indeed,
curl -4 -s https://32.arlm.tyzoid.com/lastsync
and
curl -6 -s https://32.arlm.tyzoid.com/lastsync
return certificate errors. Why does curl use different certs than browsers?
Offline
openssl s_client -connect 32.arlm.tyzoid.com:443
gives:
depth=0 CN = 32.arlm.tyzoid.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = 32.arlm.tyzoid.com
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:CN = 32.arlm.tyzoid.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = 32.arlm.tyzoid.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3722 bytes and written 446 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 69C063560555B2D03DB334AF9321B1C1501AD945A9A80F6F2D00A1B1D448EB2A
Session-ID-ctx:
Master-Key: 2C5F8D96D9CCA5064C2BB7E9B1E76C51162382974FD6BFF56E721C3A53708EE723C3BA964E11ECBA35E1CDAAB104C564
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1608447083
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
This sounds like intermediate certs are missing? Sometimes browsers already have
them built in while other CA chains do not yet. I think this is the case here.
See also:
https://www.sslshopper.com/ssl-checker. … tyzoid.com
Offline
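Added example, not part of the original thread: in the chain printed above, certificate 0 names R3 as its issuer, while the subject of certificate 1 is Let's Encrypt Authority X3. The hypothetical helper `chain_gaps` below reads `openssl s_client` output and reports such breaks by comparing names only (it does not verify signatures); the sample input is the "Certificate chain" section copied from the output above.

```shell
#!/bin/sh
# Added example (not from the thread). chain_gaps is a hypothetical helper.
# It reads `openssl s_client` output on stdin and checks that the issuer of
# each certificate the server sent equals the subject of the next one.
# Names are compared as strings; signatures are not verified.
chain_gaps() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        !in_chain            { next }
        # Subject line, e.g. " 0 s:CN = host": starts a new certificate.
        match($0, /^ *[0-9]+ +s:/) {
            subject = substr($0, RLENGTH + 1)
            if (n > 0 && subject != issuer) {
                printf "gap: cert %d issuer [%s] != cert %d subject [%s]\n", n - 1, issuer, n, subject
                bad = 1
            }
            n++
            next
        }
        # Issuer line, e.g. "   i:CN = R3": remember it for the next subject.
        match($0, /^ *i:/) { issuer = substr($0, RLENGTH + 1) }
        END { exit bad + 0 }
    '
}

# Chain section as shown in the s_client output earlier in this thread.
sample_chain() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = 32.arlm.tyzoid.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Live use: openssl s_client -connect 32.arlm.tyzoid.com:443 </dev/null 2>/dev/null | chain_gaps
if sample_chain | chain_gaps; then
    echo "every issuer matches the next subject"
else
    echo "chain sent by the server does not link up"
fi
```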
You can at the very least run curl with the -k option to disable cert checks.
Architecture: pentium4, Testing repos: Yes, Hardware: EeePC 901+2GB RAM+OS half on the SD card.
Offline
You can at the very least run curl with the -k option to disable cert checks.
This is not what we want: IIRC, pacman also uses curl to download stuff - and the status page should not assume the mirror is ok if there is actually something wrong with its certificate.
We should notify tyzoid of his broken mirror.
Offline