$ git rev-parse HEAD
0910518f0037d763d44a310ea0e52e1f46804f42
$ cargo run --bin hc_service_check -- signal -u wss://sbd-main-0.holo.host
Finished dev [unoptimized + debuginfo] target(s) in 0.51s
Running `target/debug/hc_service_check signal -u 'wss://sbd-main-0.holo.host'`
signal check of wss://sbd-main-0.holo.host
Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) }
for comparison i also brought up nginx SSL on port 444, and openssl seems happy with that.
$ openssl s_client -showcerts -connect sbd-main-0.holo.host:443 </dev/null > openssl-sbd.log
openssl s_client -showcerts -connect sbd-main-0.holo.host:444 </dev/null > openssl-nginx.log
diff openssl-nginx.log openssl-sbd.log
depth=0 CN = sbd-main-0.holo.host
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = sbd-main-0.holo.host
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = sbd-main-0.holo.host
verify return:1
DONE
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = sbd-main-0.holo.host
verify return:1
DONE
sbd is started with the following options, whereas cert.pem points to acme's fullchain.pem via systemd service configuration.
i'm running into issues with SSL.
here's a snippet from the nginx config file:
i'm just showing this config because sbd doesn't have an equivalent option to ssl_trusted_certificate. i don't know whether that's relevant here.
i did double-check that the certificates used by nginx and sbd are identical:
Originally posted by @steveej in https://github.com/holochain/holochain-infra/issues/96#issuecomment-2127689799
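
Added example, not part of the original post: a shell helper that reads an `openssl s_client -showcerts` log like the two captured above and reports how many certificates the server sent and whether each one is followed by its issuer. The names `chain_summary` and `write_samples` are hypothetical, the embedded logs are constructed, and the sbd sample assumes a leaf-only chain, which is the case verify errors 20 and 21 at depth 0 point to.

```shell
# Summarise the "Certificate chain" section of an `openssl s_client -showcerts` log.
# Prints "<certs sent> <verdict>": leaf-only (issuer of the only cert not sent),
# broken-link (a cert is not followed by its issuer), linked, or no-chain.
chain_summary() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---$/  { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && n && /^ *i:/   { sub(/^ *i:/, ""); iss[n - 1] = $0 }
        END {
            verdict = (n ? "linked" : "no-chain")
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) verdict = "broken-link"
            if (n == 1 && iss[0] != subj[0]) verdict = "leaf-only"
            print n + 0, verdict
        }
    ' "$1"
}
# Constructed sample logs (PEM bodies replaced by a placeholder line).
# Assumption: the sbd endpoint sends only the leaf; the nginx one sends leaf + R3.
write_samples() {
    cat > "$1/openssl-sbd.log" <<'EOF'
Certificate chain
 0 s:CN = sbd-main-0.holo.host
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
---
EOF
    cat > "$1/openssl-nginx.log" <<'EOF'
Certificate chain
 0 s:CN = sbd-main-0.holo.host
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
---
EOF
}
dir=$(mktemp -d) && write_samples "$dir"
for f in "$dir"/openssl-*.log; do printf '%s: %s\n' "${f##*/}" "$(chain_summary "$f")"; done
```

A `linked` chain that stops at the intermediate is normal, since the root comes from the client's trust store; `leaf-only` means a client without the intermediate cached cannot build a path to it.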