On 9.8.2018 17:22, Leon Meßner wrote:
Hi,
Hi! Thank you for the report. I believe the issue is fixed now.

Ondrej
Lately, Debian 9 has had problems fetching the bird repository here. I suppose this is because bird.network.cz does not send the Let's Encrypt certificate and http redirects to https now. The output of openssl is below [1]. If you run the same command against helloworld.letsencrypt.org, it verifies correctly, I assume because LE's cert is also sent. Using a web browser, bird.network.cz works because of some magic.
Regards, Leon
[1]: openssl s_client -verify 5 -host bird.network.cz -port 443
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
subject=/CN=trubka.network.cz
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2227 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 48FBE690BAB54A4EF0BCF647D3EC40F771EF070B92B2ADA82BBC78495A0E28A9
    Session-ID-ctx:
    Master-Key: 4BF3560B6E3542C49A2E40534746B31AB97C1751C195C6A453B6B3C5687AAD7B48DA17D20FA8D4765BD627095BB0AF93
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1533827231
    Timeout : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
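
Added example, not part of the original messages: a small shell check that reads `openssl s_client` output on stdin and flags the pattern shown in the report, where the server sends a single certificate that is not self-issued and verification ends with code 20 or 21. The function names are hypothetical, the first sample is an excerpt of the output quoted above, and the second sample is constructed with placeholder names.

```shell
#!/bin/sh
# Classify `openssl s_client` output read on stdin (added example).
# Prints: ok | incomplete-chain | other-failure:<code> | no-verify-result
classify_s_client() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        # each "N s:<subject>" line is one certificate the server actually sent
        in_chain && /^ *[0-9]+ s:/ { sent++; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); self = ($0 == subj); next }
        /Verify return code:/      { sub(/.*Verify return code: */, ""); code = $1 + 0; seen = 1 }
        END {
            if (!seen)     { print "no-verify-result"; exit }
            if (code == 0) { print "ok"; exit }
            # 20/21 with a single, non-self-issued certificate: the issuer was
            # neither sent by the server nor found in the local trust store
            if ((code == 20 || code == 21) && sent == 1 && !self) {
                print "incomplete-chain"; exit
            }
            print "other-failure:" code
        }'
}

# Excerpt of the s_client output quoted in the report above
sample_failing() {
cat <<'EOF'
Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: leaf plus intermediate sent, verification succeeds
sample_ok() {
cat <<'EOF'
Certificate chain
 0 s:/CN=www.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
    Verify return code: 0 (ok)
EOF
}

sample_failing | classify_s_client
sample_ok | classify_s_client
```

Against a live server, pipe the output of the command from [1] into `classify_s_client` with stdin of `openssl` redirected from `/dev/null` so the session closes after the handshake.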