Failed to renew - Problem connecting to server [FreeBSD, curl, SSL cert problem] #596

Closed
opened 2025-12-29 01:27:38 +01:00 by adam · 9 comments

Originally created by @petr-fischer on GitHub (Feb 12, 2023).

In the last months, dehydrated -c on my FreeBSD failed to renew some domain certs.

Is there some problem with root certificates? (But I have them installed, see below).

Should the FreeBSD port maintainer do something?
https://www.freshports.org/security/dehydrated/

Thanks!

Details:

dehydrated -c

# INFO: Using main config file /usr/local/etc/dehydrated/config
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 60)
EXPECTED value GOT EOF

curl -v https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

dehydrated -v

# INFO: Using main config file /usr/local/etc/dehydrated/config
Dehydrated by Lukas Schauer
https://dehydrated.io

Dehydrated version: 0.7.1
GIT-Revision: unknown

OS: FreeBSD 12.4-RELEASE
Used software:
 bash: 5.2.15(0)-release
 curl: 7.87.0
 awk, sed, mktemp, grep, diff: BSD base system versions
 openssl: OpenSSL 1.1.1q-freebsd  5 Jul 2022

uname -a

FreeBSD xxx 12.4-RELEASE FreeBSD 12.4-RELEASE r372781 GENERIC  amd64

pkg info | grep -i cert

ca_root_nss-3.86               Root certificate bundle from the Mozilla Project
adam closed this issue 2025-12-29 01:27:39 +01:00

@einsiedlerkrebs commented on GitHub (Feb 13, 2023):

I experience the same!


@cristianyxen commented on GitHub (Feb 13, 2023):

"CAfile: none" indicates that curl is not using /usr/local/share/certs/ca-root-nss.crt for certificate validation and cert material in /etc is too old to verify. I'm guessing that your curl port was not compiled with the CA_BUNDLE=on option?


@cristianyxen commented on GitHub (Feb 13, 2023):

I'm also guessing /etc/ssl/certs/ is not populated in your setup, you can do that with "certctl rehash"


@einsiedlerkrebs commented on GitHub (Feb 13, 2023):

Works for me. Thanks!


@sadok commented on GitHub (Feb 13, 2023):

portupgrade security/ca_root_nss
-- or --
pkg upgrade security/ca_root_nss

Well, or whatever. Root certificates need to be renewed. Current version - 3.88.1

@petr-fischer commented on GitHub (Feb 14, 2023):

certctl rehash is the solution! Thanks to all!

But IMHO the FreeBSD ca_cert package postinstall section or something should be responsible for rehashing certificates.
Is it appropriate to do something about it (freebsd forums, freebsd bugzilla)? Or is it ok?


@sadok commented on GitHub (Feb 14, 2023):

> Or is it ok?

No. [That](https://github.com/dehydrated-io/dehydrated/issues/902#issuecomment-1427898101) should be enough.

@cristianyxen commented on GitHub (Feb 14, 2023):

> But IMHO the FreeBSD ca_cert package postinstall section or something should be responsible for rehashing certificates. Is it appropriate to do something about it (freebsd forums, freebsd bugzilla)? Or is it ok?

No it shouldn't. Software in the ports either uses the ca_root_nss certificate bundle (/usr/local/share/certs/ca-root-nss.crt) directly or it relies on the truststore of openssl (/etc/ssl/certs) being managed by the admin. For example the curl port has the CA_BUNDLE option for exactly this purpose: deactivate it and rely on the truststore, activate it and rely on ca_root_nss.

certctl is triggered by freebsd-update, so in case of updates to the CA certificates that are provided by FreeBSD itself it is taken care of to have an up-to-date truststore.

So the question, while having nothing to do with dehydrated, is more: why wasn't your /etc/ssl/certs updated by the tools in place, and why isn't your curl port using the ca_root_nss without you knowing?

@kulmosen commented on GitHub (Jan 19, 2024):

Just to chime in for others trying to find a solution for
ERROR: Problem connecting to server (get for https://acme-v02.api.letsencrypt.org/directory; curl returned with 60)
If your host has the wrong time, it will do this also. So check with date to see if your time has drifted or changed completely. In my case, my host had reset its time to "Sat Dec 21 00:26:16 CET 2013" when the correct time is "Fri Jan 19 12:07:07 CET 2024".
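
Worked example, added by the editor; it is not part of any comment above and not dehydrated's own code. It uses the openssl command line to build a throwaway CA and a leaf signed by it (the names "Example Test Root" and acme.example.test are constructed, and the private openssl.cnf exists only so the result does not depend on the system config), then reproduces the two causes this thread settled on: a CApath directory with no hash entries fails with the same "unable to get local issuer certificate" that curl returned, populating it the way `certctl rehash` does makes the chain verify, and evaluating the same chain as of December 2013 (the drifted clock in the comment above) fails again even with the correct CA present. It needs only `openssl` on the PATH and runs offline.

```shell
#!/bin/sh
# Added example, not from the dehydrated project or from this thread's participants.
# Shows OpenSSL's CApath lookup failing on an unhashed directory, succeeding after
# a certctl-style rehash, and failing again when the clock is wrong.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMPTY_CAPATH="$WORK/empty"    # stands in for a never-rehashed /etc/ssl/certs
HASHED_CAPATH="$WORK/certs"   # stands in for /etc/ssl/certs after certctl rehash
mkdir -p "$EMPTY_CAPATH" "$HASHED_CAPATH"
BAD_CLOCK=1387584000          # 2013-12-21 00:00:00 UTC, like the drifted host above

# Private config so the CA really carries CA:TRUE regardless of the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed self-signed root, then a leaf signed by it (both valid for one day).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/openssl.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=acme.example.test" \
  -config "$WORK/openssl.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.crt" >/dev/null 2>&1

# rehash_one DIR CERT: install CERT into DIR under the <subject-hash>.0 name that
# OpenSSL's CApath (by_dir) lookup searches. certctl rehash does this for every
# trusted CA on FreeBSD; without the hash entry the issuer is simply not found.
rehash_one() {
  h=$(openssl x509 -noout -hash -in "$2")
  cp "$2" "$1/$(basename "$2")"
  ln -sf "$(basename "$2")" "$1/$h.0"
}

# verify_leaf DIR [EPOCH]: exit 0 if the leaf chains to a CA found in DIR,
# optionally evaluated as of EPOCH (UNIX time) instead of the wall clock.
# -no-CAfile keeps the default bundle out of the picture so only DIR counts.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -no-CAfile -CApath "$1" -attime "$2" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -CApath "$1" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

rehash_one "$HASHED_CAPATH" "$WORK/ca.crt"

# Walk through the three states discussed in the thread.
echo "unhashed CApath:        $(verify_leaf "$EMPTY_CAPATH" && echo OK || echo 'unable to get local issuer certificate')"
echo "after rehash:           $(verify_leaf "$HASHED_CAPATH" && echo OK || echo FAIL)"
echo "after rehash, in 2013:  $(verify_leaf "$HASHED_CAPATH" "$BAD_CLOCK" && echo OK || echo 'certificate is not yet valid')"
```

Against a real FreeBSD host the same check is `openssl verify -CApath /etc/ssl/certs <chain.pem>`: a missing `<hash>.0` entry for the issuer is exactly what `certctl rehash` creates, and the `CAfile:` / `CApath:` lines in `curl -v` output show which of the two stores curl actually consulted. A wrong system clock produces the same curl exit code 60, so `date` belongs in the triage before touching the trust store.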

Reference: starred/dehydrated#596