Decrypt error in TLS handshake after ServerKeyExchange - ssl

I have a WEB application deployed to Tomcat server. I connect to it with Chrome browser with HTTPS but I have decrypt error during TLS handshaking on the client side after ServerKeyExchange.
Certificates (3 levels):
Server certificate, signed by...
CA certificate, signed by...
Root certificate (self signed)
I validated certificates with openssl and they seem to be fine (chain.cer contains CA and root certificates):
$ openssl verify -verbose -CAfile chain.cer server.cer
server.cer: OK
If I test connection with OpenSSL I get error after client reads ServerKeyExchange:
openssl.exe s_client -CAfile chain.cer -showcerts -state -msg server.net:8443
output:
CONNECTED(00000004)
>>> ??? [length 0005]
16 03 01 01 4f
>>> TLS 1.3, Handshake [length 014f], ClientHello
01 00 01 4b 03 03 81 63 a4 15 45 bf 7f 9b 07 8f ...
<<< ??? [length 0005]
16 03 03 09 14
<<< TLS 1.3, Handshake [length 0055], ServerHello
02 00 00 51 03 03 60 ef d0 8b 1c d7 9a 78 2d d4 ...
<<< TLS 1.2, Handshake [length 07ee], Certificate
0b 00 07 ea 00 07 e7 00 07 e4 30 82 07 e0 30 82 ...
depth=2 O = Amadeus IT group SA, CN = amarootca2
verify return:1
depth=1 O = Amadeus IT group SA, CN = amacatech3
verify return:1
depth=0 C = FR, L = Nice, O = Amadeus Data Processing, OU = NIS, CN = nceiptapas04.nce.amadeus.net
verify return:1
<<< TLS 1.2, Handshake [length 00cd], ServerKeyExchange
0c 00 00 c9 03 00 17 41 04 82 07 58 e1 cd 42 40 ...
>>> ??? [length 0005]
15 03 03 00 02
>>> TLS 1.2, Alert [length 0002], fatal decrypt_error
02 33
34359738384:error:04091077:rsa routines:int_rsa_verify:wrong signature length:crypto/rsa/rsa_sign.c:132:
34359738384:error:1416D07B:SSL routines:tls_process_key_exchange:bad signature:ssl/statem/statem_clnt.c:2405:
---
Cannot client decrypt DH parameters sent by server? Why?
Here is Wireshark details from ServerKeyExchange:
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Length: 128
I have another but properly working WEB application where I have the same Signature Algorithm but the Signature Length: 256. Or this length is irrelevant?

Related

Verifying SSL Certificate on Server Can sign for Website Domain

Looking at ways to verify SSL certificate in origin serve: address: 67.222.39.77 can sign for the website integrationtest.xyz. I've managed to find all the certificates info seen below. My ask is how to use this information to double check that the certificates can sign for the website? Rather new to openssl and tried many things but nothing is working.
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.bluehost.com
verify return:1
---
Certificate chain
0 s:/CN=*.bluehost.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGMzCCBRugAwIBAgIQMh3e9KwzZtAjsRPdYdQLHTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
Ey5TZWN0aWdvIFJTQSBEb21haW4gVmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENB
MB4XDTIyMDEwMzAwMDAwMFoXDTIzMDIwMzIzNTk1OVowGTEXMBUGA1UEAwwOKi5i
bHVlaG9zdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDphMoR
K69yH+/kHtq7Cct4KBYj8S69aaSzUQH64cgH4QgcAKGkmUINOhD5IDGYe0D1Fky2
