Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#62599 closed defect (invalid)

curl-ca-bundle @7.75.0 - unable to get local issuer certificate for https://chiselapp.com

Reported by: snowflake (Dave Evans)
Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: Normal
Milestone:
Component: ports
Version: 2.6.99
Keywords:
Cc:
Port: curl-ca-bundle

Description

https://chiselapp.com/ is a site which serves fossil repositories. I noticed that one of my repositories was failing to update with a certificate error.

It failed on FreeBSD 12.2, El Capitan and Big Sur, so it is most likely an upstream problem. chiselapp.com uses Let's Encrypt as its root certificate provider. I tried accessing the site with Google Chrome and found no problems with the certificate chain.

Here are the diagnostics from curl -v:

Script started on Thu Apr  1 18:58:31 2021
command: curl -v https://chiselapp.com/
*   Trying 2607:f1c0:84b:4b02:68e8:7a3f:2812:3fc0:443...
* Immediate connect fail for 2607:f1c0:84b:4b02:68e8:7a3f:2812:3fc0: No route to host
*   Trying 74.208.146.128:443...
* Connected to chiselapp.com (74.208.146.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /opt/local/share/curl/curl-ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Script done on Thu Apr  1 18:58:32 2021

Change History (2)

comment:1 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

Resolution: invalid
Status: assigned → closed

I agree that this happens, but I don't think it's our fault.

www.macports.org also uses Let's Encrypt for its certificate and it works fine with our curl and curl-ca-bundle ports.

I ran an SSL report on chiselapp.com and it reported that:

This server's certificate chain is incomplete

and that the additional certificate provided for "Let's Encrypt Authority X3" expired 15 days ago. The administrators of the server need to fix this.

Compare with the report for macports.org which shows no issues with the additional certificates.
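
The diagnosis in comment:1, reproduced offline as an added example (not part of the ticket and not MacPorts code): a constructed root, intermediate and leaf are generated with the openssl CLI, and the leaf is then verified against a root-only bundle with and without the intermediate. All subjects, file names and the helper functions `make_chain` and `verify_as_client` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; every name, subject and file below is constructed for the demo.

# Build root -> intermediate -> leaf under directory $1.
make_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' \
        '[leaf]' 'basicConstraints=CA:FALSE' > "$d/demo.cnf"
    # Root: stands in for a root that is present in curl-ca-bundle.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$d/demo.cnf" -extensions ca -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate: signed by the root; not in the bundle, so the server must send it.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -set_serial 2 \
        -CA "$d/root.pem" -CAkey "$d/root.key" \
        -extfile "$d/demo.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null
    # Leaf: the server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=server.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -set_serial 3 \
        -CA "$d/int.pem" -CAkey "$d/int.key" \
        -extfile "$d/demo.cnf" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf against a root-only bundle. $2 = "complete" means the server
# also sent the intermediate; anything else models the incomplete chain.
verify_as_client() {
    d=$1
    if [ "$2" = complete ]; then
        openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem" 2>&1 || true
    else
        openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1 || true
    fi
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "--- server sends leaf only ---";           verify_as_client "$demo_dir" incomplete
echo "--- server sends leaf + intermediate ---"; verify_as_client "$demo_dir" complete
rm -rf "$demo_dir"
```

The first check fails with the same "unable to get local issuer certificate" text that curl printed in the report, even though the root is trusted; the second passes once the intermediate is supplied alongside the leaf.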

comment:2 Changed 3 years ago by snowflake (Dave Evans)
