Created
December 27, 2020 03:37
-
-
Save KJTsanaktsidis/ee2efa514c1117184d7683920e94fcf7 to your computer and use it in GitHub Desktop.
nuxref tls
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Hey @l2g - thanks for putting this together. | |
| I tried to set this up today but I'm running into trouble with the TLS certificates on repo.nuxref.com: | |
| [code] | |
| kj@hyp01:~$ sudo rpm -Uhi https://repo.nuxref.com/fedora/fc33/en/x86_64/custom/nuxref-release-1.0.0-5.fc33.nuxref.noarch.rpm | |
| curl: (60) SSL certificate problem: unable to get local issuer certificate | |
| More details here: https://curl.haxx.se/docs/sslcerts.html | |
| curl failed to verify the legitimacy of the server and therefore could not | |
| establish a secure connection to it. To learn more about this situation and | |
| how to fix it, please visit the web page mentioned above. | |
| error: skipping https://repo.nuxref.com/fedora/fc33/en/x86_64/custom/nuxref-release-1.0.0-5.fc33.nuxref.noarch.rpm - transfer failed | |
| [/code] | |
| This is because your server is only sending the leaf certificate, and not the R3 letsencrypt intermediate required to complete the chain to DST Root CA X3: | |
| [code] | |
| kj@hyp01:~$ openssl s_client -connect repo.nuxref.com:443 -showcerts -verify 1 | |
| verify depth is 1 | |
| CONNECTED(00000003) | |
| depth=0 CN = nuxref.com | |
| verify error:num=20:unable to get local issuer certificate | |
| verify return:1 | |
| depth=0 CN = nuxref.com | |
| verify error:num=21:unable to verify the first certificate | |
| verify return:1 | |
| depth=0 CN = nuxref.com | |
| verify return:1 | |
| --- | |
| Certificate chain | |
| 0 s:CN = nuxref.com | |
| i:C = US, O = Let's Encrypt, CN = R3 | |
| -----BEGIN CERTIFICATE----- | |
| MIIGOzCCBSOgAwIBAgISA4nizBZvzTrx4O9A3qZDNbpvMA0GCSqGSIb3DQEBCwUA | |
| MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD | |
| EwJSMzAeFw0yMDEyMTUxMzI2NDJaFw0yMTAzMTUxMzI2NDJaMBUxEzARBgNVBAMT | |
| Cm51eHJlZi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDN9l3u | |
| zu7mlW9QPQbIGOSIyvLtjKIv0qFvh71qDfylOziu/w7IvO+eSU2Cw9JlI4eNCETt | |
| qGzOJmIrgMu4pxonHVIYXen6Atq1mzjqG475iIdzYLLIIvdq82socv98IzLdkvTT | |
| wlXUUAEb9ejkolkpFyo/5rY1SkcuSl6m8lb6mSb8Rd3oKx2y1tFN39q0YmOQeHDz | |
| nPQhzsRktDraxoC+Ptc50TVMn5SMi0pEdCMFFPf2IV+ekOjtT53Ri6zA4J8kvoHs | |
| AHFvvAAdtRjn0lt2tvrG0qa87WVj1YFvkvneezUpv1U5VHQIyyGkAfBNgbcB+7Ur | |
| 7qnTgExczttBVBZ91Kc0UDA2JvsFJRS+2w8/QNlVZ/YTH6vNh7Vag7IR5N/idLmO | |