S5bj8R7V76wmSJBWhmcxbH7H16g8yi2Nn/TtLlmkJHBwsCwcnpai6JCQTMCAVoew
9HQfBEUlvKRH02ALGH/WI0wtENxiXpddk/A/BKe2jRDqvee07RPjUD1ZRRnWq4Cw
31DI9u2bRyUjyidacmAPsngV47neIu7xGSzq6hTcpRb0Y6FKO/ubG/6BTLyGX9RP
eUrlsQzSp2+9l1QdJG3q0PnpF4K1kHiDTi9pbOR8iztqh1RMvmQg5mlOJ2DyYlBJ
+eI5LHnYY8nFU0rTAgMBAAGjggL+MIIC+jAfBgNVHSMEGDAWgBSNjF7EVK2K4Xfp
m/mbBeG4AY1h4TAdBgNVHQ4EFgQUopmtVKvQJwiXthk/SB1zQOQsDskwDgYDVR0P
AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAgcwJTAjBggrBgEFBQcCARYX
aHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIBMIGEBggrBgEFBQcBAQR4
MHYwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuc2VjdGlnby5jb20vU2VjdGlnb1JT
QURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwIwYIKwYBBQUHMAGG
F2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMCcGA1UdEQQgMB6CDiouYmx1ZWhvc3Qu
Y29tggxibHVlaG9zdC5jb20wggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB1AK33
vvp8/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr3IKKAAABfiE5oTQAAAQDAEYwRAIg
L5YEn1rHGv/WMAQO2mKPxVlK+dcuN/x+PPXJ3CcKb+ECID9rNf0T/zrRV8QssUjf
6ay/8HbNKDXy9sm+ufQZCbZ6AHcAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6
V6NS61IAAAF+ITmhAgAABAMASDBGAiEAke3VHS0eOXysK7Ads7UW/SwIk+IvjUOv
SypJiiCFiC0CIQDzcQbdINmE9zI11F1mXSl0dT6n61yh8llp7H9VOTBQ2wB2AOg+
0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABfiE5oNUAAAQDAEcwRQIg
PHYT6pYo7CUnANGfHSPXzZAQBhDrjniI52/RnVJLnSsCIQDHyMbdR+V02lEDKTBj
BM0z9stx3GaY24aiMXcQOJlm5TANBgkqhkiG9w0BAQsFAAOCAQEAF7w723Jmvjvn
tF0G2NQP0XWtJKZep4fsnWaNHyavqJfcdJTzvqpGNcLuQRMRhmKOmY6h64b68HT5
FeRrlrqvg7hv9RvLz7B2Z7JPB9OrLBQaCSac4FgSmscw0vWAFlMA1dhxfLiEIjvk
uQsGBiRle60NCH15pwgRJlAgNX+kHQ+FDb1FcQy0z6pBKvIxK0tj/MEBeJUKXQGu
EVLovgcMBWXNHMrzan0IKlDFIBAMVqxGCi0oQ3f/wm7sWpzXOZvVauMh17wnFInj
XCtR+VG/2RU5xw4knH5hRL9YqUwm5SzFShhtgTv6+f+XEwMaZz0jXJKQrF/2EP9R
yHZNZVt2jA==
-----END CERTIFICATE-----
subject=/CN=*.bluehost.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5222 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: A3256BB84988464859E05545361E30BFF1AD56794454EFD31CB2A527D7AF6249
Session-ID-ctx:
Master-Key: 991BBF0898D38562CB4C96A233A84CB4A2713FE14E0FCA90B9EAAB2A206B49ECE6694AFE24C603B7D5A52FCB92C51F4A
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 12 50 26 1e 49 3b d8 e8-af 97 6a 10 e3 ac c2 97 .P&.I;....j.....
0010 - bf 45 ed 55 a3 bb 87 c2-21 7e 48 20 87 9c bd e8 .E.U....!~H ....
0020 - 9a 2a bc 57 95 e3 38 75-61 88 35 a2 55 7f 29 77 .*.W..8ua.5.U.)w
0030 - c7 5c 65 cc 07 bc da 67-c4 c1 0b 69 d5 68 9c af .\e....g...i.h..
0040 - 93 ab 7d 92 23 04 06 55-85 63 36 df 08 12 6f 91 ..}.#..U.c6...o.
0050 - 59 d2 9c 4d 41 c5 a0 aa-96 31 07 92 73 67 b4 00 Y..MA....1..sg..
0060 - 9e 2a c9 bc 9e 4b 1f 75-82 b1 a3 9e c8 ff 0c ff .*...K.u........
0070 - 1a 88 a4 25 7c 8f 46 2b-c1 70 3b 24 63 53 8b 5b ...%|.F+.p;$cS.[
0080 - 33 8f 62 0d 71 95 5a 61-a1 af ab d9 1a 51 0a c0 3.b.q.Za.....Q..
0090 - 1e a9 47 70 47 1d ca 2b-f5 af d0 3a be c9 02 96 ..GpG..+...:....
00a0 - 0c 13 3e ee bc f4 db c4-a1 6d 10 a9 42 af 87 3a ..>......m..B..:
00b0 - 0c 3d 28 e1 a1 94 d2 f0-d3 8f 1e e5 4e 01 73 fb .=(.........N.s.
