Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#62599 closed defect (invalid)

curl-ca-bundle @7.75.0 - unable to get local issuer certificate for https://chiselapp.com

Reported by: snowflake (Dave Evans) Owned by: ryandesign (Ryan Carsten Schmidt)
Priority: Normal Milestone:
Component: ports Version: 2.6.99
Keywords: Cc:
Port: curl-ca-bundle

Description

https://chiselapp.com/ is a site which serves fossil repositories. I noticed that one of my repositories was failing to update with a certificate error.

It failed on FreeBSD 12.2, El Capitan and Big Sur, so it is most likely an upstream problem. chiselapp.com uses Lets Encrypt as its root certificate provider I tried accessing the site with Google Chrome and found no problems with the certificate chain.

Here's the diagnostics from curl -v

Script started on Thu Apr  1 18:58:31 2021
command: curl -v https://chiselapp.com/
*   Trying 2607:f1c0:84b:4b02:68e8:7a3f:2812:3fc0:443...
* Immediate connect fail for 2607:f1c0:84b:4b02:68e8:7a3f:2812:3fc0: No route to host
*   Trying 74.208.146.128:443...
* Connected to chiselapp.com (74.208.146.128) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /opt/local/share/curl/curl-ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Script done on Thu Apr  1 18:58:32 2021

Change History (2)

comment:1 Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)

Resolution: invalid
Status: assignedclosed

I agree that this happens, but I don't think it's our fault.

www.macports.org also uses Let's Encrypt for its certificate and it works fine with our curl and curl-ca-bundle ports.

I ran an SSL report on chiselapp.com and it reported that:

This server's certificate chain is incomplete

and that the additional certificate provided for "Let's Encrypt Authority X3" expired 15 days ago. The administrators of the server need to fix this.

Compare with the report for macports.org which shows no issues with the additional certificates.

comment:2 Changed 4 years ago by snowflake (Dave Evans)

Note: See TracTickets for help on using tickets.