One replica of software.virtualmin.com has incomplete cert chain

Hi all,

The 149.28.242.101 replica of software.virtualmin.com seems to have an invalid/incomplete cert chain.

This intermittently (not always) manifests itself as:

$ apt-get update
Hit:1 ftp://ftp.someinternalhost.net/pub/linux/ubuntu bionic InRelease
Hit:2 ftp://ftp.someinternalhost.net/pub/linux/ubuntu bionic-updates InRelease
Get:3 ftp://ftp.someinternalhost.net/pub/linux/ubuntu bionic-security InRelease [83.2 kB]
Ign:4 https://software.virtualmin.com/vm/6/apt virtualmin-bionic InRelease
Ign:5 https://software.virtualmin.com/vm/6/apt virtualmin-universal InRelease
Err:6 https://software.virtualmin.com/vm/6/apt virtualmin-bionic Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 149.28.242.101 443]
Err:7 https://software.virtualmin.com/vm/6/apt virtualmin-universal Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 149.28.242.101 443]
Reading package lists... Done
E: The repository 'https://software.virtualmin.com/vm/6/apt virtualmin-bionic Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://software.virtualmin.com/vm/6/apt virtualmin-universal Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.



Looking closer, something seems rotten on 149.28.242.101:

$ openssl s_client -servername software.virtualmin.com -connect 149.28.242.101:443
CONNECTED(00000003)
depth=0 CN = software2.virtualmin.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = software2.virtualmin.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=software2.virtualmin.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3



Whereas 163.172.162.254 is fine:

$ openssl s_client -servername software.virtualmin.com -connect 163.172.162.254:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = software2.virtualmin.com
verify return:1
---
Certificate chain
0 s:/CN=software2.virtualmin.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Thanks

Status: Closed (fixed)

Comments

Howdy -- thanks for pointing this out!

I've shared this with Joe, he will take a closer look.

Submitted by Joe on Sun, 09/02/2018 - 16:51 Pro Licensee

Thanks for the heads up. I'm digging into it now.

Weirdly, both hosts work for me in all of my browsers and with wget from my machine...but, enough people have reported it that I guess there must be something wrong. So I'm looking deeper.

Submitted by Joe on Sun, 09/02/2018 - 17:11 Pro Licensee

Argh! I'm an idiot. I left out the SSLCACertificateFile setting on the new server. Should be fixed now.

Thanks again for the heads up.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
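
The per-replica check from the original report, automated as an added example (not part of the thread or of Virtualmin's tooling): it parses `openssl s_client` output and flags a replica that sends only the leaf certificate. The function names `assess`, `fetch` and `replicas` are hypothetical, and the two sample transcripts are constructed by trimming the ones quoted in the report.

```python
import re
import socket
import subprocess

# Constructed samples, trimmed from the two s_client transcripts in the report.
BAD = """depth=0 CN = software2.virtualmin.com
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=software2.virtualmin.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
"""
GOOD = """depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
---
Certificate chain
 0 s:/CN=software2.virtualmin.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
# One "N s:<subject>" line followed by its "i:<issuer>" line.
PAIR = re.compile(r"^[ \t]*\d+ s:(.*)\n[ \t]*i:(.*)$", re.M)

def assess(text):
    """Summarise the chain a server sent, as printed by `openssl s_client`."""
    chain = [(s.strip(), i.strip()) for s, i in PAIR.findall(text)]
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", text)})
    # Each certificate's issuer must be the subject of the next one sent.
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    return {
        "sent": len(chain),
        "needs_local": chain[-1][1] if chain else None,  # issuer the client must already hold
        "verify_errors": errors,  # 20/21 depend on the local trust store
        "complete": bool(chain) and linked and not ({20, 21} & set(errors)),
    }

def fetch(ip, sni, port=443):
    """Run the same command as in the report against one replica IP."""
    cmd = ["openssl", "s_client", "-servername", sni, "-connect", f"{ip}:{port}"]
    p = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True, timeout=20)
    return (p.stderr + p.stdout).decode(errors="replace")  # verify lines go to stderr

def replicas(host):
    """Every IPv4 address behind the name, so no replica is skipped by DNS rotation."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for ip in replicas("software.virtualmin.com"):
        print(ip, assess(fetch(ip, "software.virtualmin.com")))
```

On the bad transcript `needs_local` is the Let's Encrypt intermediate, which clients do not normally have in their trust store; on the good one it is the root.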