Start Time: 1647887577
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---------------CERTIFICATE IN TEXT---------------------------------------------------
echo | openssl s_client -servername 67.222.39.77 -connect 67.222.39.77:443 2>/dev/null | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
32:1d:de:f4:ac:33:66:d0:23:b1:13:dd:61:d4:0b:1d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Validity
Not Before: Jan 3 00:00:00 2022 GMT
Not After : Feb 3 23:59:59 2023 GMT
Subject: CN=*.bluehost.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e9:84:ca:11:2b:af:72:1f:ef:e4:1e:da:bb:09:
cb:78:28:16:23:f1:2e:bd:69:a4:b3:51:01:fa:e1:
c8:07:e1:08:1c:00:a1:a4:99:42:0d:3a:10:f9:20:
31:98:7b:40:f5:16:4c:b6:4b:96:e3:f1:1e:d5:ef:
ac:26:48:90:56:86:67:31:6c:7e:c7:d7:a8:3c:ca:
2d:8d:9f:f4:ed:2e:59:a4:24:70:70:b0:2c:1c:9e:
96:a2:e8:90:90:4c:c0:80:56:87:b0:f4:74:1f:04:
45:25:bc:a4:47:d3:60:0b:18:7f:d6:23:4c:2d:10:
dc:62:5e:97:5d:93:f0:3f:04:a7:b6:8d:10:ea:bd:
e7:b4:ed:13:e3:50:3d:59:45:19:d6:ab:80:b0:df:
50:c8:f6:ed:9b:47:25:23:ca:27:5a:72:60:0f:b2:
78:15:e3:b9:de:22:ee:f1:19:2c:ea:ea:14:dc:a5:
16:f4:63:a1:4a:3b:fb:9b:1b:fe:81:4c:bc:86:5f:
d4:4f:79:4a:e5:b1:0c:d2:a7:6f:bd:97:54:1d:24:
6d:ea:d0:f9:e9:17:82:b5:90:78:83:4e:2f:69:6c:
e4:7c:8b:3b:6a:87:54:4c:be:64:20:e6:69:4e:27:
60:f2:62:50:49:f9:e2:39:2c:79:d8:63:c9:c5:53:
4a:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
X509v3 Subject Key Identifier:
A2:99:AD:54:AB:D0:27:08:97:B6:19:3F:48:1D:73:40:E4:2C:0E:C9
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://sectigo.com/CPS
Policy: 2.23.140.1.2.1
Authority Information Access:
CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.sectigo.com
X509v3 Subject Alternative Name:
DNS:*.bluehost.com, DNS:bluehost.com
1.3.6.1.4.1.11129.2.4.2:
...j.h.u.....|.....=..>.j.g)]...$...4.......~!9.4.....F0D. /...Z....0...b..YJ...7.~<...'
o.. ?k5...:.W.,.H.....v.(5.........z.w.z2.T..-. .8.R....p2..M;.+.:W.R.R...~!9.......H0F.!.....-.9|.+......,.../.C.K*I. ..-.!..q.. ...25.]f])tu>..\..Yi..U90P..v..>..>..52.W(..k......k..i.w}m..n...~!9.......G0E. <v...(.%'....#........x..o..RK.+.!.....G.t.Q.)0c..3..q.f....1w.8.f.
Signature Algorithm: sha256WithRSAEncryption
17:bc:3b:db:72:66:be:3b:e7:b4:5d:06:d8:d4:0f:d1:75:ad:
24:a6:5e:a7:87:ec:9d:66:8d:1f:26:af:a8:97:dc:74:94:f3:
be:aa:46:35:c2:ee:41:13:11:86:62:8e:99:8e:a1:eb:86:fa:
f0:74:f9:15:e4:6b:96:ba:af:83:b8:6f:f5:1b:cb:cf:b0:76:
67:b2:4f:07:d3:ab:2c:14:1a:09:26:9c:e0:58:12:9a:c7:30:
d2:f5:80:16:53:00:d5:d8:71:7c:b8:84:22:3b:e4:b9:0b:06:
06:24:65:7b:ad:0d:08:7d:79:a7:08:11:26:50:20:35:7f:a4:
1d:0f:85:0d:bd:45:71:0c:b4:cf:aa:41:2a:f2:31:2b:4b:63:
fc:c1:01:78:95:0a:5d:01:ae:11:52:e8:be:07:0c:05:65:cd:
1c:ca:f3:6a:7d:08:2a:50:c5:20:10:0c:56:ac:46:0a:2d:28:
43:77:ff:c2:6e:ec:5a:9c:d7:39:9b:d5:6a:e3:21:d7:bc:27:
14:89:e3:5c:2b:51:f9:51:bf:d9:15:39:c7:0e:24:9c:7e:61:
44:bf:58:a9:4c:26:e5:2c:c5:4a:18:6d:81:3b:fa:f9:ff:97:
13:03:1a:67:3d:23:5c:92:90:ac:5f:f6:10:ff:51:c8:76:4d:
65:5b:76:8c

Letsencrypt: alert certificate expired / alert SSL alert number 45 [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 days ago.