| ouaFiYWaiMVeXi8/orf9V7CuR456gkOsA5Wwr6AdlTrag54KwECQ6fPPZbs4DDoA | |
| EptEE1AyL9iZyFG4Kn1P0FxP8Lk3whFf+Y1q22h4MfCAwUac06LpeZWI3b8EG5ry | |
| S54HmqguLeJpiGusYafgFgFGSYnSKNi0RD2psMa8rcCpnkUTYxT43qS92Y5gQohH | |
| S2/ajtiCYkxwEgTlxHEp1xpPOJ7+SIbfbF0QO0DuDV7aXf+LUtaQMe1XmGXt+vCZ | |
| JddMiwLcnt9rChL0f4Z8ytIX2Rta/fo6rt43WQIDAQABo4ICZjCCAmIwDgYDVR0P | |
| AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB | |
| Af8EAjAAMB0GA1UdDgQWBBQ8z9MXRONt47q+KvnaIVWDJsXhkDAfBgNVHSMEGDAW | |
| gBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUH | |
| MAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3Iz | |
| LmkubGVuY3Iub3JnLzA2BgNVHREELzAtggpudXhyZWYuY29tgg9yZXBvLm51eHJl | |
| Zi5jb22CDnd3dy5udXhyZWYuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysG | |
| AQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQu | |
| b3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAlCC8Ho7VjWyIcx+CiyIsDdHa | |
| TV5sT5Q9YdtOL1hNosIAAAF2ZsvTewAABAMARzBFAiEAp7uYZTtMpM8BXFkztIgW | |
| GhBIXutIe7HgFaAi32pNYUgCICqhIp6KewWTOFWLhLsvor2jhasOvnQPbpqwB1AB | |
| 9SVWAHYA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAF2ZsvTvAAA | |
| BAMARzBFAiBe0ZlHc4+uECKjIyT0XW1z+N6OwI8HtzpdYLHRA8LXmgIhAIzb4yLb | |
| +QSHGs9PNLVCl3uPc18IOpLLX33L2jf2CPciMA0GCSqGSIb3DQEBCwUAA4IBAQCL | |
| QmiRbunQ1g/L6MJKYdabML0XU7sjqWoF/hYQbJn5BbN46rQsPSzEG6Jxp38tFuSd | |
| YfKVJ2BfNL9mhYRA5MaBMqgbzwmJkR4mkisUKRjjVb7ppG4/gE2iRD5hY44ZAhzF | |
| Ef5GsiV3DSs/XOfqKvpzCNTCuPUxNXSCAsRzl7NRn2QB8EZXM8mX0L7VhVQWkLN+ | |
| 2Uqt1lAqgQ4U7vM9/1aFMTKMAmhGdpaz6Nr6+q6i3fXVEzmL2glCpAzIYXtFc8DE | |
| upwHAb5NNHiBmdGGbTryzRPyWTtaGTBRLxVFJU1yd5czUQb074Ol7nTxYOJV2+Wu | |
| 0Z7xWa7v6TuB3OFDD0x5 | |
| -----END CERTIFICATE----- | |
| --- | |
| Server certificate | |
| subject=CN = nuxref.com | |
| issuer=C = US, O = Let's Encrypt, CN = R3 | |
| --- | |
| No client certificate CA names sent | |
| Peer signing digest: SHA256 | |
| Peer signature type: RSA-PSS | |
| Server Temp Key: X25519, 253 bits | |
| --- | |
| SSL handshake has read 2516 bytes and written 402 bytes | |
| Verification error: unable to verify the first certificate | |
| --- | |
| New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 | |
| Server public key is 4096 bit | |
| Secure Renegotiation IS supported | |
| Compression: NONE | |
| Expansion: NONE | |
| No ALPN negotiated | |
| SSL-Session: | |
| Protocol : TLSv1.2 | |
| Cipher : ECDHE-RSA-AES128-GCM-SHA256 | |
