CREATIVE CHAOS blog

XIBO DataSet SSL Problems

PUBLISHED ON 12/09/2019 — EDITED ON 11/12/2023 — SYSOPS

This knowledge was brought to you by Guru.

Intro

What does one do when an HTTPS API does not serve its full TLS certificate chain?

This applies to a default Docker-based Xibo CMS installation on Debian 10.

The error

When creating a new DataSet fed from an HTTPS API, I stumbled upon this error:

Unable to reach Forecast API: cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

The fun part was that all modern browsers connected without complaint, because they already carry the missing intermediate certificates in their own stores; curl and PHP inside the CMS only have the system CA bundle, which contains root certificates, not intermediates.

Trying with curl in verbose mode (curl -v) from various machines yielded:

* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

A quick DuckDuckGo search pointed me to the officially proposed solution, which was of no help.

The proper fix belongs on the API operator's side (the server should send the intermediate certificate along with its leaf). Until that happens, a little shell fu is needed to complete the chain locally.

Solution

On the host machine, obtain the missing parts of the certificate chain. In my case the API's certificate was issued by GoDaddy, so I used their certificates. Before trusting anything, confirm which issuer the server actually presents (openssl s_client -showcerts -connect host:443 -servername host), fetch the intermediate only from the CA's own repository, and compare its fingerprint (openssl x509 -in file -noout -fingerprint -sha256) with what the CA publishes: any .crt dropped into this directory becomes a trust anchor for the whole system. The GoDaddy G2 root is normally already present in Debian's ca-certificates package; the piece that is actually missing is the intermediate (gdig2).

Every PEM-encoded file with a .crt suffix in this directory is added to the system trust store when update-ca-certificates runs (the suffix matters, and so does the encoding: a DER file with a .crt name is silently skipped).

cd /usr/local/share/ca-certificates

Download the certificates:

wget https://ssl-ccp.godaddy.com/repository/gdroot-g2.crt
wget https://ssl-ccp.godaddy.com/repository/gdig2.crt.pem

Rename so that every file ends in .crt:

mv gdig2.crt.pem gdig2.crt

Update the system certificates (this regenerates the symlinks in /etc/ssl/certs and the bundle /etc/ssl/certs/ca-certificates.crt that curl and PHP read):

update-ca-certificates

Unfortunately, fixing the host's trust store is not enough: the CMS runs in a container with its own CA bundle, so the same thing has to be done inside the Docker container.

Copy the same files to the docker container:

docker cp gdroot-g2.crt xibo_cms-web_1:/usr/local/share/ca-certificates/
docker cp gdig2.crt xibo_cms-web_1:/usr/local/share/ca-certificates/

Drop to docker container shell:

docker exec -it xibo_cms-web_1 bash

Update certificates of docker container:

update-ca-certificates

Exit docker container:

exit

Finally restart the container so the running PHP processes pick up the new bundle:

docker restart xibo_cms-web_1

Note that files copied in with docker cp live only in the container's writable layer. A docker restart keeps them, but if the container is recreated (for example docker-compose up -d after an image update) they are gone and the steps above have to be repeated; bind-mounting the .crt files into /usr/local/share/ca-certificates and running update-ca-certificates on start is the durable alternative.
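As an added example (not code from the original post or from Xibo), the following script reproduces the failure offline: it generates a throwaway root -> intermediate -> leaf hierarchy with the openssl CLI, then runs openssl verify three times. The first run mirrors what the CMS saw (only the leaf presented, only the root trusted) and fails with "unable to get local issuer certificate"; the second supplies the intermediate as untrusted chain material, which is what a correctly configured server sends; the third puts the intermediate into the trust store, which is what the update-ca-certificates workaround above does. The subject names, api.example.test and the WORK directory are all constructed for the demo.

```bash
#!/usr/bin/env sh
# Added example, not code from the original post or from Xibo: reproduce the
# "unable to get local issuer certificate" failure offline with a throwaway
# root -> intermediate -> leaf hierarchy, then show the two ways it goes away.
# Requires the openssl CLI (1.1.1 or 3.x). All names below are constructed.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Issue a certificate from a CSR with the given extensions, signed by a CA cert/key.
sign_cert() {
  # $1 csr  $2 extension file  $3 CA cert  $4 CA key  $5 output cert
  openssl x509 -req -sha256 -days 2 -in "$1" -extfile "$2" \
    -CA "$3" -CAkey "$4" -CAcreateserial -out "$5" >/dev/null 2>&1
}

make_chain() {
  [ -f "$WORK/leaf.crt" ] && return 0   # idempotent: generate once per WORK dir
  # Root CA (self-signed): the only thing the client's trust store contains.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root G2" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1
  # Intermediate CA: the piece a misconfigured API server forgets to send.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA G2" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  sign_cert "$WORK/int.csr" "$WORK/int.ext" "$WORK/root.crt" "$WORK/root.key" "$WORK/int.crt" || return 1
  # Leaf (server) certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=api.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > "$WORK/leaf.ext"
  sign_cert "$WORK/leaf.csr" "$WORK/leaf.ext" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.crt"
}

# 1. What the CMS saw: the peer sends only its leaf, the trust store holds only the
#    root. openssl verify fails with "unable to get local issuer certificate".
verify_leaf_root_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# 2. The proper fix: the server sends the intermediate alongside the leaf. The client
#    treats it as untrusted chain material and can now build a path to the root.
verify_leaf_with_served_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# 3. The workaround from the post: the intermediate is placed in the trust store
#    itself, which is what update-ca-certificates does with the .crt files in
#    /usr/local/share/ca-certificates.
verify_leaf_with_trusted_intermediate() {
  cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/ca-bundle.crt"
  openssl verify -CAfile "$WORK/ca-bundle.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

report() {
  # $1 label, $2 function to run
  if "$2"; then echo "$1: verify OK"; else echo "$1: verify FAILED"; fi
}

make_chain || { echo "could not generate the test hierarchy (is openssl installed?)"; exit 1; }
report "root only, leaf alone (as the CMS saw it)" verify_leaf_root_only
report "root trusted, intermediate served by peer" verify_leaf_with_served_intermediate
report "root and intermediate both in trust store" verify_leaf_with_trusted_intermediate
```

Run it as-is; it prints one FAILED line for the first case and OK for the other two. Replace the CAfile arguments with /etc/ssl/certs/ca-certificates.crt and a leaf fetched via openssl s_client -showcerts to check a real endpoint the same way, from the host and from inside the container.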