Improve this question
I've got some trouble with one of my clients (docker container based on Alpine) connecting a mail server with a Letsencrypt SSL certificate:
Nov 2 14:39:50 mail postfix/smtpd[878799]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
I know that Letsencrypt uses the new ISRG Root X1 since 1st Oct 2021. After Downloading the CA pem file from here https://letsencrypt.org/de/certificates/ I checked that the certificate is available.
Seems to be okay for me:
/etc/ssl/certs # grep -ri "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=" .
./4042bcee.1:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-isrgrootx1.pem.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./4042bcee.0:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-ISRG_Root_X1.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
Additionally I installed the Certificate by hand (snippet of the Dockerfile):
COPY etc/ssl/isrgrootx1.pem /usr/local/share/ca-certificates/
RUN apk update && apk add --no-cache ca-certificates && update-ca-certificates
No luck. The SSL chain seems to be strange (domain is masked with xxx):
/etc/ssl/certs # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=mail.xxx.de
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail.xxx.de
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4895 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D0DA2252D5091779AA2CDF832A856F846A2AFD4C4C73CEDA24D64647FD998CB4
Session-ID-ctx:
Master-Key: BA703221FC54ADE822079229A36672AADFF4621EBEFDDA338D3E5F8025DC9668BBAFA152A1708C569B72AFF09F80AC5D
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 18 80 2d 38 6c e0 da 60-77 43 b1 62 d7 80 84 3f ..-8l..`wC.b...?
0010 - 1e 28 23 23 f7 34 ef 30-21 09 a2 34 92 b7 bf 10 .(##.4.0!..4....
0020 - ae c1 b7 50 ea 85 11 32-1c 28 f9 09 9f ff 20 7a ...P...2.(.... z
0030 - 7b e2 61 8d 8d 06 e3 66-6e 7c 93 31 95 29 e9 2d {.a....fn|.1.).-
0040 - 6a 93 bc 06 1d e2 26 58-00 32 48 67 aa f5 45 ed j.....&X.2Hg..E.
0050 - b8 5a 0d 93 84 7e c4 36-cf 06 39 4f d3 6a 45 e1 .Z...~.6..9O.jE.
0060 - a6 fc 49 31 3a 1c c4 32-d3 ae d2 2c 2e 34 e9 c2 ..I1:..2...,.4..
0070 - 8c 58 ee 98 08 48 56 d9-58 c3 3a 2c 21 6e a8 3b .X...HV.X.:,!n.;
0080 - 85 22 9b 90 6c 21 06 79-f2 e6 6c b0 dd c9 1e 2c ."..l!.y..l....,
0090 - c1 62 11 4b 7b 19 5d ac-d9 ba 69 6a 17 fb 7b ab .b.K{.]...ij..{.
Start Time: 1636139076
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
---
250 CHUNKING
Here one of my Alpine Containers with a successfully connection:
/var/www/html # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.xxx.de
verify return:1
---
Certificate chain
0 s:CN = mail.xxx.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mail.xxx.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4834 bytes and written 435 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: A60E19C667530A8C575213D7ECCA704F55D32294779DDA198D182909ACF72EC9
Session-ID-ctx:
Resumption PSK: F341E73946627D59D9AEAEDDDF23D0F9B5BBFF8CE5603550A30E0A17BC884174A8883D2BBF1D4335D6835470A9DBED6D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 4e 14 1b 3c 6f 76 8f da-4c 91 b0 71 f0 95 f8 f6 N..<ov..L..q....
0010 - a2 bd 18 a8 75 00 a3 0c-dc 18 7a 95 2c 74 a4 62 ....u.....z.,t.b
0020 - 4e aa 8e d4 dc 75 6a 1e-1b 3b c1 87 9d ca ff ce N....uj..;......
0030 - 24 a4 7b fb 35 e8 c1 8e-ff a0 a4 38 db 52 7d fd $.{.5......8.R}.
0040 - 95 42 0d 8f 0b ba c4 5b-27 d5 94 2b bc f3 92 34 .B.....['..+...4
0050 - 41 e4 12 6e f7 c4 f0 33-81 bc 9d 07 12 8f b2 8b A..n...3........
0060 - f1 8d 59 2f ee 49 e6 c8-17 e6 66 64 b6 b8 8f a0 ..Y/.I....fd....