| Session-ID: 31327EF79B67A1F3CDD74EF03CD5A42791E29ADE7EA7CB945CEC5F186ED5A0E9 | |
| Session-ID-ctx: | |
| Master-Key: 69B91DF2105EA093A8E5C58455815DF3B6224FB2FE13BD32F921D06286FDC432978DEAF3A23205D5766CBC0E682C3572 | |
| PSK identity: None | |
| PSK identity hint: None | |
| SRP username: None | |
| TLS session ticket lifetime hint: 300 (seconds) | |
| TLS session ticket: | |
| 0000 - c6 49 02 64 cb 4f fe 1c-41 d8 d6 49 f1 23 5e 12 .I.d.O..A..I.#^. | |
| 0010 - d2 77 a7 61 a2 01 55 db-5d a8 66 be 06 8c db a1 .w.a..U.].f..... | |
| 0020 - 05 2d c3 d8 ae 92 de 26-11 a7 62 93 d3 8e 71 a2 .-.....&..b...q. | |
| 0030 - e9 c3 9e c5 35 21 c7 ec-7a 7c 07 bd b8 19 d8 28 ....5!..z|.....( | |
| 0040 - 41 08 c7 b8 e1 cf 53 37-14 bf 57 d8 c6 66 36 d2 A.....S7..W..f6. | |
| 0050 - dd 63 e6 00 98 37 50 23-98 1d 25 e1 e3 36 57 a9 .c...7P#..%..6W. | |
| 0060 - e3 3f 17 a0 cb 4e ac e4-9c 00 7a fc 8d 97 ce 05 .?...N....z..... | |
| 0070 - 17 ab be c6 5b bc d4 9a-31 92 6d 25 2a ba 6a 7c ....[...1.m%*.j| | |
| 0080 - 14 54 3f 9b 36 3a 97 db-86 c4 0e d5 e2 45 91 8d .T?.6:.......E.. | |
| 0090 - c6 ff b8 7c ac 0b b1 9a-e7 0f 7f cf a2 52 af 6d ...|.........R.m | |
| 00a0 - 0d 99 8e 87 22 e4 34 dc-28 c3 fd 1d b1 69 b2 2d ....".4.(....i.- | |
| 00b0 - 5d 2a bb 23 59 ae 47 18-91 9a c8 fc 08 9b 4a 21 ]*.#Y.G.......J! | |
| Start Time: 1609039733 | |
| Timeout : 7200 (sec) | |
| Verify return code: 21 (unable to verify the first certificate) | |
| Extended master secret: yes | |
| --- | |
| ^C | |
| [/code] | |
| It actually works in browsers because your certificate has an Authority Information Access (AIA) section pointing at r3.i.lencr.org. Browsers can use this to chase down the R3 letsencrypt intermedate required to complete the chain, but openssl (and hence rpm/dnf/etc) don't (see https:github.com/openssl/openssl/issues/5168). | |
| [code] | |
| kj@hyp01:~$ cat thecert.pem | openssl x509 -noout -text | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: | |
| 03:89:e2:cc:16:6f:cd:3a:f1:e0:ef:40:de:a6:43:35:ba:6f | |
| Signature Algorithm: sha256WithRSAEncryption | |
| Issuer: C = US, O = Let's Encrypt, CN = R3 | |
| Validity | |
| Not Before: Dec 15 13:26:42 2020 GMT | |
| Not After : Mar 15 13:26:42 2021 GMT | |
| Subject: CN = nuxref.com | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| RSA Public-Key: (4096 bit) | |
| Modulus: | |
| 00:cd:f6:5d:ee:ce:ee:e6:95:6f:50:3d:06:c8:18: | |
| e4:88:ca:f2:ed:8c:a2:2f:d2:a1:6f:87:bd:6a:0d: | |
| fc:a5:3b:38:ae:ff:0e:c8:bc:ef:9e:49:4d:82:c3: | |
