
I've encountered a bizarre issue where SSL certificate verification is failing on one server, but nowhere else (other servers, my local computer, etc.).

I'm using https://vpnapi.io/. Both the API endpoint and the homepage have the same issue.

Command I'm running:

curl https://vpnapi.io/

The server in question is on Digital Ocean, but I've tried the same command on another Digital Ocean server, a server on another VPS provider, and my own computer. They all work.

Why is it failing on this one server? I'm not sure where to even begin looking.

Is it a problem on the server? A problem with vpnapi.io? A problem with Digital Ocean?

Note: other APIs work from this server.

Edit: Full error message below

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Edit: more info

  • I'm aware of the date issue as described by one answer here: Server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none (I checked the date on the system, it is correct)

  • OS is Ubuntu 16.04 (it works on my other Digital Ocean machine which runs Ubuntu 18.04, and on Mac)

  • curl version:

    curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

Astro Boy
  • Please show the exact error you get and not just your interpretation of it. There are many reasons certificate validation might fail on one system but not the other, like different trust stores, different time on system, different IP addresses used to access the system ... Also provide information about the software running on the systems, i.e. which OS, which version of the OS, which version of curl. – Steffen Ullrich Jan 18 '22 at 11:42
  • That is the actual error (in the title), not an interpretation. I've edited the post to show the full error + other info. – Astro Boy Jan 19 '22 at 22:38
  • *"OS is Ubuntu 16.04"* - probably the expired Let's Encrypt certificate then. See https://stackoverflow.com/a/69432920/3081018 on how to tackle the problem. – Steffen Ullrich Jan 19 '22 at 22:50
  • Excellent. This worked. Thank you. – Astro Boy Jan 20 '22 at 04:31

0 Answers