0070 - d0 40 bc 28 71 96 d1 a7-b9 e3 00 db ba 5b 85 43 .#.(q........[.C
0080 - e2 dc d0 42 21 8a d1 57-21 01 5e b9 5f e2 ec 16 ...B!..W!.^._...
0090 - fb 00 d6 5b ae b6 2b d1-42 c8 2c ae f6 2d 21 48 ...[..+.B.,..-!H
00a0 - dc d2 a9 c3 5c 75 33 21-a8 c2 ca d3 7b 86 ec 65 ....\u3!....{..e
00b0 - d2 1b 1f e5 c7 b2 45 94-96 56 48 74 e5 d5 22 18 ......E..VHt..".
00c0 - bf c4 5d f4 9e 1c 37 e2-b7 9a cc 3a e1 0e 9b ee ..]...7....:....
Start Time: 1636139616
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Any idea? Thank you very much!

gevent SSL with godaddy error: ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1051)

I've got Webhosting on GoDaddy with their SSL certificate installed.
I'm trying to send the https POST request to my Python backend on my own server (with static IP) which is running gevent WSGIServer like this:
https_server = WSGIServer(('<backend ip>', 3000),
appFlask,
keyfile='server.key',
certfile='server.crt',
)
The server.key and server.crt I created by copy/paste from goddady->cPanelAdmin-> Manage SSL Hosts -> Autofill by Domain.
The Certificate: (CRT) -> server.crt. The Private Key (KEY) -> server.key.
The CRT:
-----BEGIN CERTIFICATE-----
MIIGQzCCBSugAwIBAgIJANvQSPtAlkYyMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE5MTEzMDEzNTAyM1oX
DTIwMTEzMDA4MTAzN1owPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRgwFgYDVQQDEw9hcXRzNjU1Mzc5ay5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC/sQsu+SEMu3TbaaCx96hw8A8YLjQehtm16t9cx5KOKOld
chA1rUVZXZq5LLbgXJ/11Ws4z+oqg8T7xmhUPB/sBbP0wd0/wyqAKzkCEfZndV52
Y4oc7+P0NVC5YSTyoMQ1/bx12+PcpkG0LTUbz0F91Z2ZuO/Cr9l3NaR07v35zhKC
aTDJVd1sSwJkRQ9StUXEpQD8M107vhRuBsPqR49qC0vbwXByzK1pC7DTrz2Z0HFR
l8u0d86M+HHZmn3n/vRfXA0PIW16enjLkdZIKMmidvCJmRCUUA6KSljhJz5nZuOF
G2IrsWUqW3AX7Dt8BL2WX/blToikbC5oiaezFoR5AgMBAAGjggLMMIICyDAMBgNV
HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8B
Af8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5nb2RhZGR5LmNv
bS9nZGlnMnMxLTE1NDcuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3
BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv
c2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0
aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0j
BBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wLwYDVR0RBCgwJoIPYXF0czY1NTM3
OWsuY29tghN3d3cuYXF0czY1NTM3OWsuY29tMB0GA1UdDgQWBBTCriFH/fyxral7
BYLxnzTLClIEIDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AKS5CZC0GFgUh7sT
osxncAo8NZgE+RvfuON3zQ7IDdwQAAABbryTxeMAAAQDAEgwRgIhAJ2E4BRwFSUd
kxChyaNNt9rW8yUovUzHMJBGEm48FgKXAiEAxgo7kNBGm0wmQEUX7gxY6xG4pRLv
5T0JoUf31mCvEuYAdgBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAA
AW68k8a8AAAEAwBHMEUCIQC661NrwQ+pn9vG9F1Aw9rJrrlHldzPXmCOoeih8cQI
PwIgQaMQ1KAyVz8zI8wGoJ3S+snGHQq88N+oivNeeSggIQwwDQYJKoZIhvcNAQEL
BQADggEBALZuZ9oXPf8zazPGqiIZrok/zVi7DrimGKQfgVnbR3bE0IhYUFlbO/GN
eH/AcDgHnR8Rdb3t4sjD7pTe1jaD/Jrj0Pz3zhRXKh4l47ERQcRTUKqoNnHW/yxv
+pVHJ/wU/h+DVfAvKkMiIyPV/EbjZg5Vys09tzIDSSjA0n+l2BYq6JY7Z/SWf6QX
CZNsDocBW05Vf0Ot8LDswxgIf1hpw0x/icQj/wlgMdCRIlS46ai293r2A+TcFj5a
aSpcpIT7Yf6NJPOlMNhPiTABAkzb34iA47Ox4S0pFImLuBVqYDIw0kM+tM0pdKuB
nd0IIfQhBswJgpAr++R57vuggExKtxw=
-----END CERTIFICATE-----
The Certificate Authority Bundle:
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMu
MTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTEx
MDUwMzA3MDAwMFoXDTMxMDUwMzA3MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsG
A1UECxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBE
YWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzDBNliF44v/z5lz4/OYuY8UhzaFkVLVat4
a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOvK/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7Q
jL7wMDge87Am+GZHY23ecSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1g
O7GyQ5HYpDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7neTOv
DCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMBAAGjggEaMIIBFjAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUQMK9J47MNIMwojPX+2yz
8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0
cDovL2NybC5nb2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMA0GCSqGSIb3
DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz91cxG7685C/b+LrTW+C05+Z5
Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSn
E3ANkR/0yBOtg2DZ2HKocyQetawiDsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z
2Czqrpv1KrKQ0U11GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeK
M+2xLXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
The client code is React app with hash router where on the button click the following is called:
let res = await axios
.create({ baseURL: "https://<backend ip>:3000" })
.post("/server_auth_user", data_obj)
.then(result => {
if (result.status === 200 && result.data.response) {
console.log(result);
Auth.login(() => {
this.props.history.push("/screens");
...
