I'm not convinced it's an issue with the cacert file, local test here on LE 8.2.5 using curl and openssl s_client are fine.
To me it looks more like some network issue, maybe transparent proxy etc interfering as the TLS handshake stopped rather early after "Client hello" - the "Server hello" and a lot more is missing.
This is what I get here:
Code:
le8:~ # curl -o /dev/null -v https://mirror.netcologne.de/xbmc/addons/krypton/script.trakt/script.trakt-3.2.0.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 194.8.197.22...
* TCP_NODELAY set
* Connected to mirror.netcologne.de (194.8.197.22) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [104 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3023 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [589 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=mirror.netcologne.de
* start date: May 8 20:14:10 2018 GMT
* expire date: Aug 6 20:14:10 2018 GMT
* subjectAltName: host "mirror.netcologne.de" matched cert's "mirror.netcologne.de"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> GET /xbmc/addons/krypton/script.trakt/script.trakt-3.2.0.zip HTTP/1.1
> Host: mirror.netcologne.de
> User-Agent: curl/7.58.0
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx/1.13.12
< Date: Tue, 15 May 2018 09:58:23 GMT
< Content-Type: application/zip
< Content-Length: 3305997
< Last-Modified: Sat, 17 Mar 2018 22:00:59 GMT
< Connection: keep-alive
< ETag: "5aad901b-32720d"
< Accept-Ranges: bytes
<
{ [16132 bytes data]
100 3228k 100 3228k 0 0 1325k 0 0:00:02 0:00:02 --:--:-- 1325k
* Connection #0 to host mirror.netcologne.de left intact
A test with openssl s_client might give some more info
Simple test:
Code:
le8:~ # openssl s_client -quiet -CAfile /etc/ssl/cert.pem -verify_depth 32 -connect mirror.netcologne.de:443
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mirror.netcologne.de
verify return:1
Test with lots of debug info:
Code:
openssl s_client -CAfile /etc/ssl/cert.pem -verify_depth 32 -showcerts -debug -connect mirror.netcologne.de:443
so long,
Hias