
Unable to fetch areas due to SSL problem #19

Closed
sicelo opened this issue Aug 16, 2018 · 14 comments

Comments

sicelo commented Aug 16, 2018

Hi,

I am unable to fetch maps/areas using osm2go. The program fails with "Download failed with message 'SSL certificate problem: unable to get local issuer certificate'".

[screenshot attached: screenshot-20180816-224735]

However, I have the latest openssl/libssl as published at https://github.com/osm2go/openssl/releases

Nokia-N900:~# dpkg -l openssl libssl* osm2go
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
un  libssl         <none>         (no description available)
ii  libssl0.9.8    0.9.8zh-1+maem SSL shared libraries
un  libssl096-dev  <none>         (no description available)
ii  libssl1.0.2    1.0.2o-1+maemo SSL shared libraries
ii  openssl        1.0.2o-1+maemo Secure Socket Layer (SSL) binary and related
ii  osm2go         1:0.9.13-maemo A mobile OpenStreetMap Editor
DerDakon (Member) commented:

Sadly, this has nothing to do with OpenSSL; this part uses libsoup, which uses the system crypto libraries. However, it works for me, which could be because I manually installed the proper certificate in the correct system location.

sicelo (Author) commented Aug 17, 2018

Thanks for responding.

I did a quick test with the system crypto (cmcli), and (surprise!) it verified the certs correctly. I used api.openstreetmap.org and tile.openstreetmap.org, and both had the same behaviour:

Nokia-N900:~$ cmcli -T common-ca -v tile.openstreetmap.org:443
c9ee6d90ab2160d9ec0514ea68670fb9b7cd0232 tile.openstreetmap.org
 trust chain(2):
   c4a7b1a47b2c71fadbe14b9075ffc41560858910 DST Root CA X3
   +->a84a6a63047dddbae6d139b7a64565eff3a8eca1 Let's Encrypt Authority X3
Verified OK

However, running openssl s_client -connect tile.openstreetmap.org:443 does come up with the error above:

Nokia-N900:~$ openssl version
OpenSSL 1.0.2o  27 Mar 2018
Nokia-N900:~$ openssl s_client -connect tile.openstreetmap.org:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate

I am not sure what other debug/troubleshooting steps I could do. If you can suggest something, I am willing to test.

@sicelo sicelo closed this as completed Aug 17, 2018
@sicelo sicelo reopened this Aug 17, 2018
DerDakon (Member) commented Aug 17, 2018

Ah, sorry. So you can do the area selection correctly, but not the actual data download. The former is indeed using the system crypto, the latter is curl/OpenSSL. I think that is what is missing:

Nokia-N900:/home/user# ls -l /etc/ssl/certs/
lrwxrwxrwx    1 root     root            7 May 17  2017 2e5ac55d.0 -> dst.pem
-rw-r--r--    1 root     root         1200 May 17  2017 dst.pem

This is the Let's Encrypt X3 certificate.

sicelo (Author) commented Aug 17, 2018

Thanks!

Steps (for those of us with the problem):

Now openssl s_client -connect tile.openstreetmap.org:443 will not come up with an error.

However, osm2go still shows the same error.

sicelo (Author) commented Aug 17, 2018

Tested with curl, and got the same SSL problem:

Nokia-N900:~$ dpkg -l | grep curl
ii  curl                                                7.26.0-1maemo1+0cssu4                     command line tool for transferring data with URL syntax
ii  libcurl3                                            7.26.0-1maemo1+0cssu4                     easy-to-use client-side URL transfer library (OpenSSL flavour)


Nokia-N900:~$ curl -v https://b.tile.openstreetmap.org/17/71964/44884.png -o /home/user/MyDocs/44884.png
* About to connect() to b.tile.openstreetmap.org port 443 (#0)
*   Trying 196.10.54.165...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* connected
* Connected to b.tile.openstreetmap.org (196.10.54.165) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS alert, Server hello (2):
} [data not shown]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate

So probably curl/libcurl needs to be recompiled against the newer openssl? Which version do you have, @DerDakon?

sicelo (Author) commented Aug 18, 2018

Tried to specify cacert or capath to curl:

Nokia-N900:~$ curl --cacert /etc/ssl/certs/2e5ac55d.0 https://b.tile.openstreetmap.org/17/71964/44884.png -o /home/user/MyDocs/44884.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18188  100 18188    0     0   6860      0  0:00:02  0:00:02 --:--:--  7052

Nokia-N900:~$ curl --capath /etc/ssl/certs/ https://b.tile.openstreetmap.org/17/71964/44884.png -o /home/user/MyDocs/44884.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
...

Nokia-N900:~$ curl --capath /etc/certs/common-ca/ https://b.tile.openstreetmap.org/17/71964/44884.png -o /home/user/MyDocs/44884.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18188  100 18188    0     0   6408      0  0:00:02  0:00:02 --:--:--  6594

So it seems recompiling isn't really necessary, but I cannot understand why curl doesn't 'see' the certificate when it looks in /etc/ssl/certs but can find it when it looks in /etc/certs/common-ca (the system's cert location).

More importantly, what is a way to fix this?

DerDakon (Member) commented:

The curl on N900 is still the old version. OSM2go is linked statically against a version of curl that uses OpenSSL 1.*. I'll look into this later.

DerDakon (Member) commented:

Ok, it looks like /etc/ssl is a dead end, sorry for that. I just downloaded an area on my N900 and that is what it looks at:

6085 open("/etc/certs/common-ca/2e5ac55d.0", O_RDONLY|O_LARGEFILE) = 16

Just a bit of background: the new OpenSSL library has a different soversion than the system one, so it can be installed in parallel. The current curl still has the same soversion as the system one, so I can upgrade it, but only using the system OpenSSL. If the curl library suddenly used a different OpenSSL, then it could break other binaries that link to curl and OpenSSL, as they would suddenly get duplicate symbols. That's why I have a static curl for OSM2go, which then uses the additional (new) OpenSSL.

DerDakon (Member) commented Aug 18, 2018

And the secret is: curl. My curl is built with:

LDFLAGS=-L/opt/openssl-1.0.2k/lib ./configure --disable-shared --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-sspi --with-ssl=/opt/openssl-1.0.2k/ --without-libssh2 --prefix=/opt/curl-7.54.1 --with-ca-path=/etc/certs/ca-common/ && make -j 10

So, it uses the system default certificate location. The one of OpenSSL itself is different, that is why OpenSSL alone does not work, but OSM2go should.

sicelo (Author) commented Aug 18, 2018

I moved the certificate created in the earlier post to /etc/certs/common-ca and osm2go now works as expected.

On a side note, I wonder if osm2go shouldn't either:

  • ship this cert (because the system certificate location actually has it, but with a different/longer name)
  • or, find a way to integrate with the system framework for certificate (no idea how difficult this would be)

I suggest this since it would help other new osm2go users.
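
The two points made above (the 2e5ac55d.0 -> dst.pem directory DerDakon showed, and the fix of moving a hashed copy of the certificate into /etc/certs/common-ca because the system store holds it under a "different/longer name") both come down to how OpenSSL's CApath lookup works: the library never scans a directory for PEM files, it opens <subject-hash>.0, <subject-hash>.1, ... and nothing else. The POSIX shell script below is an added example, not osm2go's code and not something posted in this thread. It builds a throwaway root CA and leaf with the openssl CLI (all certificates constructed on the spot, no network access; the names "Constructed Test Root", tile.example.invalid and the plain/ and hashed/ directory layout are assumptions), shows verification failing while the CA PEM sits under a descriptive file name only, then installs the hashed symlink next to it and shows the same verification succeed. Requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not osm2go code: OpenSSL-style CApath directories are searched
# by subject-hash file name (<hash>.0, <hash>.1, ...), so a CA PEM stored only
# under a descriptive name is never opened. This script builds a throwaway PKI
# with the openssl CLI (constructed on the fly, no network), shows verification
# fail with the plain file name, then succeed once the hashed symlink exists.
set -eu

# Build a constructed test PKI in directory $1: a self-signed root CA plus a
# leaf certificate it signs. The CA gets explicit CA:TRUE/keyCertSign so the
# result does not depend on whatever openssl.cnf the system ships.
make_test_pki() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test Root" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=tile.example.invalid" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Install CA certificate $1 into CApath directory $2 the way OpenSSL expects:
# copy the PEM under its own name and add a <subject-hash>.<n> symlink, which
# is the file name the library actually opens (compare 2e5ac55d.0 -> dst.pem
# in the thread). Prints the symlink name.
install_into_capath() {
  cert=$1; capath=$2
  mkdir -p "$capath"
  name=$(basename "$cert")
  cp "$cert" "$capath/$name"
  hash=$(openssl x509 -in "$cert" -noout -hash)
  n=0
  # Several CAs may share a hash; OpenSSL probes .0, .1, ... until a miss.
  while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
  ln -s "$name" "$capath/$hash.$n"
  printf '%s\n' "$hash.$n"
}

# Exit status 0 when leaf $2 chains to a trusted root found via CApath $1.
# The textual "OK" is checked rather than verify's exit code, which differs
# between OpenSSL versions.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Whole demonstration. Prints "unhashed:<ok|fail> hashed:<ok|fail>" and
# returns 0 only when the plain copy is missed and the hashed link is found.
run_demo() {
  work=$(mktemp -d)
  make_test_pki "$work"
  # 1. The CA PEM present under a descriptive name only: not found.
  mkdir -p "$work/plain"
  cp "$work/ca.pem" "$work/plain/constructed-test-root.pem"
  if verify_with_capath "$work/plain" "$work/leaf.pem"; then r1=ok; else r1=fail; fi
  # 2. Same PEM plus the hashed symlink: found.
  install_into_capath "$work/ca.pem" "$work/hashed" >/dev/null
  if verify_with_capath "$work/hashed" "$work/leaf.pem"; then r2=ok; else r2=fail; fi
  rm -rf "$work"
  printf 'unhashed:%s hashed:%s\n' "$r1" "$r2"
  [ "$r1" = fail ] && [ "$r2" = ok ]
}

# Run the demonstration when the openssl CLI is available.
if command -v openssl >/dev/null 2>&1; then
  run_demo
fi
```

The same `openssl x509 -noout -hash` value is what tools such as c_rehash compute when they populate a CApath directory, so checking that a `<hash>.0` entry exists for the issuer in the directory a client is actually configured with (for a statically built curl, the `--with-ca-path` value) is the quickest way to tell a "certificate is installed" situation from a "certificate is installed where this client looks" one.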

DerDakon (Member) commented:

I think I had this somewhere built as deb, I just have to find it again. Or do it again.

sicelo (Author) commented Aug 18, 2018

Thanks.
I guess it's ok to close the issue now, but I will leave it up to you, in case it will help with tracking, etc.

@sicelo sicelo closed this as completed Aug 29, 2018
mfrasca commented Sep 4, 2019

I'm having the same issue on a fresh install, and what I miss is instructions. Can they be distilled from this conversation and put on the front page?

DerDakon (Member) commented:

Try to get the certificates in the extra-ca-certificates package from here: https://github.com/osm2go/openssl/releases/tag/OpenSSL-1.0.2u-1%2Bmaemo1%2B0osm2go0