This is what happens when I run:
openssl s_client -connect <godaddy host>:443 -key 'server.key' -cert 'server.crt'
CONNECTED(00000005)
---
Certificate chain
0 s:OU = Domain Control Validated, CN = aqts655379k.com
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
---
Server certificate
Server certificate
-----BEGIN CERTIFICATE-----
MIIGQzCCBSugAwIBAgIJANvQSPtAlkYyMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE5MTEzMDEzNTAyM1oX
DTIwMTEzMDA4MTAzN1owPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRgwFgYDVQQDEw9hcXRzNjU1Mzc5ay5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC/sQsu+SEMu3TbaaCx96hw8A8YLjQehtm16t9cx5KOKOld
chA1rUVZXZq5LLbgXJ/11Ws4z+oqg8T7xmhUPB/sBbP0wd0/wyqAKzkCEfZndV52
Y4oc7+P0NVC5YSTyoMQ1/bx12+PcpkG0LTUbz0F91Z2ZuO/Cr9l3NaR07v35zhKC
aTDJVd1sSwJkRQ9StUXEpQD8M107vhRuBsPqR49qC0vbwXByzK1pC7DTrz2Z0HFR
l8u0d86M+HHZmn3n/vRfXA0PIW16enjLkdZIKMmidvCJmRCUUA6KSljhJz5nZuOF
G2IrsWUqW3AX7Dt8BL2WX/blToikbC5oiaezFoR5AgMBAAGjggLMMIICyDAMBgNV
HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8B
Af8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5nb2RhZGR5LmNv
bS9nZGlnMnMxLTE1NDcuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3
BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv
c2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0
aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0j
BBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wLwYDVR0RBCgwJoIPYXF0czY1NTM3
OWsuY29tghN3d3cuYXF0czY1NTM3OWsuY29tMB0GA1UdDgQWBBTCriFH/fyxral7
BYLxnzTLClIEIDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AKS5CZC0GFgUh7sT
osxncAo8NZgE+RvfuON3zQ7IDdwQAAABbryTxeMAAAQDAEgwRgIhAJ2E4BRwFSUd
kxChyaNNt9rW8yUovUzHMJBGEm48FgKXAiEAxgo7kNBGm0wmQEUX7gxY6xG4pRLv
5T0JoUf31mCvEuYAdgBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAA
AW68k8a8AAAEAwBHMEUCIQC661NrwQ+pn9vG9F1Aw9rJrrlHldzPXmCOoeih8cQI
PwIgQaMQ1KAyVz8zI8wGoJ3S+snGHQq88N+oivNeeSggIQwwDQYJKoZIhvcNAQEL
BQADggEBALZuZ9oXPf8zazPGqiIZrok/zVi7DrimGKQfgVnbR3bE0IhYUFlbO/GN
eH/AcDgHnR8Rdb3t4sjD7pTe1jaD/Jrj0Pz3zhRXKh4l47ERQcRTUKqoNnHW/yxv
+pVHJ/wU/h+DVfAvKkMiIyPV/EbjZg5Vys09tzIDSSjA0n+l2BYq6JY7Z/SWf6QX
CZNsDocBW05Vf0Ot8LDswxgIf1hpw0x/icQj/wlgMdCRIlS46ai293r2A+TcFj5a
aSpcpIT7Yf6NJPOlMNhPiTABAkzb34iA47Ox4S0pFImLuBVqYDIw0kM+tM0pdKuB
nd0IIfQhBswJgpAr++R57vuggExKtxw=
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, CN = <godaddy.host>
issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3552 bytes and written 443 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A1A0E86F59695161F06029EADB6F26C491F01A511A417CCCF07948F095139E3B
Session-ID-ctx:
Master-Key: DAA60D38F7D74D553478FB3B74DE8F7BE315D003FBF3F6847F812CF25693CFC3EDDADB3F4A2A2D278F7239330E156D92
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - da 97 5d f6 a9 8a 2d 9b-a0 dd 6f 3c 65 58 11 55 ..]...-...o<eX.U
0010 - c4 5d 24 c0 f3 03 6d 2e-16 75 9a 6f 9f 29 2d 4e .]$...m..u.o.)-N
0020 - 92 98 92 24 27 ab 92 2e-31 7d 83 26 70 ba c8 36 ...$'...1}.&p..6
0030 - e6 86 62 58 2a e1 8a be-1c 08 d0 a2 30 e6 36 8c ..bX*.......0.6.
