linux.dell.com invalid certificate
Starting with the latest certificate renewal on 2024-11-07, linux.dell.com is not accessible using apt, yum or curl due to certificate authentication issues.
yum error message:
```
Errors during downloading metadata for repository 'dell-system-update_independent':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://linux.dell.com/repo/hardware/dsu/os_independent/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
Error: Failed to download metadata for repo 'dell-system-update_independent': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
```
apt error message:
```
Err:7 https://linux.dell.com/repo/community/openmanage/10100/focal focal Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification. [IP: 143.166.156.113 443]
```
curl error message:
```
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Using openssl s_client results in this issue:
```
root@836a144d28a6:/# openssl s_client -connect linux.dell.com:443 < /dev/null
CONNECTED(00000003)
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., CN = linux.dell.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., CN = linux.dell.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., CN = linux.dell.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., CN = linux.dell.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 7 00:00:00 2024 GMT; NotAfter: Dec 8 23:59:59 2025 GMT
---
Server certificate
subject=C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., CN = linux.dell.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2544 bytes and written 442 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FE940F8EB47281EF17D89A2269584A2A31C3CE3375E43BED1333A40E7AC9F1F7
    Session-ID-ctx:
    Master-Key: 01F77129C6D568CD3EAEE3958F9C45EB6B18C75AAAAEEABF851DA1C0AA07A9B6FDB66D51621EA9ECD904EEBA0F37CFA0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1731234398
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
DONE
```
I have checked, and in all my tests DigiCert Global Root G2 is found in my root CAs and the ca-certificates package is up to date.
I suspect there's an issue with the certificate installation on the server and the server is missing the issuer chain files.
It is somehow securely accessible using the Chrome browser.
I think Chrome uses its built-in copy of DigiCert Global Root G2, and the normal Linux tools which rely on OpenSSL expect the certificate to be available as the server response and only then corroborate the CA to certificates in `/etc/ssl/certs`.
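The symptom reported in the post above (a single certificate in the "Certificate chain" section together with verify code 20 or 21) can be checked mechanically, for example from a repository-mirror health check. The following is an added example, not part of the thread: `classify_chain` and the `sample_*` functions are hypothetical names, and the sample outputs are constructed from the subject and issuer lines quoted in the post.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. classify_chain and the sample_*
# functions are hypothetical names; the sample text is constructed.

# Reads `openssl s_client` output on stdin and prints one of:
#   ok | incomplete-chain | untrusted-issuer | other:<code>
classify_chain() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---$/        { in_chain = 0 }   # section separator ends the chain list
    in_chain && /^ *[0-9]+ s:/ { sent++ }         # one "N s:" line per certificate sent
    /Verify return code:/      { code = $4 + 0; seen = 1 }
    END {
      if (!seen)                                        print "other:none"
      else if (code == 0)                               print "ok"
      else if ((code == 20 || code == 21) && sent == 1) print "incomplete-chain"
      else if (code == 19 || code == 20)                print "untrusted-issuer"
      else                                              print "other:" code
    }'
}

# Constructed sample: server sends only the leaf, as in the post.
sample_leaf_only() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., CN = linux.dell.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
Server certificate
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: server sends leaf plus intermediate.
sample_full_chain() {
  cat <<'EOF'
---
Certificate chain
 0 s:C = US, ST = Texas, L = Round Rock, O = Dell Technologies Inc., CN = linux.dell.com
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
    Verify return code: 0 (ok)
EOF
}
# Live use:
# openssl s_client -connect linux.dell.com:443 -servername linux.dell.com </dev/null 2>/dev/null | classify_chain
```

An `incomplete-chain` result points at the server configuration rather than the client trust store, which matches a root that is present locally while verification still fails.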
DELL-Joey C
Moderator
November 11th, 2024 07:37
Hi,
Thanks for letting us know of the issue. I had my co-worker check the issue, and he is having an issue with the certificate also. I have already emailed the server admin to check on the issue. I don't have an ETA on the fix.
DELL-Marco B
Moderator
November 11th, 2024 21:00
Hello,
I confirm it is solved now.
Thanks
Elad Soffer
1 Rookie
November 11th, 2024 08:20
@DELL-Joey C Thank you for escalating. I'll keep monitoring.
odenbach
1 Rookie
November 11th, 2024 10:02
@DELL-Joey C It has become worse - now the webserver at https://linux.dell.com does not deliver any content at all. The intermediate certificate is also still missing.
odenbach
1 Rookie
November 11th, 2024 14:35
Looks good now. The server certificate has been replaced once again and now the server also delivers the whole chain.
Elad Soffer
1 Rookie
November 11th, 2024 15:58
@DELL-Joey C Can you please confirm handling of the issue is complete?