
Let's Encrypt CA not included in Ubuntu's CA bundle #2026

Closed
pmontrasio opened this Issue Dec 26, 2015 · 2 comments


pmontrasio commented Dec 26, 2015

I can't connect with curl and wget to my server from Ubuntu after I installed the certificate issued by Let's Encrypt. Firefox and Opera do. I must turn off certificate validation to get them to connect. The reason is that the Let's Encrypt CA is not included in Ubuntu's CA bundle. This might be distribution dependent because other distributions could already have Let's Encrypt in their list of CAs.
Tested on both Ubuntu 14.04 and 12.04.

14.04 $ dpkg -l curl wget ca-certificates
ii  ca-certificates    20141019ubuntu0.12 Common CA certificates
ii  curl               7.22.0-3ubuntu4.14 Get a file from an HTTP, HTTPS or FTP server
ii  wget               1.13.4-2ubuntu1.2  retrieves files from the web

12.04 $ dpkg -l curl wget ca-certificates
ii  ca-certificates    20141019ubuntu all            Common CA certificates
ii  curl               7.35.0-1ubuntu amd64          command line tool for transferring data wi
ii  wget               1.15-1ubuntu1. amd64          retrieves files from the web

According to both OSes the 3 packages are "already the newest version."
Given that Ubuntu is quite used on servers and that curl and wget could be used for server-side automation tasks, I suggest working with the distributions and getting Let's Encrypt added to the CA bundle. Furthermore there are many other programs that fail to connect to Let's Encrypt sites, possibly for this reason. Example: this Ruby one-liner fails

(I replaced the name of my server with example.com)

> HTTParty.get("https://www.example.com")
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
...

This means that we can't use Let's Encrypt for sites that serve APIs consumed by other backend programs, unless we ask them to manually add Let's Encrypt to their CAs bundle.

Details of the curl and wget errors:

$ curl https://www.example.com

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

$ wget https://www.example.com
--2015-12-26 11:34:56--  https://www.example.com
Resolving www.example.com (www.example.com)... x.x.x.x
Connecting to www.example.com (www.example.com)|x.x.x.x|:443... connected.
ERROR: cannot verify www.example.com's certificate, issued by `/C=US/O=Let\'s Encrypt/CN=Let\'s Encrypt Authority X1':
  Unable to locally verify the issuer's authority.
To connect to www.example.com insecurely, use `--no-check-certificate'.
schoen (Contributor) commented Dec 26, 2015

The Let's Encrypt CA isn't supposed to be included in anybody's CA
bundle yet. There was no prior attempt to get anyone to do so, and these
efforts are not a required part of how Let's Encrypt will be trusted. See

https://letsencrypt.org/certificates/

The Let's Encrypt CA is signed by IdenTrust, which is trusted by
Ubuntu. When you get an error about unknown CA, it probably means that
you forgot to serve the intermediate cert (the chain, which you can find
in chain.pem or fullchain.pem depending on what server software
you're using). You might not notice this in a browser because the
browsers cache intermediate certs, while curl doesn't.

If you can get curl to accept https://helloworld.letsencrypt.org/ (as
I can on Ubuntu), try checking that you're serving the chain, not just
the end-entity cert.
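
The failure mode described in both comments above (a client that trusts the root, but a server that sends only the end-entity cert instead of leaf plus intermediate) can be reproduced offline. The script below is an added example, not code from the issue or from the Let's Encrypt client; it assumes only the openssl command-line tool. It builds a made-up root, intermediate and leaf (the names and DNS:www.example.com are constructed), mirrors the client's cert.pem/fullchain.pem file names, and shows that openssl verify fails on cert.pem alone but succeeds once the intermediate is available, which is exactly the difference between the two server configurations discussed here. served_chain_length is a convenience check against a live host and is the one network call.

```shell
#!/bin/sh
# Added example, not from the issue or the Let's Encrypt client: builds a toy
# root -> intermediate -> leaf chain with the openssl CLI and shows why a
# server that sends cert.pem (leaf only) fails verification in curl/wget while
# fullchain.pem (leaf + intermediate) succeeds. All names are made up.
set -e

# count_pem_certs FILE: number of certificates in a PEM bundle.
# A server config pointing at a file that yields 1 is serving the leaf
# without its intermediate.
count_pem_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# served_chain_length HOST [PORT]: how many certificates a live server hands
# to a fresh client (the same view curl or wget gets: no cached intermediates).
# Network call, so the offline checks below do not exercise it.
served_chain_length() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# make_toy_chain DIR: writes root.pem, intermediate.pem, cert.pem and
# fullchain.pem into DIR, using the file names the Let's Encrypt client uses.
make_toy_chain() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
    # Self-signed root: the only thing the "client" trusts (IdenTrust's role).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$dir/ext.cnf" -extensions ca_ext -subj "/CN=Toy Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate signed by the root (the role of Let's Encrypt Authority X1).
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
        -subj "/CN=Toy Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ext.cnf" -extensions ca_ext \
        -out "$dir/intermediate.pem" 2>/dev/null
    # Leaf (end-entity) certificate for the site, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
        -subj "/CN=www.example.com" -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/ext.cnf" -extensions leaf_ext \
        -out "$dir/cert.pem" 2>/dev/null
    # fullchain.pem = leaf followed by the intermediate: what a server should send.
    cat "$dir/cert.pem" "$dir/intermediate.pem" > "$dir/fullchain.pem"
}

# verify_leaf_only DIR: the client trusts only the root and the server sent
# just cert.pem. Fails with "unable to get local issuer certificate".
verify_leaf_only() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" "$1/cert.pem" >/dev/null 2>&1
}

# verify_with_chain DIR: same trust store, but the intermediate from
# fullchain.pem is supplied as an untrusted link, so the chain builds.
verify_with_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" \
        -untrusted "$1/intermediate.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Usage: sh chain_check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_toy_chain "$d"
    echo "cert.pem holds $(count_pem_certs "$d/cert.pem") cert(s), fullchain.pem holds $(count_pem_certs "$d/fullchain.pem")"
    if verify_leaf_only "$d"; then echo "leaf only: verified (unexpected)"; else echo "leaf only: verify failed, as curl/wget would"; fi
    if verify_with_chain "$d"; then echo "with intermediate: verify OK"; fi
    rm -rf "$d"
fi
```

The same asymmetry explains why browsers hid the problem: a browser that has cached the intermediate from an earlier visit behaves like verify_with_chain even when the server behaves like verify_leaf_only, so testing a deployment with a fresh curl or with served_chain_length against the host gives the honest answer.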


pmontrasio commented Dec 26, 2015

Thanks! I used fullchain.pem instead of cert.pem and curl and wget started working. I was misled by my ignorance and by an answer to #1736. To skew the odds in favour of the correct configuration I wrote a short post about it. I'll also write a comment to that issue.
