#1 2016-04-03 06:01:43

Salkay
Member
Registered: 2014-05-22
Posts: 619

[SOLVED] Missing "Let's Encrypt" certificate

I'm using the latest units 2.11-3. I have an anacron job to update the currency rates daily, but it's currently failing.

$ sudo /usr/bin/units_cur
Error connecting to currency server. <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)>

I checked the source, and it's attempting to connect to `https://rss.timegenie.com/forex.xml`. The certificate is fine in Firefox and Chromium, and has been verified by "Let's Encrypt". I tried to directly download the page using the command line and got the following error.

$ wget https://rss.timegenie.com/forex.xml
--2016-04-03 15:53:59--  https://rss.timegenie.com/forex.xml
Resolving rss.timegenie.com (rss.timegenie.com)... 178.63.47.14
Connecting to rss.timegenie.com (rss.timegenie.com)|178.63.47.14|:443... connected.
ERROR: cannot verify rss.timegenie.com's certificate, issued by ‘CN=Let's Encrypt Authority X1,O=Let's Encrypt,C=US’:
  Unable to locally verify the issuer's authority.
To connect to rss.timegenie.com insecurely, use `--no-check-certificate'.

Is this a missing certificate in Arch Linux?

Last edited by Salkay (2016-04-06 01:18:29)

#2 2016-04-03 09:34:49

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: [SOLVED] Missing "Let's Encrypt" certificate

#3 2016-04-03 09:58:08

Salkay
Member
Registered: 2014-05-22
Posts: 619

Re: [SOLVED] Missing "Let's Encrypt" certificate

Thanks x33a. I don't understand all of that thread. However, I can wget from https://helloworld.letsencrypt.org/ perfectly, so I think that means that I need to "try checking that you're serving the chain, not just the end-entity cert." (I'm not sure what that means.)

Also, I followed the links, and it may be related to this bug, which was fixed in the last week. But I'm not sure what that even fixes, and if it's something running on the original server. (Nor why the certificate works fine in Firefox and Chromium.)

#4 2016-04-04 06:20:56

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: [SOLVED] Missing "Let's Encrypt" certificate

I was playing around with curl and found that https://curl.haxx.se/ itself is using a certificate issued by Let’s Encrypt Authority X1, but that works fine with curl! I am not sure why that works.

In any case, after playing around a bit with https://rss.timegenie.com, I got it to work by exporting the "DST Root CA X3" and "Let’s Encrypt Authority X1" certificates using Firefox and concatenating them into a single file. Finally, pass the file to curl using --cacert.

Something like

curl --cacert ./timegenie.crt https://rss.timegenie.com/forex.xml -I

Edit: For wget, use

wget --ca-certificate=./timegenie.crt https://rss.timegenie.com/forex.xml

Last edited by x33a (2016-04-04 06:22:45)
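
An added example, not part of the original posts: it reproduces offline the failure mode quoted in post #3 (a server sending only the end-entity certificate) and the `--cacert` bundle workaround from post #4, then shows the same leaf verifying once the intermediate is supplied. It assumes the `openssl` command-line tool is installed; the CA hierarchy, the "Demo ..." names and the helper functions are made up for the demonstration.

```bash
#!/usr/bin/env bash
# Constructed demo: every key and certificate here is a throwaway made locally.
# "Demo root", "Demo inter" and "Demo leaf" are made-up subject names.

make_chain() {  # $1 = empty work dir; writes root.crt, inter.crt, leaf.crt
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Root signs itself; root signs the intermediate; intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# verify_leaf TRUSTED_CAFILE LEAF [SERVER_SENT_INTERMEDIATES]
# The optional third file plays the role of extra certs sent in the TLS handshake.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_chain "$d" || return 1
  cat "$d/root.crt" "$d/inter.crt" > "$d/bundle.crt"   # the post #4 workaround
  verify_leaf "$d/root.crt" "$d/leaf.crt" \
    && echo "leaf only, root trusted:         OK" \
    || echo "leaf only, root trusted:         FAIL (issuer not found locally)"
  verify_leaf "$d/root.crt" "$d/leaf.crt" "$d/inter.crt" \
    && echo "leaf + intermediate sent:        OK" || echo "leaf + intermediate sent:        FAIL"
  verify_leaf "$d/bundle.crt" "$d/leaf.crt" \
    && echo "leaf only, bundle passed as CA:  OK" || echo "leaf only, bundle passed as CA:  FAIL"
  rm -rf "$d"
}
demo
```

The first case is the one behind wget's "Unable to locally verify the issuer's authority": the root is trusted, but nothing links the leaf to it. Browsers can hide this because they may already hold the intermediate, which command-line clients reading only the system store do not.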

#5 2016-04-04 07:07:03

Salkay
Member
Registered: 2014-05-22
Posts: 619

Re: [SOLVED] Missing "Let's Encrypt" certificate

Wow, thanks for the great detective work! However, I'm wondering how this could apply to the `units` package. Presumably we could hack the code (of /usr/bin/units_cur) to check elsewhere for the certificate, but I wondered if it were just some "system" certificate that was missing in Arch (and present in Firefox and Chromium). Either way, I guess this is a bug in the `units` package, whether it's upstream's responsibility or Arch's failure to provide the correct certificate, so I should file a bug. If it's the former, then I'd file it for units, but if it's the latter, and a lack of the correct "system" certificate, then I guess it should be filed elsewhere?

#6 2016-04-04 07:19:14

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: [SOLVED] Missing "Let's Encrypt" certificate

AFAIK, no distro supports the Let's Encrypt certs at this time. Browsers use their own bundles. I tested it on Ubuntu as well, same error there.

Edit: As for getting it to work with units, I am not able to see which library it is using for connecting to SSL hosts. In any case, it probably relies on the distro for the cert store. Try opening a bug report on the Arch Linux bugtracker.

Last edited by x33a (2016-04-04 07:24:46)

#7 2016-04-04 11:59:58

Salkay
Member
Registered: 2014-05-22
Posts: 619

Re: [SOLVED] Missing "Let's Encrypt" certificate

Thanks. Bug reported.

#8 2016-04-06 01:18:12

Salkay
Member
Registered: 2014-05-22
Posts: 619

Re: [SOLVED] Missing "Let's Encrypt" certificate

This appears to have resolved itself in the last day or so. I guess a recent update must have fixed the certificate. Thanks for your help.

#9 2016-04-06 04:59:13

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: [SOLVED] Missing "Let's Encrypt" certificate

A recent update couldn't have solved the problem since I haven't even updated my system for the past 3-4 days. I guess something changed server side.

#10 2016-04-06 05:14:16

Salkay
Member
Registered: 2014-05-22
Posts: 619

Re: [SOLVED] Missing "Let's Encrypt" certificate

Oh ok. Perhaps it was a misconfiguration at their end then. Thanks again for your help.
