
I have a gitlab community edition hosted on a server, and when using curl on this server to fetch this local gitlab website, I get an expired certificate error even if the dates are valid:

curl --insecure -vvI https://gitlab.mysite.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
* Server certificate:
*  subject: CN=gitlab.mysite.com
*  start date: Nov 12 14:36:12 2021 GMT
*  expire date: Feb 10 14:36:11 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: certificate has expired (10), continuing anyway.

But I don't get this expired certificate error when loading the site from a browser, or when using curl on another server. The error only appears when using curl locally, on the server hosting the gitlab ce instance.

This is the result when using curl on another server:

* Server certificate:
*  subject: CN=gitlab.mysite.com
*  start date: Nov 12 14:36:12 2021 GMT
*  expire date: Feb 10 14:36:11 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

Is it possible that there is an issue because the curl is resolving to a local website (resolved ip = 127.0.1.1)?

tio oit
  • The problem might be with an old Let's Encrypt root certificate, rather than the actual server certificate. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ – Bob Nov 15 '21 at 11:58
  • I used OpenSSL to get more info, and this is what I get : openssl s_client -showcerts -connect gitlab.mysite.com:443 – tio oit Nov 15 '21 at 13:03
  • @tiooit what OS and version are you using? What version of curl? What version of SSL is curl using (if you are running Linux, you can find out by doing "sh$ readelf -d `which curl`" and looking for the entry containing libssl)? – Raul Benet Nov 15 '21 at 13:21
  • Sorry, formatting mangled the `readelf` command in the comment above - let's see if I get it right this time: ```sh$ readelf -d `which curl` ``` – Raul Benet Nov 15 '21 at 13:28
  • The server is running a `Debian 9.13`, with `curl 7.52.1`, but the `readelf` command does not show any libssl data – tio oit Nov 15 '21 at 15:58
  • It turns out that in Debian 9.3 (and possibly many others) `curl` first depends on `libcurl`, which in turn depends on `libssl`. Hence why you got no libssl data when issuing readelf. Checking on the Debian 9.3 repository, it shows that `curl` is ultimately using OpenSSL 1.0.2d (this can be independent of your `openssl` package installation). And hence, you are very likely affected by the issue mentioned in my answer. – Raul Benet Nov 15 '21 at 16:44
  • In fact your question is probably a duplicate of https://serverfault.com/q/1079199/473319 and I would first try the following answer: https://serverfault.com/a/1080278/473319 – Raul Benet Nov 15 '21 at 16:48
  • You are absolutely right! Applying the mentioned answer's fix did resolve the issue, thank you :) – tio oit Nov 15 '21 at 17:11

1 Answer

I had those symptoms (works in a browser, fails with curl) on my Ubuntu 16.04 machine, curl 7.47.0.

In my case, the issue was indeed triggered by the expired Let's Encrypt root certificate (as mentioned by Bob), but actually caused by a bug in OpenSSL's handling of multi-path certificate trees.

Ubuntu 16.04

This issue in OpenSSL has been patched in version 1.0.2g-1ubuntu4.20 (latest as of today) of the package for Ubuntu 16.04 (see changelog here).

If you are on Ubuntu 16.04, try updating OpenSSL to the latest version. If you are on another system, check your version of OpenSSL. Versions prior to 1.1.x have the issue and require "patching" (as done for the Ubuntu distro mentioned above). If you cannot move to an OpenSSL version with a fix, then you can resort to disabling the certificate causing the issue. How to disable the certificate will vary depending on your OS/distribution.

Debian 9.3

(updated answer - once OP identified the OS as Debian 9.3)
It seems that for Debian 9.3 this would be a duplicate question (I don't have enough privileges to mark it as such).
Client on Debian 9 erroneously reports expired certificate for letsencrypt-issued domain
And OP had success applying this answer (which is equivalent to my suggestion above for Ubuntu 16.04):
https://serverfault.com/a/1080278/473319

More information

The following page can provide more background information and pointers to better understand the issue: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

Raul Benet
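The diagnostic the question and answer walk through by hand, as an added example (not code from the question, the answer, or the linked threads): compare the leaf certificate's own validity window, as curl prints it, against the moment of the check, so that a "certificate has expired" verdict on a leaf that is still inside its window is recognised as a chain or local-trust-store problem rather than a leaf problem; then read the chain listing from `openssl s_client -showcerts` to see which anchor the server's chain ends at. The curl block is copied from the question; the s_client chain text is a constructed sample laid out the way OpenSSL 1.1.x prints it (1.0.2 prints `s:/CN=...` instead) and shaped like the cross-signed Let's Encrypt chain ending at DST Root CA X3 that the linked Let's Encrypt page describes. Function names and the result labels are my own.

```python
import re
import ssl
from datetime import datetime, timezone

# Copied from the question: the "Server certificate" block curl -v printed on
# the GitLab host itself (the verify line is curl's verdict, not a cert field).
CURL_LOCAL = """\
* Server certificate:
*  subject: CN=gitlab.mysite.com
*  start date: Nov 12 14:36:12 2021 GMT
*  expire date: Feb 10 14:36:11 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: certificate has expired (10), continuing anyway.
"""

# Copied from the question: the same check run from another machine.
CURL_REMOTE = CURL_LOCAL.replace(
    "verify result: certificate has expired (10), continuing anyway.", "verify ok.")

# Constructed sample of the chain headers `openssl s_client -showcerts` prints
# (OpenSSL 1.1.x layout); depth 2 is the cross-signed ISRG Root X1, whose
# issuer DST Root CA X3 is the anchor an old path builder insists on finding.
SCLIENT_CHAIN = """\
Certificate chain
 0 s:CN = gitlab.mysite.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""


def parse_curl_cert_block(text):
    """Pull subject, dates, issuer and curl's verify verdict out of the block."""
    fields = {}
    for key in ("subject", "start date", "expire date", "issuer"):
        m = re.search(r"^\*\s+%s:\s*(.+)$" % re.escape(key), text, re.M)
        if m:
            fields[key] = m.group(1).strip()
    m = re.search(r"^\*\s+SSL certificate verify (ok|result: .+?)\.?$", text, re.M)
    fields["verify"] = m.group(1).strip() if m else ""
    return fields


def leaf_status(fields, now):
    """Where a UTC-aware `now` falls relative to the leaf's own validity window.
    ssl.cert_time_to_seconds understands curl's "Nov 12 14:36:12 2021 GMT" format."""
    start = ssl.cert_time_to_seconds(fields["start date"])
    end = ssl.cert_time_to_seconds(fields["expire date"])
    ts = now.timestamp()
    if ts < start:
        return "not yet valid"
    if ts > end:
        return "expired"
    return "valid"


def diagnose(curl_text, now):
    """Classify curl's verdict: a leaf that is inside its window yet reported
    as expired points at the chain or the local trust store, not the leaf."""
    fields = parse_curl_cert_block(curl_text)
    status = leaf_status(fields, now)
    verify = fields["verify"]
    if status != "valid":
        return "leaf-" + status.replace(" ", "-")
    if verify == "ok":
        return "ok"
    if "expired" in verify:
        return "chain-or-trust-store"
    return "other: " + verify


def parse_chain(text):
    """Return [(depth, subject, issuer)] from s_client's 'Certificate chain' listing."""
    chain, lines = [], text.splitlines()
    for idx, line in enumerate(lines):
        m = re.match(r"^\s*(\d+)\s+s:(.+)$", line)
        if m and idx + 1 < len(lines):
            i = re.match(r"^\s*i:(.+)$", lines[idx + 1])
            chain.append((int(m.group(1)), m.group(2).strip(), i.group(1).strip() if i else ""))
    return chain


def trust_anchor_name(chain):
    """Issuer of the last certificate the server sent: the anchor the client's
    local store must supply (and must still accept) for the chain to verify."""
    return chain[-1][2] if chain else ""


if __name__ == "__main__":
    asked = datetime(2021, 11, 15, 12, 0, tzinfo=timezone.utc)  # date of the question
    print("local host :", diagnose(CURL_LOCAL, asked))
    print("other host :", diagnose(CURL_REMOTE, asked))
    print("anchor     :", trust_anchor_name(parse_chain(SCLIENT_CHAIN)))
```

Run against the question's two curl captures on the day it was asked, the local result classifies as "chain-or-trust-store" and the remote one as "ok", which is exactly the split that points at the local OpenSSL build and its root store rather than at the Let's Encrypt leaf; the chain parser then shows the anchor that build is trying to reach. Swap in a check date after Feb 10 2022 and the same capture correctly reports "leaf-expired" instead.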
  • Thank you for your suggestions. I checked the OpenSSL version and it is 1.1.0l, so it should not be impacted by the bug you are referring to. I also recently renewed the certificate but it is still not working when calling the website from the server hosting it. – tio oit Nov 15 '21 at 13:12
  • Ubuntu 16.04 is EOL. Please upgrade your server to a maintained version. – Paul Nov 15 '21 at 14:17
  • For everyone looking for the solution, Raul Benet gave the solution in a comment in my question – tio oit Nov 15 '21 at 17:13
  • To make it more clear, I have enhanced the answer. @tiooit please accept it again, so it is marked as answered. Thx. – Raul Benet Nov 15 '21 at 17:41