0040 - be b8 6d 5b 72 37 6b fd-32 f5 16 3b 0b 24 e1 10 ..m[r7k.2..;.$..
0050 - 2d 71 f5 8d 1f bf d1 5a-74 2b d1 cd 1d ec f1 f9 -q.....Zt+......
0060 - 6f b3 89 66 10 fa d3 bb-df cc cc 94 fa 61 2b 54 o..f.........a+T
0070 - 0a 85 ac 0c f5 91 c8 53-06 a4 05 bc a8 bf 18 dc .......S........
0080 - 0f cc 71 46 5f af 23 fd-62 48 32 c8 95 20 8f bb ..qF_.#.bH2.. ..
0090 - f3 80 aa ca b0 cf 2e 5c-58 84 d9 65 e5 7e 57 a3 .......\X..e.~W.
00a0 - 09 99 98 72 91 77 21 a1-b9 3e a1 4e 4f 1b af 21 ...r.w!..>.NO..!
00b0 - ff 02 97 71 90 b6 42 51-04 17 c3 e8 ca 8c 35 f9 ...q..BQ......5.
00c0 - 33 07 ca 32 2f 9d c1 7e-59 52 37 db e0 c8 fa bf 3..2/..~YR7.....
Start Time: 1575195127
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
The strange things are:
on some devices/browsers I manage to go beyond the Submit button but then the redirected page /screens shows not secured, though certificate is valid
on other browsers I see in Python log - as if the godaddy now tries to validate my Python backend certificate?:
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1076)
2019-12-01T09:59:25Z <Greenlet at 0x1a8fefe8048: _handle_and_close_when_done(<bound method StreamServer.wrap_socket_and_handle , <bound method StreamServer.do_close of <WSGIServer, (<gevent._socket3.socket [closed] object, fd=-1, )> failed with SSLError

openssl s_client -connect <godaddy_host>:80 ...
... ssl3_get_record:wrong version number
You are connecting to the HTTP port (80) not to the HTTPS port (443). No wonder it will fail with the TLS handshake. But this has nothing to do with the error you get in your Python script since I'm pretty sure you don't use port 80 there.
net::ERR_CERT_COMMON_NAME_INVALID
This happens if the subject of the server certificate does not match the hostname you use to access the server in your code. Since nothing about the server certificate and the code of your client is known I cannot be more specific where exactly the problem is.
gevent SSL with godaddy error: ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1051)
The error message you show in the title is yet another one. This suggests that the server is not accepting the client certificate you use. Note that you cannot use arbitrary certificates as client certificate but must provide the ones accepted by the server.

I suggest never, ever, ever publishing your certificates, they are private to yourself.

NGINX Reverse Proxy: 20:unable to get local issuer certificate

I am running nginx and i want to proxy another https host and to verify it's certificate.
I've created a CA cert, created a cert for the proxied host and signed it with the CA. The CA cert was added to the server's root certificates.
