think tank forum

technology » misc questions

lucas's avatar
2 months ago
link
lucas
i ❤ demo
this baffles me. any idea why it might think it's expired? maybe the CA cert on on the system is expired? how can i check this and update it?

thanks!

lucas@www:~/web/pma$ curl -vvI https://files.phpmyadmin.net/phpMyAdmin/5.2.0 … ish.tar.gz
* Hostname was NOT found in DNS cache
* Trying 89.187.187.20...
* Connected to files.phpmyadmin.net (89.187.187.20) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

bluet's avatar
2 months ago
link
bluet
when i connect with openssl, it uses "DST Root CA X3" for the root:

$ openssl s_client -connect files.phpmyadmin.net:443 -servername files.phpmyadmin.net </dev/null 2>/dev/null | grep -A6 chain
Certificate chain
0 s:CN = 1560827080.rsc.cdn77.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
~ $ openssl x509 -text -noout </etc/ssl/certs/DST_Root_CA_X3.pem | grep CN
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Subject: O = Digital Signature Trust Co., CN = DST Root CA X3

i have a root certificate installed for them:

$ openssl x509 -text -noout </etc/ssl/certs/DST_Root_CA_X3.pem | grep CN
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Subject: O = Digital Signature Trust Co., CN = DST Root CA X3

it came with the ca-certificates package on my debian installation:

$ ls -la /etc/ssl/certs/DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 53 Feb 2 2022 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
$ dpkg -S /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
ca-certificates: /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
bluet's avatar
2 months ago
link
bluet
it's a different host than the one you hit, though:

$ host files.phpmyadmin.net files.phpmyadmin.net is an alias for 1560827080.rsc.cdn77.org.
1560827080.rsc.cdn77.org has address 185.76.9.21
1560827080.rsc.cdn77.org has address 185.76.9.15
1560827080.rsc.cdn77.org has IPv6 address 2a02:6ea0:c500::4
1560827080.rsc.cdn77.org has IPv6 address 2a02:6ea0:c500::3
lucas's avatar
1 month ago
link
lucas
i ❤ demo

lucas@www:~$ openssl s_client -connect files.phpmyadmin.net:443 -servername file s.phpmyadmin.net </dev/null 2>/dev/null | grep -A6 chain
Certificate chain
0 s:/CN=1560827080.rsc.cdn77.org
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
lucas@www:~$ openssl x509 -text -noout </etc/ssl/certs/DST_Root_CA_X3.pem | grep CN
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
lucas@www:~$ host files.phpmyadmin.net files.phpmyadmin.net is an alias for 1560827080.rsc.cdn77.org.
1560827080.rsc.cdn77.org has address 89.187.187.19
1560827080.rsc.cdn77.org has address 89.187.187.12
1560827080.rsc.cdn77.org has address 89.187.187.14
1560827080.rsc.cdn77.org has IPv6 address 2a02:6ea0:c800::7
1560827080.rsc.cdn77.org has IPv6 address 2a02:6ea0:c800::8
1560827080.rsc.cdn77.org has IPv6 address 2a02:6ea0:c800::6



hrm i have the same certificates as you.

and if i contact the hosts that you were offered, i get the same problem:

lucas@www:~$ curl -vvI https://185.76.9.15/phpMyAdmin/5.2.0/phpMyAdm … ish.tar.gz
* Hostname was NOT found in DNS cache
* Trying 185.76.9.15...
* Connected to 185.76.9.15 (185.76.9.15) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
lucas@www:~$ curl -vvI https://185.76.9.21/phpMyAdmin/5.2.0/phpMyAdm … ish.tar.gz
* Hostname was NOT found in DNS cache
* Trying 185.76.9.21...
* Connected to 185.76.9.21 (185.76.9.21) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
lucas@www:~$



this works for you without a problem?
bluet's avatar
1 month ago
link
bluet
not exactly:

$ curl --no-progress-meter https://185.76.9.21/phpMyAdmin/5.2.0/phpMyAdm … ish.tar.gz
curl: (60) SSL: no alternative certificate subject name matches target host name '185.76.9.21'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

but this does:

$ curl -s --resolve files.phpmyadmin.net:443:185.76.9.21 https://files.phpmyadmin.net/phpMyAdmin/5.2.0 … ish.tar.gz >php.tgz
$ ls -l php.tgz
-rw------- 1 mastensg mastensg 7,731,513 Oct 4 22:39 php.tgz
$ sha1sum php.tgz
8ab812f4208c4e331ba6e7fd57c9957bc9050647 php.tgz