Oidc_util_http_call: curl_easy_perform() failed on

Hi all,

I am building this on a RHEL 9.6 server and using Letsencrypt. I’d welcome any help to resolve this. Steps welcome too. Thx

Permissions of the letsencrypt files used by OOD; you will see apache has access to the privkey2.pem file.

[root@login002 login002.meerkat.mcri.edu.au]# ls -l /etc/letsencrypt/archive/login002.meerkat.mcri.edu.au/*2*
-rw-r--r--. 1 root root   1322 Jul 30 16:35 /etc/letsencrypt/archive/login002.meerkat.mcri.edu.au/cert2.pem
-rw-r--r--. 1 root root   1566 Jul 30 16:35 /etc/letsencrypt/archive/login002.meerkat.mcri.edu.au/chain2.pem
-rw-r--r--. 1 root root   2888 Jul 30 16:35 /etc/letsencrypt/archive/login002.meerkat.mcri.edu.au/fullchain2.pem
-rw-r-----. 1 root apache  227 Jul 30 16:35 /etc/letsencrypt/archive/login002.meerkat.mcri.edu.au/privkey2.pem

OOD Portal config for certs (LetsEncrypt SSL certs in /etc/ood/config/ood_portal.yml):

port: '443'
ssl:
  - 'SSLCertificateFile /etc/letsencrypt/live/login002.meerkat.mcri.edu.au/fullchain.pem'
  - 'SSLCertificateKeyFile /etc/letsencrypt/live/login002.meerkat.mcri.edu.au/privkey.pem'
  - 'SSLCertificateChainFile /etc/letsencrypt/live/login002.meerkat.mcri.edu.au/chain.pem'

SSL Error Log


Web page output:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

[Tue Aug 12 12:33:56.519135 2025] [auth_openidc:error] [pid 18062:tid 18181] [client 172.16.14.13:32908] oidc_util_http_call: curl_easy_perform() failed on: https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration (SSL certificate problem: self-signed certificate in certificate chain)

[Tue Aug 12 12:33:56.519177 2025] [auth_openidc:error] [pid 18062:tid 18181] [client 172.16.14.13:32908] oidc_provider_static_config: could not retrieve metadata from url: https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration


Server log:
172.16.13.33 - - [12/Aug/2025:12:30:59 +1000] "GET /dex/.well-known/openid-configuration HTTP/1.1" 200 1332 "-" "curl/7.76.1"
172.16.14.13 - - [12/Aug/2025:12:32:45 +1000] "GET / HTTP/1.1" 302 238 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
172.16.14.13 - - [12/Aug/2025:12:32:45 +1000] "GET /pun/sys/dashboard HTTP/1.1" 500 527 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
172.16.14.13 - - [12/Aug/2025:12:33:05 +1000] "-" 408 - "-" "-"
172.16.14.13 - - [12/Aug/2025:12:33:53 +1000] "GET / HTTP/1.1" 302 238 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
172.16.14.13 - - [12/Aug/2025:12:33:53 +1000] "GET /pun/sys/dashboard HTTP/1.1" 500 527 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"
172.16.14.13 - - [12/Aug/2025:12:34:14 +1000] "-" 408 - "-" "-"
172.16.13.33 - - [12/Aug/2025:12:44:01 +1000] "GET /dex/.well-known/openid-configuration HTTP/1.1" 200 1332 "-" "curl/7.76.1"
Running curl from the command line on my OOD server

[root@login002 login002.meerkat.mcri.edu.au]# curl https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
{
  "issuer": "https://login002.meerkat.mcri.edu.au/dex",
  "authorization_endpoint": "https://login002.meerkat.mcri.edu.au/dex/auth",
  "token_endpoint": "https://login002.meerkat.mcri.edu.au/dex/token",
  "jwks_uri": "https://login002.meerkat.mcri.edu.au/dex/keys",
  "userinfo_endpoint": "https://login002.meerkat.mcri.edu.au/dex/userinfo",
  "device_authorization_endpoint": "https://login002.meerkat.mcri.edu.au/dex/device/code",
  "introspection_endpoint": "https://login002.meerkat.mcri.edu.au/dex/token/introspect",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:ietf:params:oauth:grant-type:token-exchange"
  ],
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "groups",
    "profile",
    "offline_access"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "iat",
    "exp",
    "email",
    "email_verified",
    "locale",
    "name",
    "preferred_username",
    "at_hash"
  ]
}

And the Cert creation Steps I took:

Steps I took to install the cert:
dnf install certbot python3-certbot-dns-cloudflare
mkdir /root/.secrets/certbot
chmod -R 0700 /root/.secrets/
touch /root/.secrets/certbot/cloudflare.ini
chmod 0400 /root/.secrets/certbot/cloudflare.ini
cd /root/.secrets/certbot
certbot certonly --no-eff-email --agree-tos --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini -m net.support@mcri.edu.au -d login002.meerkat.mcri.edu.au

Result:

# renew_before_expiry = 30 days
version = 3.1.0
archive_dir = /etc/letsencrypt/archive/login002.meerkat.mcri.edu.au
cert = /etc/letsencrypt/live/login002.meerkat.mcri.edu.au/cert.pem
privkey = /etc/letsencrypt/live/login002.meerkat.mcri.edu.au/privkey.pem
chain = /etc/letsencrypt/live/login002.meerkat.mcri.edu.au/chain.pem
fullchain = /etc/letsencrypt/live/login002.meerkat.mcri.edu.au/fullchain.pem

So I guess If a CA issued the certificate, that CA’s root certificate is not present or trusted in the client’s system’s certificate store.

What are the redhat steps to get the CARoot certificate and make it trusted? Or is the issue something else?

That’s right. I think you can use update-ca-certificates, though it’s odd that curl works when apache doesn’t. @tdockendorf may know more.

What does your Dex config look like? I believe that’s in /etc/ood/dex. It looks like Dex may not be using the correct CA setup in terms of exposing the full chain in a response. Adding the LetsEncrypt CAs (full chain minus your cert) to trusted CA store might be enough to resolve the issue but it might still require changes to Dex config to force the full chain to be part of the SSL response.

Thx for responding,

Here is my Dex config file. Can you advise the exact steps?

issuer: https://login001.mcri.edu.au/dex
storage:
  type: sqlite3
  config:
    file: "/etc/ood/dex/dex.db"
web:
  http: localhost:5556
telemetry:
  http: 0.0.0.0:5558
staticClients:
- id: login001.mcri.edu.au
  redirectURIs:
  - https://login001.mcri.edu.au/oidc
  name: OnDemand
  secret: 23.......hidden
connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: pkmp..hidden.mcri.edu.au:636
    tlsConfig:caCert: "/etc/ssl/certs/ldap-ca.crt"
    insecureSkipVerify: false
    bindDN: CN=svc...hidden,OU=Service,OU=Accounts,OU=MCRI,DC=mcri,DC=edu,DC=au
    bindPW: m.....hidden
    userSearch:
      baseDN: OU=USERS,OU=HEADQUARTERS,DC=mcri,DC=edu,DC=au
      filter: "(objectClass=user)"
      username: ..hidden
      idAttr: sAMAccountName
      emailAttr: mail
      nameAttr: name
      preferredUsernameAttr: sAMAccountName 
    groupSearch:
      baseDN: OU=Groups,OU=MCRI,DC=mcri,DC=edu,DC=au
      filter: "(objectClass=posixGroup)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
oauth2:
  skipApprovalScreen: true
enablePasswordDB: false
frontend:
  dir: "/usr/share/ondemand-dex/web"
  theme: ondemand

Hi Jeff,

Is the command you mention available on Redhat 9.x? Note, I did run “update-ca-trust extract” as part of the install. Do I still need to run “update-ca-certificates”?

Jeff, I also ran “update-ca-trust” without the extract option. No joy. Thoughts?

Also ran:

trust list --filter=ca-anchors

And it does not list LetsEncrypt. Any steps to get the LetsEncrypt CA and add it are most welcome. Not sure if this will fix it? Thoughts, steps? Thx

I checked our host, which also uses LetsEncrypt, and we have this:

  SSLCertificateFile /etc/letsencrypt/live/ondemand.osc.edu/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/ondemand.osc.edu/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/ondemand.osc.edu/chain.pem

Notice we use cert.pem for SSLCertificateFile. I don’t think this is a Dex issue because Apache is the SSL frontend for Dex, I forgot that till I saw your configs.

If updating SSLCertificateFile doesn’t solve the issue, you can download these CAs to /usr/share/pki/ca-trust-source/anchors/ then run update-ca-trust

I’m not convinced the CA trust update should be necessary as we (OSC) use LetsEncrypt for everything and rarely have to update the CA trust, and don’t have to update it for OnDemand or our IDP that is Keycloak.

Thanks T,

So this:

SSLCertificateFile /etc/letsencrypt/live/ondemand.osc.edu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ondemand.osc.edu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ondemand.osc.edu/chain.pem

You set this in the ood_portal.yml file, not the Dex config file, as the portal should take care of it?

Regards,

Christopher Welsh
Scientific Computing (Cluster/HPC)

Data Enablement team
Technology Office

Murdoch Children’s Research Institute
The Royal Children’s Hospital, 50 Flemington Road
Parkville, Victoria 3052 Australia

No joy. See below: https log with debug on. No joy. :frowning:

id-configuration (section=p, decrypt=0, type=shm)
[Wed Aug 13 11:18:48.412408 2025] [auth_openidc:debug] [pid 132513:tid 132543] src/cache/common.c(340): [client 172.16.14.178:36856] oidc_cache_get: cache miss from shm cache backend for key https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
[Wed Aug 13 11:18:48.412412 2025] [auth_openidc:debug] [pid 132513:tid 132543] src/util.c(764): [client 172.16.14.178:36856] oidc_util_http_query_encoded_url: url=https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
[Wed Aug 13 11:18:48.412417 2025] [auth_openidc:debug] [pid 132513:tid 132543] src/util.c(803): [client 172.16.14.178:36856] oidc_util_http_call: url=https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration, data=(null), content_type=(null), basic_auth=null, bearer_token=(null), ssl_validate_server=1, timeout=5, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Wed Aug 13 11:18:48.434995 2025] [auth_openidc:error] [pid 132513:tid 132543] [client 172.16.14.178:36856] oidc_util_http_call: curl_easy_perform() failed on: https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration (SSL certificate problem: self-signed certificate in certificate chain)
[Wed Aug 13 11:18:48.435030 2025] [auth_openidc:error] [pid 132513:tid 132543] [client 172.16.14.178:36856] oidc_provider_static_config: could not retrieve metadata from url: https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
[Wed Aug 13 11:18:48.435532 2025] [lua:debug] [pid 132513:tid 132543] lua_request.c(1883): [client 172.16.14.178:36856] AH01486: request_rec->dispatching subprocess_env -> apr table
[Wed Aug 13 11:18:48.435541 2025] [lua:debug] [pid 132513:tid 132543] lua_request.c(1883): [client 172.16.14.178:36856] AH01486: request_rec->dispatching subprocess_env -> apr table
[Wed Aug 13 11:18:48.435544 2025] [lua:debug] [pid 132513:tid 132543] lua_request.c(1883): [client 172.16.14.178:36856] AH01486: request_rec->dispatching subprocess_env -> apr table
[Wed Aug 13 11:18:48.435547 2025] [lua:debug] [pid 132513:tid 132543] lua_request.c(1883): [client 172.16.14.178:36856] AH01486: request_rec->dispatching subprocess_env -> apr table
[Wed Aug 13 11:18:48.789711 2025] [authz_core:debug] [pid 132513:tid 132546] mod_authz_core.c(815): [client 172.16.14.178:36864] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Aug 13 11:18:48.789727 2025] [authz_core:debug] [pid 132513:tid 132546] mod_authz_core.c(815): [client 172.16.14.178:36864] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Aug 13 11:18:48.789735 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/mod_auth_openidc.c(3942): [client 172.16.14.178:36864] oidc_check_user_id: incoming request: "/pun/sys/dashboard?(null)", ap_is_initial_req(r)=1
[Wed Aug 13 11:18:48.789741 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Host=login002.meerkat.mcri.edu.au
[Wed Aug 13 11:18:48.789746 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Host=login002.meerkat.mcri.edu.au
[Wed Aug 13 11:18:48.789751 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(652): [client 172.16.14.178:36864] oidc_get_redirect_uri: determined absolute redirect uri: https://login002.meerkat.mcri.edu.au/oidc
[Wed Aug 13 11:18:48.789757 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Cookie=cf_clearance=ClXuHtbz2zPnOOB8n9eEgqtrRG6KqV2bfnDBV.cmihU-1747120731-1.2.1.1-78mLifNDqJ9ZdlLsBkXZmeIdsaZs247tOOnw2yzSCQTMqTUipbomx3sxufp5ppkirwbSdn2QIPa7V6KBZ1VRrf5wdKqrh5XqLqquB5g.Tu3lYZr2I7trBYwX7E3VnAz9saJFHRPrr5jpkg7UFRotCrvm8PVRIzeZRIM0O0GLtPK49YLGQifnFargy3TqxQMrKb.XJmlISqtHkKkz3uGB5tJ39MWpYUcQ7H9m1M7f7vkTFQQeHBbX4eyTOvZbrMRCVfyKAsfXFPFQ7_R0bKnE5jUekUdAeXUhXx9aDYfUgXTsvSnUqqgehDNFqD15nTjCVbGCcKiIJYAPf_kTd0IfBygpM5Ds6wWv.pIlJwasNkg; nmstat=8b312979-0450-50be-e194-ace61932906d; _ga=GA1.1.371363529.1747120732; _ga_B4JHRFLLVV=GS2.1.s1747120732$o1$g1$t1747121780$j60$l0$h0
[Wed Aug 13 11:18:48.789772 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(1232): [client 172.16.14.178:36864] oidc_util_get_cookie: returning "mod_auth_openidc_session" = <null>
[Wed Aug 13 11:18:48.789777 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Host=login002.meerkat.mcri.edu.au
[Wed Aug 13 11:18:48.789781 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Host=login002.meerkat.mcri.edu.au
[Wed Aug 13 11:18:48.789785 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(652): [client 172.16.14.178:36864] oidc_get_redirect_uri: determined absolute redirect uri: https://login002.meerkat.mcri.edu.au/oidc
[Wed Aug 13 11:18:48.789790 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(1394): [client 172.16.14.178:36864] oidc_util_request_matches_url: comparing "/pun/sys/dashboard"=="/oidc"
[Wed Aug 13 11:18:48.789795 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Sec-Fetch-Mode=navigate
[Wed Aug 13 11:18:48.789799 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Sec-Fetch-Mode=navigate
[Wed Aug 13 11:18:48.789804 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Sec-Fetch-Dest=document
[Wed Aug 13 11:18:48.789807 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Sec-Fetch-Dest=document
[Wed Aug 13 11:18:48.789812 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
[Wed Aug 13 11:18:48.789817 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Host=login002.meerkat.mcri.edu.au
[Wed Aug 13 11:18:48.789821 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(2527): [client 172.16.14.178:36864] oidc_util_hdr_in_get: Host=login002.meerkat.mcri.edu.au
[Wed Aug 13 11:18:48.789826 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(633): [client 172.16.14.178:36864] oidc_get_current_url: current URL 'https://login002.meerkat.mcri.edu.au/pun/sys/dashboard'
[Wed Aug 13 11:18:48.789830 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/mod_auth_openidc.c(2273): [client 172.16.14.178:36864] oidc_authenticate_user: enter
[Wed Aug 13 11:18:48.789835 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/cache/common.c(305): [client 172.16.14.178:36864] oidc_cache_get: enter: https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration (section=p, decrypt=0, type=shm)
[Wed Aug 13 11:18:48.789856 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/cache/common.c(340): [client 172.16.14.178:36864] oidc_cache_get: cache miss from shm cache backend for key https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
[Wed Aug 13 11:18:48.789861 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(764): [client 172.16.14.178:36864] oidc_util_http_query_encoded_url: url=https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
[Wed Aug 13 11:18:48.789870 2025] [auth_openidc:debug] [pid 132513:tid 132546] src/util.c(803): [client 172.16.14.178:36864] oidc_util_http_call: url=https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration, data=(null), content_type=(null), basic_auth=null, bearer_token=(null), ssl_validate_server=1, timeout=5, outgoing_proxy=(null), pass_cookies=0, ssl_cert=(null), ssl_key=(null), ssl_key_pwd=(null)
[Wed Aug 13 11:18:48.812077 2025] [auth_openidc:error] [pid 132513:tid 132546] [client 172.16.14.178:36864] oidc_util_http_call: curl_easy_perform() failed on: https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration (SSL certificate problem: self-signed certificate in certificate chain)
[Wed Aug 13 11:18:48.812098 2025] [auth_openidc:error] [pid 132513:tid 132546] [client 172.16.14.178:36864] oidc_provider_static_config: could not retrieve metadata from url: https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
[Wed Aug 13 11:18:48.812485 2025] [lua:debug] [pid 132513:tid 132546] lua_request.c(1883): [client 172.16.14.178:36864] AH01486: request_rec->dispatching subprocess_env -> apr table
[Wed Aug 13 11:18:48.812490 2025] [lua:debug] [pid 132513:tid 132546] lua_request.c(1883): [client 172.16.14.178:36864] AH01486: request_rec->dispatching subprocess_env -> apr table
[Wed Aug 13 11:18:48.812493 2025] [lua:debug] [pid 132513:tid 132546] lua_request.c(1883): [client 172.16.14.178:36864] AH01486: request_rec->dispatching subprocess_env -> apr table
[Wed Aug 13 11:18:48.812496 2025] [lua:debug] [pid 132513:tid 132546] lua_request.c(1883): [client 172.16.14.178:36864] AH01486: request_rec->dispatching subprocess_env -> apr table

OK, today the curl command does not work. So if this is the case and I have added the LetsEncrypt certs then it has to be a systems CA thing. Anything you can suggest to try, very welcome.

[root@login002 profile.d]# curl -w %{certs} https://login002.meerkat.mcri.edu.au -vvvv
* Uses proxy env variable no_proxy == '127.0.0.1,localhost,10.40.115.100,xcat,xcat.mcri.edu.au,.mcri.edu.au,.meerkat.mcri.edu.au'
*   Trying 172.16.12.6:443...
* Connected to login002.meerkat.mcri.edu.au (172.16.12.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/ca-trust/source/anchors/ZscalerRootCertificate-2048-SHA256.pem
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl: unknown --write-out variable: 'certs'
[root@login002 profile.d]# curl https://login002.meerkat.mcri.edu.au/dex/.well-known/openid-configuration
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

What does this show?

openssl s_client -showcerts -servername login002.meerkat.mcri.edu.au -connect login002.meerkat.mcri.edu.au:443

It almost looks like there is an issue with Apache not using the LetsEncrypt certificates.

Lets Encrypt CAs are generally part of the global trust chain, at least the root CA is and the intermediates should be exposed by Apache.

The OpenSSL for me has items like this:

depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E6
verify return:1
depth=0 CN=ondemand.osc.edu
verify return:1

That shows the chain, towards the beginning of the output.
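The chain shown above, and the two earlier suggestions (use cert.pem plus a chain file so Apache presents the intermediate, or add the missing anchors to the trust store), can be exercised offline. The script below is an added example, not part of this thread and not OnDemand or Dex code: it builds a throwaway root, intermediate and leaf with openssl (the names Demo Root CA, Demo Intermediate, Unrelated Root and login.example.test are constructed) and then verifies the leaf the way a TLS client such as the curl inside mod_auth_openidc would, for the situations discussed here: the server presents only cert.pem, the server presents fullchain.pem, the client trusts an anchor that did not issue the chain, and the server presents its whole chain including the root while the client trusts some other anchor. The last case is the one that produces OpenSSL X509 error 19, "self-signed certificate in certificate chain", the message in the logs above; the verbose curl output earlier in the thread shows CAfile pointing at a single Zscaler anchor file rather than the system bundle, which matches that situation.

```shell
#!/bin/sh
# Added example (not from the thread, not OnDemand or Dex code): reproduce, offline,
# the verification outcomes discussed in this thread with a throwaway PKI.
# All names below (Demo Root CA, Demo Intermediate, Unrelated Root,
# login.example.test) are constructed for the demonstration.
set -eu

DEMO="${DEMO:-$(mktemp -d)}"   # scratch directory for the generated keys and certs

# issue_cert CN NAME EXTENSIONS [ISSUER]
# Creates $DEMO/NAME.key and $DEMO/NAME.pem with the given subject CN and X.509v3
# extensions (backslash-n separated). Without ISSUER the certificate is self-signed;
# with ISSUER it is signed by $DEMO/ISSUER.key.
issue_cert() {
  cn=$1; name=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$cn" -keyout "$DEMO/$name.key" -out "$DEMO/$name.csr" 2>/dev/null
  printf '%b\n' "$ext" > "$DEMO/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$DEMO/$name.csr" -signkey "$DEMO/$name.key" -days 2 \
      -extfile "$DEMO/$name.ext" -out "$DEMO/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$DEMO/$name.csr" -CA "$DEMO/$issuer.pem" -CAkey "$DEMO/$issuer.key" \
      -CAcreateserial -days 2 -extfile "$DEMO/$name.ext" -out "$DEMO/$name.pem" 2>/dev/null
  fi
}

# Build root -> intermediate -> leaf, plus an unrelated root, and the bundles a server
# might present. cert.pem and fullchain.pem mirror the file names certbot writes.
build_pki() {
  ca_ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  issue_cert "Demo Root CA"   root  "$ca_ext"   # stands in for ISRG Root X1
  issue_cert "Unrelated Root" other "$ca_ext"   # an anchor that did not issue our chain
  issue_cert "Demo Intermediate" inter \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign' root
  issue_cert "login.example.test" cert \
    'basicConstraints=CA:FALSE\nsubjectAltName=DNS:login.example.test\nextendedKeyUsage=serverAuth' inter
  cat "$DEMO/cert.pem" "$DEMO/inter.pem" > "$DEMO/fullchain.pem"            # leaf + intermediate
  cat "$DEMO/fullchain.pem" "$DEMO/root.pem" > "$DEMO/chain-with-root.pem"  # leaf + intermediate + root
}

# verify_code ANCHORS SERVED
# Emulates a TLS client: ANCHORS is the client's trust store, SERVED is the bundle the
# server sent in the handshake. Prints 0 when the leaf verifies, otherwise the OpenSSL
# X509 error number (20 = issuer not found, 19 = self-signed certificate in chain).
verify_code() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$DEMO/cert.pem" 2>&1) && { echo 0; return 0; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# verify_reason ANCHORS SERVED
# The human-readable "error N at D depth lookup: ..." line (empty on success); the depth
# tells you where the chain broke: 0 = leaf's issuer missing, 1 = intermediate's issuer
# missing, 2 = root present in the served chain but not trusted.
verify_reason() {
  openssl verify -CAfile "$1" -untrusted "$2" "$DEMO/cert.pem" 2>&1 | sed -n '/ depth lookup: /p' | head -n 1
}

main() {
  build_pki
  for case in "root.pem cert.pem" "root.pem fullchain.pem" \
              "other.pem fullchain.pem" "other.pem chain-with-root.pem"; do
    set -- $case
    printf 'trust=%-10s served=%-20s -> code %s %s\n' "$1" "$2" \
      "$(verify_code "$DEMO/$1" "$DEMO/$2")" "$(verify_reason "$DEMO/$1" "$DEMO/$2")"
  done
}

main
```

To apply the same check to a real host, save what it presents with `openssl s_client -showcerts -servername HOST -connect HOST:443 </dev/null` to a file and pass that file as `-untrusted` with the system bundle as `-CAfile` (on RHEL the extracted bundle is /etc/pki/tls/certs/ca-bundle.crt). An error at depth 0 means the intermediate is missing from what Apache sends (the cert.pem-only case); an error at depth 1 or 2 means the root is not in the trust store the client is actually using, which is what the CAfile line in the verbose curl output is worth checking against.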

Thanks so much , This is now resolved.

The issue was because this was a self-signed LetsEncrypt cert I needed to download the LetsEncrypt CAs as mentioned above. For some reason it only started working after I rebooted the server; restarting https did not help.