| d2:65:23:87:8d:08:44:ed:a8:6c:ce:26:62:2b:80: | |
| cb:b8:a7:1a:27:1d:52:18:5d:e9:fa:02:da:b5:9b: | |
| 38:ea:1b:8e:f9:88:87:73:60:b2:c8:22:f7:6a:f3: | |
| 6b:28:72:ff:7c:23:32:dd:92:f4:d3:c2:55:d4:50: | |
| 01:1b:f5:e8:e4:a2:59:29:17:2a:3f:e6:b6:35:4a: | |
| 47:2e:4a:5e:a6:f2:56:fa:99:26:fc:45:dd:e8:2b: | |
| 1d:b2:d6:d1:4d:df:da:b4:62:63:90:78:70:f3:9c: | |
| f4:21:ce:c4:64:b4:3a:da:c6:80:be:3e:d7:39:d1: | |
| 35:4c:9f:94:8c:8b:4a:44:74:23:05:14:f7:f6:21: | |
| 5f:9e:90:e8:ed:4f:9d:d1:8b:ac:c0:e0:9f:24:be: | |
| 81:ec:00:71:6f:bc:00:1d:b5:18:e7:d2:5b:76:b6: | |
| fa:c6:d2:a6:bc:ed:65:63:d5:81:6f:92:f9:de:7b: | |
| 35:29:bf:55:39:54:74:08:cb:21:a4:01:f0:4d:81: | |
| b7:01:fb:b5:2b:ee:a9:d3:80:4c:5c:ce:db:41:54: | |
| 16:7d:d4:a7:34:50:30:36:26:fb:05:25:14:be:db: | |
| 0f:3f:40:d9:55:67:f6:13:1f:ab:cd:87:b5:5a:83: | |
| b2:11:e4:df:e2:74:b9:8e:a2:e6:85:89:85:9a:88: | |
| c5:5e:5e:2f:3f:a2:b7:fd:57:b0:ae:47:8e:7a:82: | |
| 43:ac:03:95:b0:af:a0:1d:95:3a:da:83:9e:0a:c0: | |
| 40:90:e9:f3:cf:65:bb:38:0c:3a:00:12:9b:44:13: | |
| 50:32:2f:d8:99:c8:51:b8:2a:7d:4f:d0:5c:4f:f0: | |
| b9:37:c2:11:5f:f9:8d:6a:db:68:78:31:f0:80:c1: | |
| 46:9c:d3:a2:e9:79:95:88:dd:bf:04:1b:9a:f2:4b: | |
| 9e:07:9a:a8:2e:2d:e2:69:88:6b:ac:61:a7:e0:16: | |
| 01:46:49:89:d2:28:d8:b4:44:3d:a9:b0:c6:bc:ad: | |
| c0:a9:9e:45:13:63:14:f8:de:a4:bd:d9:8e:60:42: | |
| 88:47:4b:6f:da:8e:d8:82:62:4c:70:12:04:e5:c4: | |
| 71:29:d7:1a:4f:38:9e:fe:48:86:df:6c:5d:10:3b: | |
| 40:ee:0d:5e:da:5d:ff:8b:52:d6:90:31:ed:57:98: | |
| 65:ed:fa:f0:99:25:d7:4c:8b:02:dc:9e:df:6b:0a: | |
| 12:f4:7f:86:7c:ca:d2:17:d9:1b:5a:fd:fa:3a:ae: | |
| de:37:59 | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Key Usage: critical | |
| Digital Signature, Key Encipherment | |
| X509v3 Extended Key Usage: | |
| TLS Web Server Authentication, TLS Web Client Authentication | |
| X509v3 Basic Constraints: critical | |
| CA:FALSE | |
| X509v3 Subject Key Identifier: | |
| 3C:CF:D3:17:44:E3:6D:E3:BA:BE:2A:F9:DA:21:55:83:26:C5:E1:90 | |
| X509v3 Authority Key Identifier: | |
| keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6 | |
| Authority Information Access: | |
| OCSP - URI:http://r3.o.lencr.org | |
| CA Issuers - URI:http://r3.i.lencr.org | |
| X509v3 Subject Alternative Name: | |
| DNS:nuxref.com, DNS:repo.nuxref.com, DNS:www.nuxref.com | |
| X509v3 Certificate Policies: | |
| Policy: 2.23.140.1.2.1 | |
| Policy: 1.3.6.1.4.1.44947.1.1.1 | |
| CPS: http://cps.letsencrypt.org | |
