SSL certificate problem (curl or python3)

Sergeileduc

Hi guys !

Little question about a problem with SSL, etc...

I'm not even sure it's Solus related, maybe it's the website. I'm not sure where to ask, so...

Question :

I used to have some scripts (bash and python) to work with a website (https://www.casimages.com). I have no problem going to the website with Chrome or Firefox.

But lately, my scripts don't work on Solus anymore. I tried in Ubuntu 20 VM, and it works.

I don't know if the problem comes from the website (deprecated certificate ?) or from Solus repo ?

Chrome tells me the certificate is valid (expires in 2021) :

Here is some details :

Solus

~  eopkg info ca-certs
Paquets installés :
Nom                 : ca-certs, version : 20200513, release : 39
Résumé              : Certificate Authority Files

~  curl https://www.casimages.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

~  curl -vvI https://www.casimages.com
*   Trying 176.31.122.186:443...
* Connected to www.casimages.com (176.31.122.186) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

with python :

~  python3 -m pip list | grep certifi
certifi                  2019.9.11

~  python3
Python 3.7.7 (default, May 15 2020, 23:04:36) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get("https://www.casimages.com")
Traceback (most recent call last):
  File "/home/serge/.local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:
...

Ubuntu

ca-certificates version :

apt show ca-certificates
Package: ca-certificates
Version: 20190110ubuntu1.1

curl https://www.casimages.com

-> works

 ~  curl -vvI https://www.casimages.com
*   Trying 176.31.122.186:443...
* TCP_NODELAY set
* Connected to www.casimages.com (176.31.122.186) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; OU=COMODO SSL Wildcard; CN=*.casimages.com
*  start date: Feb 12 00:00:00 2019 GMT
*  expire date: Apr 12 23:59:59 2021 GMT
*  subjectAltName: host "www.casimages.com" matched cert's "*.casimages.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: www.casimages.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 22 Jun 2020 09:58:01 GMT
Date: Mon, 22 Jun 2020 09:58:01 GMT
< Server: Apache
Server: Apache
< X-Powered-By: PHP/5.3.3
X-Powered-By: PHP/5.3.3
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
Pragma: no-cache
< Set-Cookie: PHPSESSID=ejfsa08cll4cverj258t7s0jb2; path=/
Set-Cookie: PHPSESSID=ejfsa08cll4cverj258t7s0jb2; path=/
< Strict-Transport-Security: max-age=31556926
Strict-Transport-Security: max-age=31556926
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

< 
* Connection #0 to host www.casimages.com left intact

~  python3 -m pip list | grep certifi
certifi                2019.11.28

 ~  python3
Python 3.8.2 (default, Apr 27 2020, 15:53:34) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get("https://www.casimages.com")
>>> print(r.status_code)
200

Conclusion

So, again, not sure if it's Solus fault, or if I bother you for nothing, because it's the website fault, and his certificate is not good. I don't know.

Thanks !

DataDrake

I can't seem to reproduce this on a fully up-to-date system. If you are up-to-date, please run:

sudo usysconf run -f ssl-certs

Sergeileduc

DataDrake

thanks for your help

No luck :

 serge  ~  sudo eopkg upgrade
Mise à jour des dépôts
Mise à jour du dépôt : Solus
eopkg-index.xml.xz.sha1sum     (40.0  B)100%    910.22 KB/s [00:00:00] [fini]
les informations concernant le dépôt Solus sont à jour.
Pas de paquet à mettre à jour.
 serge  ~  sudo usysconf run -f ssl-certs
 [✓] Syncing filesystems                                                success
 [✓] Updating SSL certificates                                          success
 serge  ~  curl https://www.casimages.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

palto42

Maybe related to the issue described on StackExchange, it's about some issue with changes of intermediate signing authority "Sectigo RSA Domain Validation Secure Server CA" also used on your site.

Sergeileduc

Certificate is indeed Sectigo RSA Domain Validation Secure Server CA.

