#1 2018-01-17 15:34:57

renatolond
Member
Registered: 2012-01-30
Posts: 11

[SOLVED] OpenSSL issues with curl and ruby

Hello!

So, here's the issue I have. If I try to connect to certain sites using curl (or ruby), I get an error:

$ irb
2.3.4 :001 > require 'net/http'
 => true 
2.3.4 :002 > Net::HTTP.get(URI('https://otr.to/'))
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock'
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/lib/ruby/2.3.0/net/http.rb:933:in `connect'
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/lib/ruby/2.3.0/net/http.rb:852:in `start'
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/lib/ruby/2.3.0/net/http.rb:584:in `start'
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/lib/ruby/2.3.0/net/http.rb:479:in `get_response'
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/lib/ruby/2.3.0/net/http.rb:456:in `get'
        from (irb):2
        from /home/renatolond/.rvm/rubies/ruby-2.3.4/bin/irb:11:in `<main>'

Using curl instead:

$ curl -v https://otr.to/
*   Trying 136.243.60.155...
* TCP_NODELAY set
* Connected to otr.to (136.243.60.155) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My openssl version:

$ openssl version
OpenSSL 1.1.0g  2 Nov 2017

If I try with openssl:

$  openssl s_client -connect otr.to:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = otr.to
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = otr.to
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=otr.to
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=otr.to
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2009 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1C5B7B2ED6F51889AF806F7D5647AE635E266AD4A096F99A05D787791E40E6F7
    Session-ID-ctx: 
    Master-Key: 7A1DB3C484DC2D028C6FA2B0E57824BE4AF3A6A4209E0D5914BF6197CBC062BAA9FF36C696149203AC3237557534E140
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

If I try to connect to that same website using my browsers (either Chromium or Firefox), it works too. So I'm quite confused. Does anyone have an idea of what it could be?

Last edited by renatolond (2018-01-22 14:09:41)

#2 2018-01-18 11:07:35

lo1
Member
Registered: 2017-09-25
Posts: 584

Re: [SOLVED] OpenSSL issues with curl and ruby

* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Seems to me that whoever developed curl was kind enough to leave a URL to follow when this kind of error occurs. Have you gone through it?

#3 2018-01-18 12:17:45

renatolond
Member
Registered: 2012-01-30
Posts: 11

Re: [SOLVED] OpenSSL issues with curl and ruby

lo1 wrote:
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Seems to me that whoever developed curl was kind enough to leave a URL to follow when this kind of error occurs. Have you gone through it?

Hi!
I did; my curl does have a CA set, which is:

$ curl-config --ca
/etc/ssl/certs/ca-certificates.crt

In that file, which exists, there are several entries for COMODO, the issuer for the website in question, but I'm not sure if there is a new one. There's no new ca-certificates or ca-certificates-mozilla package, so I'm not sure if I should add a certificate manually.
Also, I can't figure out why openssl works and curl doesn't.

I've tried following the instructions from that page, downloading a new cacert.pem and using it with curl, but the error persists.

$ curl -v --cacert ~/Downloads/cacert.pem https://otr.to/
*   Trying 136.243.60.155...
* TCP_NODELAY set
* Connected to otr.to (136.243.60.155) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /home/xxx/Downloads/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

#4 2018-01-22 13:44:11

lo1
Member
Registered: 2017-09-25
Posts: 584

Re: [SOLVED] OpenSSL issues with curl and ruby

https://stackoverflow.com/questions/246 … ertificate

I don't know if this applies to you, but in short you can:
- ignore any kind of certificates with `curl -k` (not so right)
- use `curl --cacert file` (which didn't work)
- update your certificates as per this guide

Also, I can't figure out why openssl works and curl doesn't.

That's something I couldn't explain, you can try to do your own research and get back to us when you have some news.

#5 2018-01-22 14:09:00

renatolond
Member
Registered: 2012-01-30
Posts: 11

Re: [SOLVED] OpenSSL issues with curl and ruby

So, from what I can understand, this comes from some partial misconfiguration in some domains. Openssl seems to work, but it also issues the warning:

Verification error: unable to verify the first certificate

SSL Labs seems to point out that there's an incomplete certificate chain.

That's also why just pointing to the file with --cacert didn't work. If I use the bundle that can be found on the COMODO website as the cacert file, it works.

For some servers I was able to solve it by downloading the COMODO bundle from their website and then adding it by following the link you posted on adding new certificate bundles. Since the problem is with incorrect chains, it's basically not a problem with Arch but with the websites, which I think the browsers ignore to improve user experience.

Thanks for the attention!

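Added example, not code from the thread: a Ruby script that reproduces the incomplete-chain failure from post #1 and both remedies from post #5 against a constructed root/intermediate/leaf hierarchy. The CA names, the "otr.to (constructed)" leaf and the helpers make_cert/verify_chain are invented here; it needs only Ruby's bundled openssl library and runs offline.

```ruby
require 'openssl'

# Build one X.509 cert; self-signed when no issuer is given. All values are constructed.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(1 << 62))
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Constructed three-tier hierarchy (root -> intermediate -> leaf), shaped like the COMODO one.
ROOT_KEY, INT_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Constructed Root CA', ROOT_KEY, ca: true)
INTERMEDIATE = make_cert('Constructed Intermediate CA', INT_KEY, issuer: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF = make_cert('otr.to (constructed)', LEAF_KEY, issuer: INTERMEDIATE, issuer_key: INT_KEY)

# Verify the way curl and Net::HTTP do: `trusted` plays the CA bundle, `presented`
# the extra certs the server sent along with its leaf. Returns [ok, error_string].
def verify_chain(leaf, trusted:, presented: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# 1. The thread's situation: bundle holds only the root, server sends only its leaf.
MISCONFIGURED = verify_chain(LEAF, trusted: [ROOT])
# 2. A correctly configured server also sends the intermediate.
SERVER_FIXED = verify_chain(LEAF, trusted: [ROOT], presented: [INTERMEDIATE])
# 3. The client-side workaround from post #5: the CA's bundle (root + intermediate) as --cacert.
CLIENT_WORKAROUND = verify_chain(LEAF, trusted: [ROOT, INTERMEDIATE])

if __FILE__ == $0
  puts "leaf only, root-only bundle:      #{MISCONFIGURED.inspect}"
  puts "leaf + intermediate sent:         #{SERVER_FIXED.inspect}"
  puts "leaf only, root+intermediate bundle: #{CLIENT_WORKAROUND.inspect}"
end
```

Case 1 fails with the same "unable to get local issuer certificate" that curl and Net::HTTP printed, which is why a fresh Mozilla cacert.pem (roots only) did not help while the CA's own bundle (which carries the intermediate) did.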