| CT Precertificate SCTs: | |
| Signed Certificate Timestamp: | |
| Version : v1 (0x0) | |
| Log ID : 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D: | |
| D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2 | |
| Timestamp : Dec 15 14:26:42.683 2020 GMT | |
| Extensions: none | |
| Signature : ecdsa-with-SHA256 | |
| 30:45:02:21:00:A7:BB:98:65:3B:4C:A4:CF:01:5C:59: | |
| 33:B4:88:16:1A:10:48:5E:EB:48:7B:B1:E0:15:A0:22: | |
| DF:6A:4D:61:48:02:20:2A:A1:22:9E:8A:7B:05:93:38: | |
| 55:8B:84:BB:2F:A2:BD:A3:85:AB:0E:BE:74:0F:6E:9A: | |
| B0:07:50:01:F5:25:56 | |
| Signed Certificate Timestamp: | |
| Version : v1 (0x0) | |
| Log ID : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E: | |
| E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3 | |
| Timestamp : Dec 15 14:26:42.748 2020 GMT | |
| Extensions: none | |
| Signature : ecdsa-with-SHA256 | |
| 30:45:02:20:5E:D1:99:47:73:8F:AE:10:22:A3:23:24: | |
| F4:5D:6D:73:F8:DE:8E:C0:8F:07:B7:3A:5D:60:B1:D1: | |
| 03:C2:D7:9A:02:21:00:8C:DB:E3:22:DB:F9:04:87:1A: | |
| CF:4F:34:B5:42:97:7B:8F:73:5F:08:3A:92:CB:5F:7D: | |
| CB:DA:37:F6:08:F7:22 | |
| Signature Algorithm: sha256WithRSAEncryption | |
| 8b:42:68:91:6e:e9:d0:d6:0f:cb:e8:c2:4a:61:d6:9b:30:bd: | |
| 17:53:bb:23:a9:6a:05:fe:16:10:6c:99:f9:05:b3:78:ea:b4: | |
| 2c:3d:2c:c4:1b:a2:71:a7:7f:2d:16:e4:9d:61:f2:95:27:60: | |
| 5f:34:bf:66:85:84:40:e4:c6:81:32:a8:1b:cf:09:89:91:1e: | |
| 26:92:2b:14:29:18:e3:55:be:e9:a4:6e:3f:80:4d:a2:44:3e: | |
| 61:63:8e:19:02:1c:c5:11:fe:46:b2:25:77:0d:2b:3f:5c:e7: | |
| ea:2a:fa:73:08:d4:c2:b8:f5:31:35:74:82:02:c4:73:97:b3: | |
| 51:9f:64:01:f0:46:57:33:c9:97:d0:be:d5:85:54:16:90:b3: | |
| 7e:d9:4a:ad:d6:50:2a:81:0e:14:ee:f3:3d:ff:56:85:31:32: | |
| 8c:02:68:46:76:96:b3:e8:da:fa:fa:ae:a2:dd:f5:d5:13:39: | |
| 8b:da:09:42:a4:0c:c8:61:7b:45:73:c0:c4:ba:9c:07:01:be: | |
| 4d:34:78:81:99:d1:86:6d:3a:f2:cd:13:f2:59:3b:5a:19:30: | |
| 51:2f:15:45:25:4d:72:77:97:33:51:06:f4:ef:83:a5:ee:74: | |
| f1:60:e2:55:db:e5:ae:d1:9e:f1:59:ae:ef:e9:3b:81:dc:e1: | |
| 43:0f:4c:79 | |
| [/code] | |
| So I think you need to wrangle your server into serving up a full certificate chain for this to work properly. Thanks again for your work packaging this! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you so much for such a thorough investigation! ❤️
I really appreciate you pointing this out. I think I've fixed the issue now, but I would have never known if it weren't for your help!