Not sure why Datadrake can't reproduce, though.

palto42

Sergeileduc I could reproduce the issue on my up-to-date Solus.
After reading this post on StackExchange, I fixed the issue by

Delete (or move to backup folder) /etc/ssl/certs/AddTrust_External_Root.pem
sudo usysconf run -f ssl-certs

The second step didn't re-install the AddTrust_External_Root.pem and afterwards curl worked for your website.
I haven't don't further testing if the removal of this CA may cause any negative side effects on other web pages.

Sergeileduc

palto42

Hey mate !

Thanks, cuz it totally worked !

serge  ~  sudo rm /etc/ssl/certs/AddTrust_External_Root.pem
 serge  ~  sudo usysconf run -f ssl-certs
 [✓] Syncing filesystems                                                success
 [✓] Updating SSL certificates                                          success
 serge  ~  curl https://www.casimages.com


<!DOCTYPE html>
<html lang="fr">
	<head lang="fr">

		<!-- Basic -->
		<meta charset="ISO-8859-1">
		<meta http-equiv="X-UA-Compatible" content="IE=edge">	

		<title>H�bergeur d'images professionnel depuis 2005 - Upload image s�curis� </title>

I'll look deeper intoo Pyton certifi before closing it.

But thanks ! Definitly big help.

brent

on my lunch, usa, firefox, budgie, updated:

Can't reproduce.
It's kosher here, with no revoke: https://crt.sh/?id=1197323430&opt=ocsp
Firefox says "Secured, verified by Sectigo,"

palto42 is on to something I think. Uninstall cert then reinstall? Or simple as clear cookies/personal data? And actually there are few solutions at that website that palto linked in his post.

edit: posted after OP solved his/her problem. Congrats, OP!

ender

the previous stackexchange link could be an explanation, they mention that openssl < 1.1.x can't handle that kind of chain validation, and the current version on Solus is 1.0.2u whereas it's on 1.1.1 on Ubuntu > 18. Maybe Datadrake tried it on a solus using unstable, as it seems openssl 1.1.1 is currently being tested ? (https://dev.getsol.us/source/openssl-11/repository/master/)
Can also confirm the same issue on my system.

Sergeileduc

Ok, I will restart my Solus.

curl is fixed, big thanks for that.

Python3 isn't :

 serge  ~  python3
Python 3.7.7 (default, May 15 2020, 23:04:36) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get("https;//www.casimages.com")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.7/site-packages/requests/sessions.py", line 519, in request
    prep = self.prepare_request(req)
  File "/usr/lib/python3.7/site-packages/requests/sessions.py", line 462, in prepare_request
    hooks=merge_hooks(request.hooks, self.hooks),
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 313, in prepare
    self.prepare_url(url, params)
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 387, in prepare_url
    raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL 'https;//www.casimages.com': No schema supplied. Perhaps you meant http://https;//www.casimages.com?

I'll reboot and give you some updates.

ender

(Sergeileduc i think there's a typo in your last script, semi colon instead of colon in url)

Sergeileduc

ender
yeah, sorry about the typo (indeed)

ython3
Python 3.7.7 (default, May 15 2020, 23:04:36) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get("https://www.casimages.com")
Traceback (most recent call last):
  File "/home/serge/.local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

ender

still thinking the problem is the current version of openssl on Solus that should be upgraded, and that any other fix would be quite hacky. The curl command run fine when issued building a dummy package against unstable, which uses openssl 1.1.1

Sergeileduc

OK, after today's update (3 july 2020), everything works.

serge  ~  eopkg info ca-certs | grep Nom
Nom                 : ca-certs, version : 20200627, release : 40
Nom                 : ca-certs, version : 20200627, release : 40
 serge  ~  python3 -m pip list --disable-pip-version-check | grep certifi
certifi                  2019.9.11

And the tests :

 serge  ~  curl -sI https://www.casimages.com
HTTP/1.1 200 OK
Date: Fri, 03 Jul 2020 13:40:27 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=v9n84gqraae03gjimk3qgpomo5; path=/
Strict-Transport-Security: max-age=31556926
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

 serge  ~  python3
Python 3.7.7 (default, Jun 20 2020, 16:26:55) 
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get("https://www.casimages.com")
>>> r.status_code
200

Problem solved !