Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

[Paul Menzel]

[-- Attachment #1.1: Type: text/plain, Size: 687 bytes --]

[Please CC, as I am not subscribed.]

Dear ALSA folks,


Despite working in the browser (Mozilla Firefox), GNU Wget and curl give
the error below trying to download the script `alsa-info.sh`.

    $ wget https://www.alsa-project.org/alsa-info.sh
    --2018-12-18 17:27:57--  https://www.alsa-project.org/alsa-info.sh
    Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
    Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
    ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
    ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.


Kind regards,

Paul


[-- Attachment #1.2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5174 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

[Jaroslav Kysela]

Dne 18.12.2018 v 18:30 Paul Menzel napsal(a):
> [Please CC, as I am not subscribed.]
> 
> Dear ALSA folks,
> 
> 
> Despite working in the browser (Mozilla Firefox), GNU Wget and curl give
> the error below trying to download the script `alsa-info.sh`.
> 
>     $ wget https://www.alsa-project.org/alsa-info.sh
>     --2018-12-18 17:27:57--  https://www.alsa-project.org/alsa-info.sh
>     Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
>     Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
>     ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
>     ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.
> 
> 
> Kind regards,

We use Let's Encrypt (https://letsencrypt.org) certificates based on the
domain verification. It appears that your system CA certificate package
is missing the current CA key:

issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

You can find this CA certificate here:

https://letsencrypt.org/certificates/

The browsers are using own CA certificate database, and the Let's
Encrypt CA certificate is regularly updated there.

					Jaroslav

-- 
Jaroslav Kysela <perex@perex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel

Re: Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

[Paul Menzel]

[-- Attachment #1.1: Type: text/plain, Size: 2087 bytes --]

Dear Jaroslav,


On 12/18/18 19:18, Jaroslav Kysela wrote:
> Dne 18.12.2018 v 18:30 Paul Menzel napsal(a):
>> [Please CC, as I am not subscribed.]

>> Despite working in the browser (Mozilla Firefox), GNU Wget and curl give
>> the error below trying to download the script `alsa-info.sh`.
>>
>>     $ wget https://www.alsa-project.org/alsa-info.sh
>>     --2018-12-18 17:27:57--  https://www.alsa-project.org/alsa-info.sh
>>     Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
>>     Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
>>     ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
>>     ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.

> We use Let's Encrypt (https://letsencrypt.org) certificates based on the
> domain verification. It appears that your system CA certificate package
> is missing the current CA key:
> 
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 
> You can find this CA certificate here:
> 
> https://letsencrypt.org/certificates/
> 
> The browsers are using own CA certificate database, and the Let's
> Encrypt CA certificate is regularly updated there.

I believe, you need to add that certificate to the chain. The online
SSL test also fails and complains about incomplete certificate
chain [1].

> This server's certificate chain is incomplete. Grade capped to B.

Here is what the test with `openssl` shows.

```
$ openssl s_client -connect www.alsa-project.org:443
CONNECTED(00000003)
depth=0 CN = alsa-project.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = alsa-project.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = alsa-project.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
[…]
```

Does that work on your system?


Kind regards,

Paul


[1]: https://www.ssllabs.com/ssltest/analyze.html?d=www.alsa-project.org


[-- Attachment #1.2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5174 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

[Paul Menzel]

[-- Attachment #1.1: Type: text/plain, Size: 2350 bytes --]

Dear Jaroslav,


On 12/19/18 16:01, Paul Menzel wrote:

> On 12/18/18 19:18, Jaroslav Kysela wrote:
>> Dne 18.12.2018 v 18:30 Paul Menzel napsal(a):
>>> [Please CC, as I am not subscribed.]
> 
>>> Despite working in the browser (Mozilla Firefox), GNU Wget and curl give
>>> the error below trying to download the script `alsa-info.sh`.
>>>
>>>     $ wget https://www.alsa-project.org/alsa-info.sh
>>>     --2018-12-18 17:27:57--  https://www.alsa-project.org/alsa-info.sh
>>>     Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
>>>     Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
>>>     ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
>>>     ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.
> 
>> We use Let's Encrypt (https://letsencrypt.org) certificates based on the
>> domain verification. It appears that your system CA certificate package
>> is missing the current CA key:
>>
>> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>
>> You can find this CA certificate here:
>>
>> https://letsencrypt.org/certificates/
>>
>> The browsers are using own CA certificate database, and the Let's
>> Encrypt CA certificate is regularly updated there.
> 
> I believe, you need to add that certificate to the chain. The online
> SSL test also fails and complains about incomplete certificate
> chain [1].
> 
>> This server's certificate chain is incomplete. Grade capped to B.
> 
> Here is what the test with `openssl` shows.
> 
> ```
> $ openssl s_client -connect www.alsa-project.org:443
> CONNECTED(00000003)
> depth=0 CN = alsa-project.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = alsa-project.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = alsa-project.org
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> ---
> […]
> ```
> 
> Does that work on your system?

