dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License

Failed to renew - Problem connecting to server [FreeBSD, curl, SSL cert problem] #902

Status: Closed (petr-fischer closed this issue 1 year ago)

petr-fischer commented 1 year ago

In the last months, dehydrated -c on my FreeBSD failed to renew some domain certs.

Is there some problem with root certificates? (But I have them installed, see below).

Should the FreeBSD port maintainer do something? https://www.freshports.org/security/dehydrated/

Thanks!

Details:

```
dehydrated -c

# INFO: Using main config file /usr/local/etc/dehydrated/config
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 60)
EXPECTED value GOT EOF
```

```
curl -v https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

```
dehydrated -v

# INFO: Using main config file /usr/local/etc/dehydrated/config
Dehydrated by Lukas Schauer
https://dehydrated.io

Dehydrated version: 0.7.1
GIT-Revision: unknown

OS: FreeBSD 12.4-RELEASE
Used software:
 bash: 5.2.15(0)-release
 curl: 7.87.0
 awk, sed, mktemp, grep, diff: BSD base system versions
 openssl: OpenSSL 1.1.1q-freebsd  5 Jul 2022
```

```
uname -a

FreeBSD xxx 12.4-RELEASE FreeBSD 12.4-RELEASE r372781 GENERIC  amd64
```

```
pkg info | grep -i cert

ca_root_nss-3.86               Root certificate bundle from the Mozilla Project
```

einsiedlerkrebs commented 1 year ago

I experience the same!

cristianyxen commented 1 year ago

"CAfile: none" indicates that curl is not using /usr/local/share/certs/ca-root-nss.crt for certificate validation and cert material in /etc is too old to verify. I'm guessing that your curl port was not compiled with the CA_BUNDLE=on option?

cristianyxen commented 1 year ago

I'm also guessing /etc/ssl/certs/ is not populated in your setup, you can do that with "certctl rehash"

einsiedlerkrebs commented 1 year ago

Works for me. Thanks!

sadok commented 1 year ago

portupgrade security/ca_root_nss -- or -- pkg upgrade security/ca_root_nss

Well, or whatever. Root certificates need to be renewed. Current version - 3.88.1

petr-fischer commented 1 year ago

certctl rehash is the solution! Thanks to all!

But IMHO the FreeBSD ca_cert package postinstall section or something should be responsible for rehashing certificates. Is it appropriate to do something about it (freebsd forums, freebsd bugzilla)? Or is it ok?

sadok commented 1 year ago

> Or is it ok?

No. That should be enough.

cristianyxen commented 1 year ago

> But IMHO the FreeBSD ca_cert package postinstall section or something should be responsible for rehashing certificates. Is it appropriate to do something about it (freebsd forums, freebsd bugzilla)? Or is it ok?

No it shouldn't. Software in the ports either uses the ca_root_nss certificate bundle (/usr/local/share/certs/ca-root-nss.crt) directly or it relies on the truststore of openssl (/etc/ssl/certs) being managed by the admin. For example the curl port has the CA_BUNDLE option for exactly this purpose: deactivate it and rely on the truststore, activate it and rely on ca_root_nss.

certctl is triggered by freebsd-update, so in case of updates to the CA certificates that are provided by FreeBSD itself it is taken care to have an up to date truststore.

So the question, while having nothing to do with dehydrated, is more: why wasn't your /etc/ssl/certs updated by the tools in place, and why isn't your curl port using the ca_root_nss without you knowing?

kulmosen commented 7 months ago

Just to chime in for others trying to find a solution for `ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 60)`. If your host has the wrong time, it will do this also. So check with `date` to see if your time has drifted or changed completely. In my case, my host had reset its time to "Sat Dec 21 00:26:16 CET 2013" when the correct time is "Fri Jan 19 12:07:07 CET 2024".
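The two root causes this thread arrives at (an OpenSSL truststore directory that was never hashed, as cristianyxen explains, and a host clock that has drifted out of the certificates' validity window, as kulmosen reports) can both be checked locally before blaming dehydrated. The script below is an added example, not part of dehydrated or of the FreeBSD ports; the default paths `/etc/ssl/certs` and `/usr/local/share/certs/ca-root-nss.crt` are taken from the comments above and are assumptions about the local setup, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of dehydrated): offline check for the two causes of
# "curl returned with 60" discussed in this thread. Defaults are the FreeBSD
# paths mentioned above and are assumptions about the local setup.

# Return 0 if DIR holds at least one OpenSSL subject-hash entry, i.e. a name
# of eight hex digits, a dot and a digit (what `certctl rehash` creates).
# An unhashed directory makes an OpenSSL-linked curl report "unable to get
# local issuer certificate" even though the CA bundle package is installed.
truststore_has_hashes() {
    dir=$1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        case ${entry##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# Return 0 if the current time (seconds since the epoch) lies inside
# [MIN_EPOCH, MAX_EPOCH]. A clock outside that window fails validity checks
# on every leaf certificate, exactly like the 2013 reset described above.
clock_within() {
    now=$(date +%s)
    [ "$now" -ge "$1" ] && [ "$now" -le "$2" ]
}

# Print one line per finding and return 0 when nothing needs attention.
# BUNDLE is the PEM file a curl built with CA_BUNDLE=on would read; MIN/MAX
# bound the plausible current time (defaults: 2023-01-01 and 2100-01-01).
diagnose() {
    truststore=${1:-/etc/ssl/certs}
    bundle=${2:-/usr/local/share/certs/ca-root-nss.crt}
    min_epoch=${3:-1672531200}
    max_epoch=${4:-4102444800}
    status=0
    if truststore_has_hashes "$truststore"; then
        echo "ok:   $truststore contains hashed CA entries"
    else
        echo "FAIL: $truststore has no hashed entries; run 'certctl rehash'"
        status=1
    fi
    if [ -r "$bundle" ]; then
        echo "ok:   CA bundle $bundle is readable"
    else
        echo "warn: CA bundle $bundle not found; a curl built with CA_BUNDLE=on needs it"
    fi
    if clock_within "$min_epoch" "$max_epoch"; then
        echo "ok:   clock ($(date)) is within the expected window"
    else
        echo "FAIL: clock ($(date)) is outside the expected window; fix the time before renewing"
        status=1
    fi
    return $status
}

# Stand-alone run against the real paths; TRUSTSTORE and CA_BUNDLE override them.
diagnose "${TRUSTSTORE:-}" "${CA_BUNDLE:-}" || :
```

Run it as `sh check-ca.sh` on the host where `dehydrated -c` fails: a `FAIL` line on the truststore points at `certctl rehash`, a `FAIL` on the clock points at fixing NTP first, and a curl that still returns 60 after both pass is most likely one built with `CA_BUNDLE=on` whose bundle file is missing (the `warn` line).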