Re: Random failures: "unable to get local issuer certificate"

From: <patpro_at_patpro.net>
Date: Wed, 12 Jan 2022 11:05:43 UTC
Hi,

Is that possible that the destination is the culprit?

$ host sh.rustup.rs
sh.rustup.rs is an alias for dks7yomi95k2d.cloudfront.net.
dks7yomi95k2d.cloudfront.net has address 54.192.66.29
dks7yomi95k2d.cloudfront.net has address 54.192.66.52
dks7yomi95k2d.cloudfront.net has address 54.192.66.99
dks7yomi95k2d.cloudfront.net has address 54.192.66.5
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:b200:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5400:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:5e00:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:ee00:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:f600:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:1200:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:a400:0:9a61:7540:93a1
dks7yomi95k2d.cloudfront.net has IPv6 address 2600:9000:2022:2600:0:9a61:7540:93a1

may be (I have not tested) the result is different depending on DNS reply.

patpro

January 12, 2022 11:56 AM, "Axel Rau" <Axel.Rau@chaos1.de> wrote:

> Hi all,
> 
> I’m running the download
> curl https://sh.rustup.rs -sSf | sh
> this works fine, but the rust installer it calls fails on random hosts
> and jails with
> 
> error sending request \
> for url (https://static.rust-lang.org/dist/channel-rust-stable.toml.sha256): \
> error trying to connect: error:1416F086:SSL \
> routines:tls_process_server_certificate:certificate \
> verify failed:ssl/statem/statem_clnt.c:1915: \
> (unable to get local issuer certificate)
> 
> All tested systems/jails are running 12.2p7 and habe identical cert stores,
> kept up-to-date with freebsd-update.
> OpenSSL 1.1.1h-freebsd from base.
> 
> Which knobs are influencing local issuer list?
> Where can I dig to resolve this issue?
> 
> Any help appreciated,
> Axel
> ---
> PGP-Key: CDE74120 ☀ computing @ chaos claudius