Overview
| Artifact ID: | 82f54b6b6e3a4feacb4ed5154d713f62e1c6b51b |
|---|---|
| Ticket: | 8d79a6910690db6487dbe4771f3264f95771e484 TLS cert chain incomplete |
| User & Date: | anonymous 2024-10-12 13:21:50 |
Changes
- icomment:
```
$ fossil clone https://chiselapp.com/user/rkeene/repository/flint flint.fossil
Unable to verify SSL cert from chiselapp.com
  subject: CN = chiselapp.com
  issuer: C = US, O = Let's Encrypt, CN = R11
  notBefore: 2024-10-07 03:41:38 UTC
  notAfter: 2025-01-05 03:41:37 UTC
  sha256: 2d654f473bb6291c1b0f79ee2cae8b75be64f3a6e2dcec221f44982f72b6dc80
```

```
$ curl -v https://chiselapp.com
* Host chiselapp.com:443 was resolved.
* IPv6: 2607:f1c0:800:8902:68e8:7a3f:2812:3fc0
* IPv4: 74.208.229.64
* Trying [2607:f1c0:800:8902:68e8:7a3f:2812:3fc0]:443...
* Connected to chiselapp.com (2607:f1c0:800:8902:68e8:7a3f:2812:3fc0) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
* closing connection #0
curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
```

I think the problem may be that Let's Encrypt now selects a random intermediate issuer on each renewal, so you must have the web server update this every time instead of using a hard-coded chain?

https://letsencrypt.org/2024/03/19/new-intermediate-certificates/

https://www.ssllabs.com/ssltest/analyze.html?d=chiselapp.com&s=74.208.229.64
- login: "anonymous"
- mimetype: "text/x-markdown"
- severity changed to: "Important"
- status changed to: "Open"
- title changed to: "TLS cert chain incomplete"
- type changed to: "Incident"
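
The failure mode the comment suspects, reproduced offline as an added example (not part of the ticket or of the chiselapp.com configuration): a renewed leaf is issued by a different intermediate while the server keeps sending a hard-coded chain file from the previous issuance. All names (`demo-root`, `demo-R10`, `demo-R11`, `demo.example`) and keys are constructed throwaway material, and the helper functions `issue` and `chain_ok` are hypothetical.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate is generated locally and discarded.
set -e
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# Minimal config so CA certificates carry basicConstraints=CA:TRUE.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# Self-signed root: the only certificate the client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
  -subj "/CN=demo-root" -keyout demo-root.key -out demo-root.pem -days 2 2>/dev/null

# issue <name> <issuer> <serial> [ca]: create key + CSR, sign it with <issuer>.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$4" = ca ]; then ext="-extfile ca.cnf -extensions v3_ca"; else ext=""; fi
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
    -days 2 $ext -out "$1.pem" 2>/dev/null
}

issue demo-R10 demo-root 10 ca     # intermediate used at the previous issuance
issue demo-R11 demo-root 11 ca     # intermediate selected at this renewal
issue demo.example demo-R11 100    # renewed leaf, issued by demo-R11

cp demo-R10.pem stale-chain.pem    # hard-coded chain file, never updated
cp demo-R11.pem fresh-chain.pem    # chain file replaced together with the leaf

# chain_ok <chainfile>: can a client that trusts only the root build a path
# from the leaf through the intermediates the server would send?
chain_ok() {
  openssl verify -CAfile demo-root.pem -untrusted "$1" demo.example.pem >/dev/null 2>&1
}

for c in stale-chain.pem fresh-chain.pem; do
  if chain_ok "$c"; then echo "$c: chain verifies"
  else echo "$c: leaf issuer not in chain"; fi
done
```

The same `openssl verify -untrusted` check can run in a renewal hook against the files the web server is about to serve, so a leaf/intermediate mismatch is caught before reload.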