Submitted by bdabelow on Sun, 09/02/2018 - 15:57
Hi all,
the 149.28.242.101 replica of software.virtualmin.com seems to have an invalid/incomplete cert chain.
This intermittently (not always) manifests itself as:
$ apt-get update
Hit:1 ftp://ftp.someinternalhost.net/pub/linux/ubuntu bionic InRelease
Hit:2 ftp://ftp.someinternalhost.net/pub/linux/ubuntu bionic-updates InRelease
Get:3 ftp://ftp.someinternalhost.net/pub/linux/ubuntu bionic-security InRelease [83.2 kB]
Ign:4 https://software.virtualmin.com/vm/6/apt virtualmin-bionic InRelease
Ign:5 https://software.virtualmin.com/vm/6/apt virtualmin-universal InRelease
Err:6 https://software.virtualmin.com/vm/6/apt virtualmin-bionic Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 149.28.242.101 443]
Err:7 https://software.virtualmin.com/vm/6/apt virtualmin-universal Release
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 149.28.242.101 443]
Reading package lists... Done
E: The repository 'https://software.virtualmin.com/vm/6/apt virtualmin-bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://software.virtualmin.com/vm/6/apt virtualmin-universal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Looking closer, something seems rotten on 149.28.242.101:
$ openssl s_client -servername software.virtualmin.com -connect 149.28.242.101:443
CONNECTED(00000003)
depth=0 CN = software2.virtualmin.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = software2.virtualmin.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=software2.virtualmin.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Whereas 163.172.162.254 is fine:
$ openssl s_client -servername software.virtualmin.com -connect 163.172.162.254:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = software2.virtualmin.com
verify return:1
---
Certificate chain
0 s:/CN=software2.virtualmin.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Thanks
Status:
Closed (fixed)
Comments
Submitted by andreychek on Sun, 09/02/2018 - 16:19 Comment #1
Howdy -- thanks for pointing this out!
I've shared this with Joe, he will take a closer look.
Thanks for the heads up. I'm digging into it now.
Weirdly, both hosts work for me in all of my browsers and with wget from my machine...but, enough people have reported it that I guess there must be something wrong. So I'm looking deeper.
Argh! I'm an idiot. I left out the SSLCACertificateFile setting on the new server. Should be fixed now.
Thanks again for the heads up.
Submitted by IssueBot on Sun, 09/16/2018 - 17:30 Comment #4
Automatically closed - issue fixed for 2 weeks with no activity.
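A way to run the check from the report against every address behind a round-robin hostname, so that one replica missing its intermediate certificate is caught even when the others are fine. This is an added example, not part of the original thread; the function names `chain_status` and `check_replicas` are hypothetical, and treating a single-certificate chain as incomplete is an assumption that holds for Let's Encrypt style leaf certificates issued by an intermediate.

```shell
#!/bin/sh
# Added example: flag replicas that do not send their intermediate certificate.

# chain_status: read `openssl s_client` output on stdin and classify the
# chain the server presented. Prints one of: ok, incomplete, unknown.
chain_status() {
  awk '
    /^depth=/ { depth = $1 }                    # remember which cert is being verified
    # num=20/21 at depth 0 means the issuer of the leaf itself was not found,
    # i.e. the server did not send the intermediate.
    /^verify error:num=(20|21):/ && depth == "depth=0" { verr = 1 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { certs++ }      # one "N s:<subject>" line per cert sent
    END {
      if (certs == 0)             print "unknown"
      else if (verr || certs < 2) print "incomplete"
      else                        print "ok"
    }'
}

# check_replicas HOST [PORT]: test every IPv4 address HOST resolves to,
# sending HOST as SNI, and print "<ip><TAB><status>" per address.
check_replicas() {
  host=$1
  port=${2:-443}
  for ip in $(getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u); do
    status=$(openssl s_client -servername "$host" -connect "$ip:$port" \
               </dev/null 2>&1 | chain_status)
    printf '%s\t%s\n' "$ip" "$status"
  done
}

# Run as: sh check_chain.sh software.virtualmin.com
if [ -n "${1:-}" ]; then
  check_replicas "$@"
fi
```

Browsers often fetch or cache a missing intermediate on their own, while apt's TLS stack does not, so a replica can report `incomplete` here and still load in a browser.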