My nginx config is the following:
proxy_ssl_verify_depth 1; # tried 0,1,2,3
proxy_ssl_trusted_certificate /etc/nginx/ca.pem;
proxy_ssl_verify on;
When a request is done, nginx log returns:
[error] 26578#26578: *2 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream
Running openssl s_client -connect 1.1.1.1:8000 returns:
CONNECTED(00000003)
depth=1 C = CY, ST = CY, L = CY, O = TEST.TEST, CN = TEST.TEST, emailAddress = admin#test.test
verify return:1
depth=0 C = CY, ST = CY, L = CY, O = TEST.TEST, OU = TEST.TEST, CN = 1.1.1.1
verify return:1
---
Certificate chain
0 s:/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
i:/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin#test.test
---
Server certificate
-----BEGIN CERTIFICATE-----
.... cer
-----END CERTIFICATE-----
subject=/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
issuer=/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin#test.test
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1491 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 94195986FED8C203B09C6A3870DC8B972A6FB3C98D69868CFAF9C4BFC2B7A714
Session-ID-ctx:
Master-Key: D804526744415E7E6C3E0AFBAF4F5BB3B6315BE8785C46FCF7AA232A31E6D7C780E7A8D4B8413BE8D1F1758CF8DD8FE8
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 0a 5f b9 15 a5 78 d0 6c-32 24 77 3b 16 7a 10 75 ._...x.l2$w;.z.u
0010 - 76 ed 08 18 8b 23 a8 15-24 3f eb 83 d8 6e 56 d6 v....#..$?...nV.
0020 - 98 13 c2 36 62 35 17 42-b4 f9 e9 f7 99 50 14 77 ...6b5.B.....P.w
0030 - 8b a3 e6 b5 2f ef ca af-7d 25 7c d8 7e b8 3a 96 ..../...}%|.~.:.
0040 - 11 87 b2 e2 0a d6 de b6-60 75 c5 4a 58 57 8b 1b ........`u.JXW..
0050 - 73 6d 36 c6 9f 6a ec 31-71 2d 02 ad 50 45 8a 14 sm6..j.1q-..PE..
0060 - 01 c1 6c 4a 2f 46 9b cb-e6 4c 09 97 17 fa 46 f4 ..lJ/F...L....F.
0070 - 29 e6 a5 cb a7 37 fb 31-b3 a0 d7 55 ac cb fd 59 )....7.1...U...Y
0080 - 42 a5 7b 45 9a 53 24 90-52 8c 8e 1c eb c4 db f9 B.{E.S$.R.......
0090 - 27 04 b9 7e ba 0a 2d 9e-3b 92 67 ec 42 d6 69 78 '..~..-.;.g.B.ix
Start Time: 1527255600
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
IP/cert names replaced by dummy versions in this result.
curl https://1.1.1.1 also works without problems.
I've been reading googling and checking all similar stackoverflow questions, but none of the proposed fixes seemed to resolve this.

How to interpret the response from OpenSSL?

So in the AWS IoT tutorial I get this:
pi#raspberrypi:~/certs $ openssl s_client -connect iot.us-west-2.amazonaws.com:443 -CAfile root-CA.pem -cert certificate.pem.crt -key private.pem.key
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = iot.us-west-2.amazonaws.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=iot.us-west-2.amazonaws.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
STUFFHERE
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=iot.us-west-2.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3264 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: FC6ABAE41818994E5D7B6AE83DCE0F717396D7F5314CFB096CD967489A136CCA
Session-ID-ctx:
Master-Key: STUFFHERE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 10800 (seconds)
TLS session ticket:
0000 - d5 b9 92 64 2c 92 37 2c-79 c2 68 04 28 ef f4 d7 ...d,.7,y.h.(...
0010 - e1 31 dc 7e 80 51 a8 ef-da ab 0f 60 7e 5b 1d 52 .1.~.Q.....`~[.R
0020 - b1 03 06 52 ac 8b 32 12-54 1f 86 72 f4 a7 2b f3 ...R..2.T..r..+.
0030 - ba 3b f8 91 a6 fc ce 53-d2 0c d9 96 75 a2 4c f1 .;.....S....u.L.
0040 - 31 bd f4 84 f2 c6 b8 51-06 8c 36 22 12 b3 82 99 1......Q..6"....
0050 - b6 13 b9 f8 fa 54 e4 0d-eb 01 b6 c4 82 b2 1b 88 .....T..........
0060 - c6 af 3b 54 58 83 77 4b-69 b2 b1 8c cb 0a 7c 81 ..;TX.wKi.....|.
0070 - 70 a9 d5 d2 fd f8 3b 21-e3 8e b2 e6 c4 83 f9 af p.....;!........
0080 - bc 3f 8e fa 33 ae 28 7b-be e6 8d 6b aa 96 4e 56 .?..3.({...k..NV
0090 - 12 6f b3 9d bc b5 53 fa-23 3c 79 5b 41 a1 ae 5a .o....S.#<y[A..Z
Start Time: 1457306705
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
I have the followings in the ~/certs folder:
pi#raspberrypi:~/certs $ ls
certificate.pem.crt private.pem.key public.pem.key root-CA.pem