Ticket Change Details
Overview

Artifact ID: 82f54b6b6e3a4feacb4ed5154d713f62e1c6b51b
Ticket: 8d79a6910690db6487dbe4771f3264f95771e484
TLS cert chain incomplete
User & Date: anonymous 2024-10-12 13:21:50
Changes

  1. icomment:
    ```
    $ fossil clone https://chiselapp.com/user/rkeene/repository/flint flint.fossil
    Unable to verify SSL cert from chiselapp.com
      subject:   CN = chiselapp.com
      issuer:    C = US, O = Let's Encrypt, CN = R11
      notBefore: 2024-10-07 03:41:38 UTC
      notAfter:  2025-01-05 03:41:37 UTC
      sha256:    2d654f473bb6291c1b0f79ee2cae8b75be64f3a6e2dcec221f44982f72b6dc80
    ```
    
    ```
    $ curl -v https://chiselapp.com
    * Host chiselapp.com:443 was resolved.
    * IPv6: 2607:f1c0:800:8902:68e8:7a3f:2812:3fc0
    * IPv4: 74.208.229.64
    *   Trying [2607:f1c0:800:8902:68e8:7a3f:2812:3fc0]:443...
    * Connected to chiselapp.com (2607:f1c0:800:8902:68e8:7a3f:2812:3fc0) port 443
    * ALPN: curl offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS alert, unknown CA (560):
    * OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
    * closing connection #0
    curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
    ```
    
    I think the problem may be that Let's Encrypt now selects a random intermediate issuer on each renewal, so you must have the web server update this every time instead of using a hard-coded chain? https://letsencrypt.org/2024/03/19/new-intermediate-certificates/
    
    https://www.ssllabs.com/ssltest/analyze.html?d=chiselapp.com&s=74.208.229.64
    
  2. login: "anonymous"
  3. mimetype: "text/x-markdown"
  4. severity changed to: "Important"
  5. status changed to: "Open"
  6. title changed to: "TLS cert chain incomplete"
  7. type changed to: "Incident"