Closed kelson42 closed 5 years ago
Nope. Works fine here. Your curl must be a bit dated.
% curl -v https://mirrorbrain.org
SSL certificate verify ok.
> GET / HTTP/1.1
> Host: mirrorbrain.org
> User-Agent: curl/7.54.0
> Accept: */*
< HTTP/1.1 200 OK
% curl --version
curl 7.54.0 (x86_64-apple-darwin18.0) libcurl/7.54.0 LibreSSL/2.6.5 zlib/1.2.11 nghttp2/1.24.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy
Something is still wrong for me (Ubuntu 18.04)... but "yes" nothing to do with the expiration_date:
$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
$ curl -v https://mirrorbrain.org
* Rebuilt URL to: https://mirrorbrain.org/
* Trying 178.254.54.228...
* TCP_NODELAY set
* Connected to mirrorbrain.org (178.254.54.228) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
It seems the problem is around the issuer.
Firefox complains too:
Qualys confirms: https://www.ssllabs.com/ssltest/analyze.html?d=mirrorbrain.org
Qualys confirms that the certificate is 100% valid and trusted. Qualys complains that obsolete SSL protocol versions are not disabled, which I ought to fix.
Some older user agents are not able to verify the certificate chain, if they don’t have the Let’s Encrypt root CA installed. Typically, it is installed by default in all current systems. So that I won’t fix. Also, the user agent needs to support SNI. Nevertheless, I am very happy as it is.
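Added example, not part of the original thread: the "unable to get local issuer certificate" message in the curl output above is OpenSSL verification error 20, and the depth reported with it shows which link of the chain could not be resolved. The script below reproduces it offline with a throwaway root, intermediate and leaf; all subjects, file names and the helper names `make_chain`, `check` and `demo` are constructed for the illustration, and it assumes the `openssl` CLI with its default configuration file is installed.

```shell
#!/usr/bin/env bash
# Added illustration: every key, subject and file below is constructed for the demo.

# Build root -> intermediate -> leaf with throwaway RSA keys inside directory $1.
make_chain() {
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -subj "/CN=demo $n" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 7 -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -extfile "$d/ca.ext" -days 7 -out "$d/inter.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -extfile "$d/leaf.ext" -days 7 -out "$d/leaf.pem" 2>/dev/null
}

# Run `openssl verify` with the given arguments; print "OK" or the first
# "error N at D depth lookup: reason" line of its output.
check() {
  local out
  if out=$(openssl verify "$@" 2>&1); then echo OK; return 0; fi
  printf '%s\n' "$out" | grep -m1 '^error [0-9][0-9]* at'
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_chain "$d" || return 1
  # Root trusted and intermediate supplied: the chain resolves.
  echo "full chain, root trusted: $(check -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/leaf.pem")"
  # Only the leaf is presented (no intermediate): issuer lookup fails at depth 0.
  echo "intermediate missing:     $(check -CAfile "$d/root.pem" "$d/leaf.pem")"
  # Intermediate supplied, but the demo root is absent from the default
  # trust store: issuer lookup fails at depth 1.
  echo "root not in trust store:  $(check -untrusted "$d/inter.pem" "$d/leaf.pem")"
  rm -rf "$d"
}
demo
```

Against a live server, the same depth appears in the `verify error:num=20` lines printed by `openssl s_client -connect host:443 -servername host`.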