It does not work for me with the certificates downloaded from [2],
which should use the Mozilla database, and with Debian Stretch/stable.


Kind regards,

Paul


> [1]: https://www.ssllabs.com/ssltest/analyze.html?d=www.alsa-project.org


[-- Attachment #1.2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5174 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

[Jaroslav Kysela]

Dne 19.12.2018 v 16:01 Paul Menzel napsal(a):
> Dear Jaroslav,
> 
> 
> On 12/18/18 19:18, Jaroslav Kysela wrote:
>> Dne 18.12.2018 v 18:30 Paul Menzel napsal(a):
>>> [Please CC, as I am not subscribed.]
> 
>>> Despite working in the browser (Mozilla Firefox), GNU Wget and curl give
>>> the error below trying to download the script `alsa-info.sh`.
>>>
>>>     $ wget https://www.alsa-project.org/alsa-info.sh
>>>     --2018-12-18 17:27:57--  https://www.alsa-project.org/alsa-info.sh
>>>     Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
>>>     Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
>>>     ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
>>>     ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.
> 
>> We use Let's Encrypt (https://letsencrypt.org) certificates based on the
>> domain verification. It appears that your system CA certificate package
>> is missing the current CA key:
>>
>> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>
>> You can find this CA certificate here:
>>
>> https://letsencrypt.org/certificates/
>>
>> The browsers are using own CA certificate database, and the Let's
>> Encrypt CA certificate is regularly updated there.
> 
> I believe, you need to add that certificate to the chain. The online
> SSL test also fails and complains about incomplete certificate
> chain [1].
> 
>> This server's certificate chain is incomplete. Grade capped to B.
> 
> Here is what the test with `openssl` shows.
> 
> ```
> $ openssl s_client -connect www.alsa-project.org:443
> CONNECTED(00000003)
> depth=0 CN = alsa-project.org
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = alsa-project.org
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = alsa-project.org
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> ---
> […]
> ```
> 
> Does that work on your system?

You're right. It should be fixed now. Thank you for your notice.

				Jaroslav
-- 
Jaroslav Kysela <perex@perex.cz>
Linux Sound Maintainer; ALSA Project; Red Hat, Inc.
_______________________________________________
Alsa-devel mailing list
Alsa-devel@alsa-project.org
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel

Re: [solved] Console downloaders give *The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.*

[Paul Menzel]

[-- Attachment #1.1: Type: text/plain, Size: 1468 bytes --]

Dear Jaroslav,


On 12/19/18 17:33, Jaroslav Kysela wrote:
> Dne 19.12.2018 v 16:01 Paul Menzel napsal(a):

>> On 12/18/18 19:18, Jaroslav Kysela wrote:
>>> Dne 18.12.2018 v 18:30 Paul Menzel napsal(a):
>>>> [Please CC, as I am not subscribed.]
>>
>>>> Despite working in the browser (Mozilla Firefox), GNU Wget and curl give
>>>> the error below trying to download the script `alsa-info.sh`.
>>>>
>>>>     $ wget https://www.alsa-project.org/alsa-info.sh
>>>>     --2018-12-18 17:27:57--  https://www.alsa-project.org/alsa-info.sh
>>>>     Resolving www.alsa-project.org (www.alsa-project.org)... 77.48.224.243
>>>>     Connecting to www.alsa-project.org (www.alsa-project.org)|77.48.224.243|:443... connected.
>>>>     ERROR: The certificate of ‘www.alsa-project.org’ is not trusted.
>>>>     ERROR: The certificate of ‘www.alsa-project.org’ hasn't got a known issuer.

[…]

> You're right. It should be fixed now. Thank you for your notice.

Thank you for improving the situation so quickly.


Kind regards,

Paul


PS: As a side note, it looks like browsers (at least Chromium) are
going to start deprecating old TLS versions soon. The Web server
probably also needs to be updated to support at least TLS 1.2.
Currently TLS 1.0 seems to be the highest supported version.

    $ curl -I --tlsv1.2 https://www.alsa-project.org/
    curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol


[-- Attachment #1.2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5174 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]