Although everything works properly for actual (human) users, a coworker has informed me that some of his automated tests are failing with invalid https certificate errors. I checked and, sure enough, it's not just his tests:
$ curl https://ojs.lub.lu.se
curl: (60) SSL certificate problem: unable to get local issuer certificate

$ wget https://ojs.lub.lu.se
--2021-05-20 12:54:48--  https://ojs.lub.lu.se/
Resolving ojs.lub.lu.se (ojs.lub.lu.se)... 130.235.140.198
Connecting to ojs.lub.lu.se (ojs.lub.lu.se)|130.235.140.198|:443... connected.
ERROR: The certificate of ‘ojs.lub.lu.se’ is not trusted.
ERROR: The certificate of ‘ojs.lub.lu.se’ doesn't have a known issuer.

links and lynx both issue similar complaints, and these results are consistent across multiple systems using Debian versions 9, 10, and (the current pre-release version of) 11. ca-certificates is up-to-date on all systems.

Firefox and Chromium, however, both say the certificate is 100% valid, and I am not aware of any users having reported certificate issues with the site.

The cert in question is issued by GEANT eScience SSL CA 4, which in turn is signed by USERTrust RSA Certification Authority. /usr/share/ca-certificates/mozilla does not have any GEANT certs, but there is a USERTrust_RSA_Certification_Authority.crt, so it would appear that it should work properly.

We have... several... servers all with GEANT-based certificates and this behavior is consistent across all those certs. There are also a handful of machines with LetsEncrypt or TERENA certificates which are recognized by all tools; this problem seems limited to those issued by GEANT.

So, the obvious practical question: What do I need to do to get the command-line tools to recognize GEANT certs? curl is the one that really matters, but a solution that fixes them all in one fell swoop would, of course, be ideal.

And the broader question: Why do GUI browsers recognize the certificate, but command-line tools and text-mode browsers do not? Shouldn't they all be looking at the same certificates, as provided by the ca-certificates package?

-- Dave Sherohman
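The curl error above ("unable to get local issuer certificate") is OpenSSL's way of saying it could not build a path from the server's leaf certificate to a root in the trust store, which for a root-signed intermediate such as the one described means the intermediate was neither presented by the server nor available locally. The following script is an added example, not part of the original post; it constructs its own throwaway root, intermediate and leaf with the openssl CLI (the names "Example Root CA", "Example Intermediate CA" and "www.example.test" are constructed placeholders, not the real CAs or host), then verifies the leaf against the root alone and again with the intermediate supplied. It assumes only that the `openssl` command is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed
# root -> intermediate -> leaf chain with the openssl CLI and shows that
# verifying the leaf against the root alone fails with the same
# "unable to get local issuer certificate" error curl reported, while
# verification succeeds once the intermediate is supplied.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# Extensions for CA certificates (root and intermediate) and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

# csr NAME "/CN=..." : writes NAME.key and NAME.csr into $WORK
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_chain() {
  # Root: stands in for a trust-store root (constructed, self-signed).
  csr root "/CN=Example Root CA"
  openssl x509 -req -days 1 -set_serial 1 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate: stands in for the issuing CA (constructed, signed by the root).
  csr int "/CN=Example Intermediate CA"
  openssl x509 -req -days 1 -set_serial 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
    -out "$WORK/int.crt" 2>/dev/null
  # Leaf: the server certificate (constructed placeholder hostname).
  csr leaf "/CN=www.example.test"
  openssl x509 -req -days 1 -set_serial 3 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_leaf [INTERMEDIATE]: trusts only the root; prints "OK" when openssl
# can build a path from the leaf to it, otherwise the verify error text.
verify_leaf() {
  if [ $# -gt 0 ]; then
    out=$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1) && { echo OK; return 0; }
  fi
  # Keep just the reason after "... depth lookup: "
  echo "$out" | sed -n 's/.*lookup: *//p' | head -n 1
  return 1
}

make_chain
echo "root only:          $(verify_leaf || true)"
echo "root + intermediate: $(verify_leaf "$WORK/int.crt" || true)"
```

The first verification prints "unable to get local issuer certificate" and the second prints "OK", even though the trusted root is identical in both runs; the only difference is whether the intermediate is available to the path builder. Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which lists every certificate the server actually sends. OpenSSL-based tools such as curl, wget and lynx use only what the server sends plus the local trust store, whereas browsers can fill a missing intermediate from their own caches or by fetching it, which is a common reason for exactly this split between GUI and command-line results.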