This knowledge was brought to you by Guru.
What does one do when an API website does not provide the full SSL certificate chain?
This info applies to a default Docker-installed XIBO on Debian 10.
When trying to create a new Data Set obtained from some https API, I stumbled upon this error:
Unable to reach Forecast API: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
The fun part was that all modern browsers had no problems with the connection, as they already contained the missing chain elements.
Trying with curl from various machines yielded:
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
A quick duckduckgo search pointed me to the official proposed solution, which was of no help.
So we needed a little bit of shell-fu to complete the chain.
On the host machine, obtain the missing parts of the certificate chain; in my case it was a GoDaddy certificate, so I used those.
Everything in this folder with a .crt suffix will be included in the system trust store when we run update-ca-certificates.
cd /usr/local/share/ca-certificates
Download stuff:
wget https://ssl-ccp.godaddy.com/repository/gdroot-g2.crt
wget https://ssl-ccp.godaddy.com/repository/gdig2.crt.pem
Rename all files to use the *.crt suffix:
mv gdig2.crt.pem gdig2.crt
Update the system certificates (basically this updates /etc/ssl):
update-ca-certificates
Unfortunately, fixing the host's certificate chain is not enough; we need to do the same thing inside the Docker container.
Copy the same files to the docker container:
docker cp gdroot-g2.crt xibo_cms-web_1:/usr/local/share/ca-certificates/
docker cp gdig2.crt xibo_cms-web_1:/usr/local/share/ca-certificates/
Drop to docker container shell:
docker exec -it xibo_cms-web_1 bash
Update certificates of docker container:
update-ca-certificates
Exit docker container:
exit
Finally restart the container:
docker restart xibo_cms-web_1
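The steps above assume you already know which certificate the server left out. As an added example, not code from the original post, here is a small POSIX shell helper that reads `openssl s_client -showcerts` output and prints the issuer of the last certificate the server sent, which is the one your local trust store must already contain; the two sample outputs are constructed and api.example.com is a placeholder.

```shell
# chain_tail_issuer: read `openssl s_client -showcerts` output on stdin and print
# the issuer of the LAST certificate the server sent. That issuer must already be
# in the local trust store (/etc/ssl/certs); if it is an intermediate rather than
# a root, the server's chain is incomplete and that is the file to add.
chain_tail_issuer() {
  awk '
    /^Certificate chain/      { inchain = 1; next }
    inchain && $0 == "---"    { inchain = 0 }
    inchain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
    END {
      if (n == 0) { print "no certificate chain found"; exit 1 }
      # each issuer must be the subject of the next certificate the server sent
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) {
          print "gap after cert " (k - 1) ": issuer not sent: " iss[k]; exit 2
        }
      print iss[n]
    }'
}

# Constructed sample (not real output): the server sends only its leaf
# certificate, the situation that produced "cURL error 60" in this post.
SAMPLE_LEAF_ONLY='depth=0 CN = api.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = api.example.com
   i:O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certificate Authority - G2
---
Server certificate'

# Constructed sample: the same server configured to send its intermediate too.
SAMPLE_FULL_CHAIN='---
Certificate chain
 0 s:CN = api.example.com
   i:O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certificate Authority - G2
 1 s:O = "GoDaddy.com, Inc.", CN = Go Daddy Secure Certificate Authority - G2
   i:O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
---
Server certificate'

printf '%s\n' "$SAMPLE_LEAF_ONLY"  | chain_tail_issuer   # intermediate: add it
printf '%s\n' "$SAMPLE_FULL_CHAIN" | chain_tail_issuer   # root: already trusted
```

Against a live host, run `openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null | chain_tail_issuer`; if the printed name is not a root already present in /etc/ssl/certs, that is the certificate to place in /usr/local/share/ca-certificates on the host and in the container, as done above.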