Curl install problem

What is the problem you are having with rclone?

cd && curl -O https://downloads.rclone.org/rclone-current-osx-amd64.zip
but I fall at the first hurdle because the rclone https certificate is invalid:

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html


What is your rclone version (output from rclone version)

I don't have rclone yet. My problem is installing.

Which cloud storage system are you using? (eg Google Drive)

Onedrive

The command you were trying to run (eg rclone copy /tmp remote:tmp)

cd && curl -O https://downloads.rclone.org/rclone-current-osx-amd64.zip

The rclone config contents with secrets removed.

no config yet

A log from the command with the -vv flag

No logs yet

Sounds like you have an old OS.

What operating system are you running?

Try to add curl -k flag so it ignores bad certificate.


rclone.org certificate fails for me on Ubuntu 18.04 bionic. Not too old IMHO
@Paul_Young I suggest the curl -k workaround for now

I specifically checked that rclone selfupdate is not affected on ubuntu 18.04 with latest updates and on ubuntu 16.04 with latest updates. Works for me :slight_smile:

Most likely you have to update your certificate store, as the Let's Encrypt cert expired at the end of Sept this year, and it sounds like you are not updated/patched on that install, as 18.04 is an LTS release so good for some time.

OP didn't post their OS and they were downloading the MacOS version: osx-amd64 was on their curl.

I have performed apt-get dist-upgrade and rebooted.

Actual versions:

$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
$ openssl version
OpenSSL 1.1.1  11 Sep 2018
$ lsb_release -a
Description:    Ubuntu 18.04.6 LTS

Still got the problem

$ curl -O https://downloads.rclone.org/rclone-current-osx-amd64.zip
curl: (60) SSL certificate problem: unable to get issuer certificate
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.

Looks like this needs some special manipulations :frowning:

I don't experience this problem on another box with newer ubuntu 20.04 and third box with pretty old 16.04 :open_mouth:

Perhaps try:

root@gemini:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Updating Mono key store
Mono Certificate Store Sync - version 6.12.0.122
Populate Mono certificate store from a concatenated list of certificates.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Importing into legacy system store:
I already trust 128, your new list has 128
Import process completed.

Importing into BTLS system store:
I already trust 128, your new list has 128
Import process completed.
Done
done.

Locally on your machine, you should see the new root cert:


root@gemini:/etc/ssl/certs# ls -al ISRG_Root_X1.pem
lrwxrwxrwx 1 root root 51 Feb  1  2021 ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

You can check that certificate on the machine if the root cert is installed:

root@gemini:/etc/ssl/certs# cat ISRG_Root_X1.pem | openssl x509 -noout -enddate
notAfter=Jun  4 11:04:38 2035 GMT

If that root certificate is missing/not installed on the machine, that would cause the issue.

$ sudo dpkg-reconfigure ca-certificates
Updating certificates in /etc/ssl/certs...0 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~18.04.2) ...
Updating certificates in /etc/ssl/certs...0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
tificates
Updating certificates in /etc/ssl/certs...0 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~18.04.2) ...
Updating certificates in /etc/ssl/certs...0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
$ ls -l /etc/ssl/certs/ISRG_Root_X1.pem
lrwxrwxrwx 1 root root 51 Jan 12  2020 /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
$ curl -O https://downloads.rclone.org/rclone-current-osx-amd64.zip
curl failed to verify the legitimacy of the server

:open_mouth: :open_mouth:

$ host=download.rclone.org; openssl s_client -showcerts -connect $host:443 -servername $host
CONNECTED(00000005)
140159237235136:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1528:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Can you run that to see what the expiry date on your cert is? I'd imagine it's the old one?

$ cat /etc/ssl/certs/ISRG_Root_X1.pem | openssl x509 -noout -enddate
notAfter=Jun  4 11:04:38 2035 GMT

fresh enough.

I also checked that curl links in a fresh openssl

$ ldd /usr/bin/curl | grep ssl
           libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f8722630000)

no luck

$  curl -O -4 -vvv https://downloads.rclone.org/rclone-current-osx-amd64.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 5.153.250.7...
* TCP_NODELAY set
* Connected to downloads.rclone.org (5.153.250.7) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Unknown (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3834 bytes data]
* TLSv1.3 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get issuer certificate
* stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.

Neat.

What do you get if you do?

felix@gemini:~$ echo | openssl s_client -connect downloads.rclone.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = downloads.rclone.org
verify return:1
---
Certificate chain
 0 s:CN = downloads.rclone.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = downloads.rclone.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4176 bytes and written 376 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 08DB2E42042003A793B5255898B8B010B32A9E8344441106E401686DD6DC0869
    Session-ID-ctx:
    Resumption PSK: 92970FCB9AD83D21B1DE098B939A50D71493AF967296342C01B3115A2DB5C463
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1634916814
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE

I did a docker install for 18.04 and did not install ca-certificates and got the error but after I installed that, it worked:

root@90bac59391ee:/# echo | openssl s_client -connect downloads.rclone.org:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = downloads.rclone.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = downloads.rclone.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4176 bytes and written 386 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 23CF0AF6E2B37CC37F0875B8764C3D7284F8036F9816843076571C3F9904CFB1
    Session-ID-ctx:
    Resumption PSK: EC44CCF71DC30DE7B7B3955CEAC77F38710E550B993502E7F1569D1F341172EB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1634916993
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
root@90bac59391ee:/# apt install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ca-certificates
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 145 kB of archives.
After this operation, 388 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports bionic-updates/main arm64 ca-certificates all 20210119~18.04.2 [145 kB]
Fetched 145 kB in 0s (2099 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package ca-certificates.
(Reading database ... 4629 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20210119~18.04.2_all.deb ...
Unpacking ca-certificates (20210119~18.04.2) ...
Setting up ca-certificates (20210119~18.04.2) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/aarch64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/aarch64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/aarch64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/aarch64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.)
debconf: falling back to frontend: Teletype
Updating certificates in /etc/ssl/certs...
128 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~18.04.2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@90bac59391ee:/# echo | openssl s_client -connect downloads.rclone.org:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = downloads.rclone.org
verify return:1
---
Certificate chain
 0 s:CN = downloads.rclone.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = downloads.rclone.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4177 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: E67CE39CFCCDFA44E878B9B6C0A3D9CCA58D124B6C77D284E798E94D421122F2
    Session-ID-ctx:
    Resumption PSK: 06F16A9DF5C6914E1CA96B582A2F3C66E5D9FB8757BCE576A42DCB8E1DCFA29D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1634917064
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
root@90bac59391ee:/#
deex@hardy:~$ echo | openssl s_client -connect downloads.rclone.org:443
CONNECTED(00000005)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
---
Certificate chain
 0 s:CN = downloads.rclone.org
   i:C = US, O = Let's Encrypt, CN = R3


    Start Time: 1634917189
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
deex@hardy:~$
deex@hardy:~$ host downloads.rclone.org

downloads.rclone.org has address 5.153.250.7
downloads.rclone.org has IPv6 address 2a02:24e0:8:61f9::1
deex@hardy:~$

Also tried reinstalling certs from scratch

sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
sudo dpkg --purge --force-depends ca-certificates
sudo apt-get install ca-certificates
sudo update-ca-certificates

and an alternative tool

$ wget https://downloads.rclone.org/rclone-current-osx-amd64.zip
--2021-10-22 18:50:22--  https://downloads.rclone.org/rclone-current-osx-amd64.zip
Resolving downloads.rclone.org (downloads.rclone.org)... 2a02:24e0:8:61f9::1, 5.153.250.7
Connecting to downloads.rclone.org (downloads.rclone.org)|2a02:24e0:8:61f9::1|:443... connected.
ERROR: cannot verify downloads.rclone.org's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
  unable to get issuer certificate
To connect to downloads.rclone.org insecurely, use `--no-check-certificate'.

Something is deeply broken on my dev box.
Luckily the stuff I need is working.

Yeah, that seems really strange.

I did a docker install so that's as bare bones as can be and an install of ca-certificates and had no issue.

docker run -it ubuntu:18.04

and when I installed curl, I get a ca-certificates install, which works out of the box for me.

root@5cafddeabdc3:/# apt-get install curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  ca-certificates krb5-locales libasn1-8-heimdal libcurl4 libgssapi-krb5-2 libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal
  libhx509-5-heimdal libk5crypto3 libkeyutils1 libkrb5-26-heimdal libkrb5-3 libkrb5support0 libldap-2.4-2 libldap-common libnghttp2-14 libpsl5 libroken18-heimdal librtmp1
  libsasl2-2 libsasl2-modules libsasl2-modules-db libsqlite3-0 libssl1.1 libwind0-heimdal openssl publicsuffix

I can't imagine why the purge/re-add wouldn't fix it. That's super strange and probably something really buried in the chain somewhere.

I rechecked and reinstalled cleanly all 3 parts: curl, openssl, certs.
And found the problem. It was a crafted PEM file forcing the Let's Encrypt chain into the DST X3 root. It wasn't purged as it was ad hoc-made.
I can vaguely remember that in 2020 there was another widely known problem with the Let's Encrypt chain. I guess I was fixing or preparing to fix it and left the chain enforcer kludge forgotten on disk.
After DST X3 expired, the PEM started to force the chain into a dead end.

# which openssl
/usr/bin/openssl
# dpkg -S /usr/bin/openssl
openssl: /usr/bin/openssl
# ldd /usr/bin/openssl
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
...
# dpkg -S /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
libssl1.1:amd64: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
# dpkg --purge --force-depends curl
# dpkg --purge --force-depends libssl1.1
# dpkg --purge --force-depends ca-certificates
# ls -l /etc/ssl/certs/
lrwxrwxrwx 1 root root   21 Mar 29  2020 /etc/ssl/certs/2d486ed6.0 -> ssl-cert-snakeoil.pem
lrwxrwxrwx 1 root root   21 Apr  7  2021 /etc/ssl/certs/8d33f237.0 -> letsencrypt-chain.pem
lrwxrwxrwx 1 root root   54 Apr  7  2021 /etc/ssl/certs/letsencrypt-chain.pem -> /usr/local/share/ca-certificates/letsencrypt-chain.crt
-rw-r--r-- 1 root root 1034 Mar 29  2020 /etc/ssl/certs/ssl-cert-snakeoil.pem
# ls -l /usr/local/share/ca-certificates/
-rw-r--r-- 1 root root 1586 Apr  7  2021 letsencrypt-chain.crt
# rm -rf /usr/local/share/ca-certificates/* /etc/ssl/certs/*
# apt-get install libssl1.1 curl ca-certificates
...
Updating certificates in /etc/ssl/certs...128 added, 0 removed; done.
...
# curl -O https://downloads.rclone.org/rclone-current-osx-amd64.zip
36.9M      0 --:--:-- --:--:-- --:--:-- 36.9M

After removing the kludge everything works fine.
Sorry about wasting your time :frowning:
:pray:

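One way to automate the diagnosis this thread arrived at by hand, as an added example that is not code from the thread or from rclone: it parses `openssl s_client` output (the depth/verify lines and the chain block, assumed to be in the OpenSSL 1.1.1 format shown above) and tells a missing root apart from a stale, locally installed chain file that overrides the server-sent intermediate.

```python
"""Explain an `openssl s_client` verification failure from its output.

Added example (not code from the rclone thread or project). Assumes the
OpenSSL 1.1.1 format seen in the thread: 'depth=N <DN>' followed by
'verify error:num=<code>:<text>' (and 'issuer= <DN>' where printed),
plus the 'Certificate chain' block and 'Verify return code: N (...)'.
"""
import re

CHAIN = """Certificate chain
 0 s:CN = downloads.rclone.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Constructed samples, condensed from the three boxes in the thread.
SAMPLE_STRAY_FILE = ("depth=1 C = US, O = Let's Encrypt, CN = R3\n"
                     "verify error:num=2:unable to get issuer certificate\n"
                     "issuer= O = Digital Signature Trust Co., CN = DST Root CA X3\n"
                     + CHAIN + "Verify return code: 2 (unable to get issuer certificate)\n")
SAMPLE_NO_ROOT = ("depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
                  "verify error:num=20:unable to get local issuer certificate\n"
                  + CHAIN + "Verify return code: 20 (unable to get local issuer certificate)\n")
SAMPLE_OK = ("depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
             "verify return:1\n" + CHAIN + "Verify return code: 0 (ok)\n")


def cn(dn):
    """Pull the CN attribute out of an OpenSSL one-line DN."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(output):
    """Server-sent chain as [(subject_cn, issuer_cn), ...], leaf first."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)
    return [(cn(s), cn(i)) for s, i in pairs]


def parse_error(output):
    """First failing 'depth=N' line with its code, text and issuer= line (if any)."""
    m = re.search(r"^depth=(\d+) (.*)\nverify error:num=(\d+):(.*)(?:\nissuer= ?(.*))?$",
                  output, re.M)
    if not m:
        return None
    depth, dn, code, text, issuer = m.groups()
    return {"depth": int(depth), "subject": cn(dn), "code": int(code),
            "text": text.strip(), "issuer": cn(issuer) if issuer else None}


def diagnose(output):
    """Classify the failure the way the thread eventually did by hand."""
    err = parse_error(output)
    if err is None:
        return "ok"
    chain, d = parse_chain(output), err["depth"]
    # Thread's root cause: the store held a stale R3 signed by DST Root CA X3,
    # so OpenSSL took it over the server-sent R3 and then hit a dead end.
    if (err["issuer"] and d < len(chain) and chain[d][0] == err["subject"]
            and chain[d][1] != err["issuer"]):
        return (f"local store substituted {err['subject']!r} (issued by "
                f"{err['issuer']!r}) for the server-sent one (issued by "
                f"{chain[d][1]!r}); look for stale files in /usr/local/share/ca-certificates")
    if err["code"] == 20:
        # Nothing in the store signs the last cert the server sent: no root installed.
        return f"no trust anchor for {chain[-1][0]!r}; install/update ca-certificates"
    if err["code"] == 10:
        return f"{err['subject']!r} at depth {d} has expired; refresh the CA store"
    return f"verify error {err['code']} at depth {d}: {err['text']}"
```

Feed it the output of `echo | openssl s_client -connect downloads.rclone.org:443` captured from the failing box; the substitution check only fires when the `issuer=` line OpenSSL prints after the error names a different issuer than the server-sent certificate at the same depth.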