Summary:
Why is macOS curl able to fetch my letsencrypt service, but other tools/OS aren't able to verify the certificate?
I have a tiny REST service implemented in tornado using letsencrypt certs running on a Ubuntu 18.04 box. I setup my server as such:
sslContext = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
certFile = '/etc/letsencrypt/live/my.server.com/cert.pem'
keyFile = '/etc/letsencrypt/live/my.server.com/privkey.pem'
sslContext.load_cert_chain(certFile, keyFile)
server = tornado.httpserver.HTTPServer(app, ssl_options=sslContext)
When I use curl -v on my MacBookPro, things look good:
curl -v https://my.server.com:8899/rest
* Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=my.server.com
* start date: Jan 26 15:27:27 2019 GMT
* expire date: Apr 26 15:27:27 2019 GMT
* subjectAltName: host "my.server.com" matched cert's "my.server.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
But when I try the same on a different Ubuntu box (2 of them actually, as well as two Debian buster/testing boxes), I get errors:
curl -v https://my.server.com:8899/rest
* Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
My goal was to use the python requests module to query this API, but I haven't been able to make that work anywhere, including the macOS box. Even when I copied the latest cacert.pem from the certifi sources.
The thing to pay attention is these comments in the README file:
fullchain.pem: the certificate file used in most server software.
and
cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).
Bottom line. Use fullchain.pem