BAQsFAAOCAQEADu8b5oT3fD6HRbY3wNoKmnbfKvPwDvJblES0
wrns3PJ7B3YlVlXzyJhbscfuvopfAAYgl2LynGvV71EiPhL3tesNSDSaQKGwFBJT
ewNE16DhCh12cbTI6Scdp12SR+YQPPAgK1BtzcIjX8jF6iDHzBVvdWdqQLz6nVAE
FUlJ0bkqBUOMhHz+tv4/rm/EtbpI9lOhq1bywLs0oPTRMqWMuXX7Ni4TKY2nt0qW
dadInPwjTu6d22uf8V2Vido7Sbb0VW2zvv9tyEnIPgi7X+jWgiFYyW6EJti5nkQ3
wZJaNsrWLjZIuewNYJ9nEdJ07iChXZc5WINwQoPY9Rq6JNHlHA==
-----END CERTIFICATE-----
subject=/C=US/postalCode=19103/ST=PA/L=Philadelphia/street=1 Comcast Center/O=Comcast Corporation/OU=Hosted by Comcast Corporation/OU=EliteSSL/CN=low-xdns.xfinity.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2195 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 73D97A7ECCEF05740EC7334E99372A048AF5837D897F38066BBCEAEBBFA4EBAD
    Session-ID-ctx:
    Master-Key: ED4744EC2CAB2168FDB3A8D72BAAA6B36108D0D208479E397E381C4B929CEF018AD56EF3CD90B0BECFBD516260DEE2CF
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 02 51 77 51 39 e5 5b 98-89 f9 74 4e 91 86 7d 15   .QwQ9.[...tN..}.
    0010 - 52 78 a8 a8 40 68 33 e2-ac f8 de 92 9e c9 2c b1   Rx..@h3.......,.
    0020 - 5b 00 8e 64 d0 bb a2 be-5f b6 15 70 c6 86 51 59   [..d...._..p..QY
    0030 - aa 08 40 ce 27 68 83 5e-9c 30 9f 1f ad 55 83 24   ..@.'h.^.0...U.$
    0040 - b0 d4 56 5a 15 01 5e 2f-39 3d f2 9c b7 b6 ae 1e   ..VZ..^/9=......
    0050 - 38 38 63 c7 48 ef 76 cc-3e dd 5f bb 74 2f 3e 69   88c.H.v.>._.t/>i
    0060 - 82 74 08 c4 10 09 76 c6-fb 44 7b e4 04 ca 98 11   .t....v..D{.....
    0070 - a0 a6 16 91 2b 32 1a 70-b8 c1 e7 99 1d e5 a0 12   ....+2.p........
    0080 - 04 9b 0c 80 f5 db 81 6c-52 6d 2b c1 1e 7f a1 b2   .......lRm+.....
    0090 - 91 36 5d aa 8f 75 dd ee-74 38 da 14 79 2f cb 2f   .6]..u..t8..y/./
    00a0 - 92 26 92 66 ca 62 49 9d-17 66 50 1d ad 02 d7 95   .&.f.bI..fP.....

    Start Time: 1582350579
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---


Might actually be a problem with Comcast DNS based on what I’m seeing in my log.

Yep, it was a Comcast issue, I had to disable a wonky security setting in my cable modem.
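The s_client transcript above already contains the diagnosis before any trust-store question arises: the one certificate the server sent is for low-xdns.xfinity.com, not for the host that was asked for, which is what a DNS redirect looks like on the wire. curl reports the chain failure first and never reaches the name check, which is why its message points at the CA bundle. The following Go program is an added example, not code from this thread or from the Dialog project: it parses that exact leaf certificate (copied verbatim from the transcript) and separates the three causes curl's generic message lumps together, in the order worth checking: name mismatch, expiry, and a chain the server left incomplete (the missing-intermediate case discussed earlier in the thread). The type and function names (Diagnosis, ParseChain, Diagnose) are my own; the hostname and the Start Time 1582350579 come from the transcript.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"time"
)

// serverPEM is the leaf certificate exactly as the s_client transcript in this
// thread printed it; it was the only certificate the server sent.
const serverPEM = `-----BEGIN CERTIFICATE-----
MIIF8TCCBNmgAwIBAgIRANha3UJUpGlsYXmy6GiEqrgwDQYJKoZIhvcNAQELBQAw
gZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTwwOgYD
VQQDEzNDT01PRE8gUlNBIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIFNlY3VyZSBT
ZXJ2ZXIgQ0EwHhcNMTcwODA4MDAwMDAwWhcNMTkwODA4MjM1OTU5WjCB1DELMAkG
A1UEBhMCVVMxDjAMBgNVBBETBTE5MTAzMQswCQYDVQQIEwJQQTEVMBMGA1UEBxMM
UGhpbGFkZWxwaGlhMRkwFwYDVQQJExAxIENvbWNhc3QgQ2VudGVyMRwwGgYDVQQK
ExNDb21jYXN0IENvcnBvcmF0aW9uMSYwJAYDVQQLEx1Ib3N0ZWQgYnkgQ29tY2Fz
dCBDb3Jwb3JhdGlvbjERMA8GA1UECxMIRWxpdGVTU0wxHTAbBgNVBAMTFGxvdy14
ZG5zLnhmaW5pdHkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
mopjEEufS7r8FYVwr3dQf4RCQNFnpvRO4F57aE5+msSkLRKVcY3tLxLi7Ve8A5tp
24VxGQEowT9sXyCoEh8TeKN01ebaQUgAfDdtnOKFRv74Pyct4oNzk7PiWpxRrSEX
9t+AW1DAHFWgQO7aO2eYTZfkFV6A2wHnhGXjEV5xUHFor2tNrrVTUAVXSu8xvyCL
JXREI/IGnp//jp89ydYRKgWp3t/ZS4n9CvenYN1zNn7hFecpNR+aduedBAa6MwZX
7JRqys+w5tg47iwze10heEkXX7tj1obcgpHl9Nqz2jcRgAR8oh5clT+P0fnwrct6
sOyx7a7LeUHcoIQ6dAGxvwIDAQABo4IB+DCCAfQwHwYDVR0jBBgwFoAUmvMr2s+t
T7YvuypISCoStxtCwSQwHQYDVR0OBBYEFDvmFAgrMvg3WA1WEla1VDjifH2ZMA4G
A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjBQBgNVHSAESTBHMDsGDCsGAQQBsjEBAgEDBDArMCkGCCsGAQUF
BwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgIwWgYD
VR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNB
T3JnYW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBiwYIKwYB
BQUHAQEEfzB9MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9D
T01PRE9SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0
MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wOQYDVR0RBDIw
MIIUbG93LXhkbnMueGZpbml0eS5jb22CGHd3dy5sb3cteGRucy54ZmluaXR5LmNv
bTANBgkqhkiG9w0BAQsFAAOCAQEADu8b5oT3fD6HRbY3wNoKmnbfKvPwDvJblES0
wrns3PJ7B3YlVlXzyJhbscfuvopfAAYgl2LynGvV71EiPhL3tesNSDSaQKGwFBJT
ewNE16DhCh12cbTI6Scdp12SR+YQPPAgK1BtzcIjX8jF6iDHzBVvdWdqQLz6nVAE
FUlJ0bkqBUOMhHz+tv4/rm/EtbpI9lOhq1bywLs0oPTRMqWMuXX7Ni4TKY2nt0qW
dadInPwjTu6d22uf8V2Vido7Sbb0VW2zvv9tyEnIPgi7X+jWgiFYyW6EJti5nkQ3
wZJaNsrWLjZIuewNYJ9nEdJ07iChXZc5WINwQoPY9Rq6JNHlHA==
-----END CERTIFICATE-----`

// Diagnosis is what the presented chain alone says, before any trust store is consulted.
type Diagnosis struct {
	Subject, Issuer string   // CN of the leaf and of its signer
	DNSNames        []string // subjectAltName entries
	AIAIssuers      []string // where a missing issuer could be fetched from
	NameMatches     bool     // leaf covers the host we actually asked for
	Expired         bool     // leaf outside its validity window at "now"
	OnlyLeafSent    bool     // non-self-signed leaf sent without its issuer
	Verdict         string
}

// ParseChain decodes every CERTIFICATE block in the order the server sent them
// (leaf first, which is also how s_client -showcerts prints them).
func ParseChain(pemData string) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for block, rest := pem.Decode([]byte(pemData)); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		chain = append(chain, cert)
	}
	if len(chain) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	return chain, nil
}

// Diagnose separates the causes curl's generic message lumps together, in the
// order worth checking: wrong name (something else answered for the host),
// expiry, then a chain the server left incomplete. Triage only, not a verifier.
func Diagnose(host string, chain []*x509.Certificate, now time.Time) Diagnosis {
	leaf, last := chain[0], chain[len(chain)-1]
	d := Diagnosis{Subject: leaf.Subject.CommonName, Issuer: leaf.Issuer.CommonName,
		DNSNames: leaf.DNSNames, AIAIssuers: leaf.IssuingCertificateURL}
	d.NameMatches = leaf.VerifyHostname(host) == nil
	d.Expired = now.Before(leaf.NotBefore) || now.After(leaf.NotAfter)
	d.OnlyLeafSent = len(chain) == 1 && string(last.RawIssuer) != string(last.RawSubject)
	switch {
	case !d.NameMatches:
		d.Verdict = fmt.Sprintf("name mismatch: asked for %s, got a certificate for %v; check DNS and the network path before the CA bundle", host, d.DNSNames)
	case d.Expired:
		d.Verdict = fmt.Sprintf("outside validity window %s to %s", leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	case d.OnlyLeafSent:
		d.Verdict = fmt.Sprintf("only the leaf was sent; issuer %q must come from the local store or from %v", d.Issuer, d.AIAIssuers)
	default:
		d.Verdict = "presented chain is self-consistent; suspect the local trust store"
	}
	return d
}

func main() {
	chain, err := ParseChain(serverPEM)
	if err != nil {
		panic(err)
	}
	// 1582350579 is the Start Time in the transcript's SSL-Session block.
	fmt.Println(Diagnose("hd0.linusakesson.net", chain, time.Unix(1582350579, 0)).Verdict)
}
```

Run against the transcript's certificate it reports the name mismatch first; the same certificate is also past its notAfter of 2019-08-08 at the transcript's Start Time, and it came without its COMODO intermediate, so the other two checks would each fire on their own if the name had matched. To triage a live host, feed the output of `openssl s_client -connect host:443 -showcerts </dev/null` to ParseChain: -showcerts prints every certificate the server sent, so a missing intermediate shows up as OnlyLeafSent, while the AIAIssuers URL is where a browser would have fetched it from.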
