[SOLVED] SSL: unable to verify the first certificate

aChris

New Member
Jun 1, 2023
While trying to set up a Checkmk special agent I found that I cannot open an SSL connection to my Proxmox hosts via openssl.
This always throws an error: 'unable to get local issuer certificate' and 'unable to verify the first certificate'.

Please correct me if I am wrong, but from what I read this might be because some websites do not send the entire certificate chain, but some CLI programs do require it.
What can I do with the certificates, either within Proxmox or the Checkmk system, to resolve this?

The following output is from one PVE node connecting to another using openssl.

root@pve2:~# openssl s_client -connect <IPAddress of pve3>
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve3.prox.mox
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve3.prox.mox
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve3.prox.mox
verify return:1
---
Certificate chain
0 s:OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve3.prox.mox
i:CN = Proxmox Virtual Environment, OU = eaa201c6-d2e6-41c4-829b-bc7913366acd, O = PVE Cluster Manager CA
a:pKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 30 10:07:21 2023 GMT; NotAfter: Aug 29 10:07:21 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE9zCCAt+gAwIBAgIBBDANBgkqhkiG9w0BAQsFADB2MSQwIgYDVQQDDBtQcm94
bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxLTArBgNVBAsMJGVhYTIwMWM2LWQyZTYt
NDFjNC04MjliLWJjNzkxMzM2NmFjZDEfMB0GA1UECgwWUFZFIENsdXN0ZXIgTWFu
YWdlciBDQTAeFw0yMzA4MzAxMDA3MjFaFw0yNTA4MjkxMDA3MjFaMFkxGTAXBgNV
BAsTEFBWRSBDbHVzdGVyIE5vZGUxJDAiBgNVBAoTG1Byb3htb3ggVmlydHVhbCBF
bnZpcm9ubWVudDEWMBQGA1UEAxMNcHZlMy5wcm94Lm1veDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALRN3v/+coCcvpTU1TiABudk3MaeqBEffKCillNC
eEnmHRNN+vjNR4Ue+ws0xgjOIF+Xpd+WQ8/ZgOvinu/ESOnOTpxW3uG7fZzIpx+6
SXKj7BSjjjSvFStC2beEamf3LEUDKsdYRGzQ9Bl1qYuhcb08cSwc7vMj1tjvmq1Q
e0igABz5ohXFtJXas+rkTfdtwzUqueUMXDqCB16XpyXum8kaBZvQEgLJwwVnPGpq
f8imOpXo+iuyW6+/KHQVco/fXnt89Pi8Q3LmzYtqUBszzHrRdqLOxc5IC4tpFuVk
uhEh78WtsP8SEBLDmaYETib01mtEefvZHTcIAd6I7kEtiQMCAwEAAaOBrDCBqTAJ
BgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEcGA1UdEQRAMD6HBH8AAAGH
EAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdIcEwKgE5oIEcHZlM4INcHZlMy5w
cm94Lm1veDAdBgNVHQ4EFgQU467FC0q6X2Effn0UWeB2Yo17YNswHwYDVR0jBBgw
FoAUqUnOlzvt24iPQTDmoamoFpr5KjUwDQYJKoZIhvcNAQELBQADggIBAFGNXUvA
E4qvp+HOLml/8lue9iPnCo4GwRdIrxCi49LXiFaW2Yr/KVru1QdYbQGc74a6X4rr
uc0aNCtE/147PI+LvbfcI4KvrOWvB2DgeV0N8MIMDcmG9yRQQ+HCNIUJSjTEL01k
ASAXPSb1RxJitZhPUJYrIgkVoslEVArkLLy/jboyrMOyYxIaL4zmE4qb4EUBVyP2
7/fstSOuXM1HEiZ7XTfIBE4xoJljqVK8R4fpaBJNEh+mDQ+eCR2UUd2pNJD8nXeg
fE7CuD/LyVR7bBSozR9IRZkITk1LSfON3R6JYaC4m/xLcBqtsBUQc4R4BY3iIE+c
aMkHmvZ3U9tXQH03r7xCQRkE3ES1GZvI/2YxIfBDvXLLLQI2H0rE5eFYPj8480iP
Z0CuEm6dUFgwoIcE1LyRtl09mlo21qNJDTsaL17H2TBgWJlGTpj2bo4vJmwn2htI
a3OvtBzG205n9BXZC+j15CQ4CZm79Dq0uORDL4rP1+WH3R+Sp0cMC3GbxnwMzNwT
N1VfS7MJujIEhSt5MbUH3XYWqf4xBw6OTBYQe+Mmj/QsNV+ZgKnGjxn/qWTwQft0
CBRNyUlbZGltJ0sUKMgy8GTOFZ2zjBbLt+fAK2NpWXLKv6iG42CenFPDKRfgtmTj
dW+XIFo99PMqQORdGr4hsntIIeVMTgymLMkA
-----END CERTIFICATE-----
subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve3.prox.mox
issuer=CN = Proxmox Virtual Environment, OU = eaa201c6-d2e6-41c4-829b-bc7913366acd, O = PVE Cluster Manager CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1831 bytes and written 377 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: AF7F13C6AC6876970C0F512A81C6673DA8B5CAD4D569055345044328B76D19AA
Session-ID-ctx:
Resumption PSK: 1CC155BAC75C1CC646999E38702E01136D02392A4B304C3C88457542871F6AE58B913C36788BCECADECD7F1CF9CA1C73
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 07 73 01 43 3b 14 26 a8-2b c6 c4 23 13 84 8b 10 .s.C;.&.+..#....
0010 - 00 fa 2c ca f3 06 d9 01-3a d4 b8 cb 20 82 9d a1 ..,.....:... ...
0020 - cc 7e 35 2e 37 97 d7 82-59 25 dc f9 c3 a5 d6 91 .~5.7...Y%......
0030 - 56 ab dc 5d 53 58 e5 de-51 7e 02 ec af 51 aa 62 V..]SX..Q~...Q.b
0040 - 4b 50 04 23 87 94 88 71-8a 3b 03 e8 77 cb 9d ff KP.#...q.;..w...
0050 - d6 39 5b 85 c1 85 a5 98-09 62 ce 13 81 eb c0 59 .9[......b.....Y
0060 - 60 30 ce 15 13 97 dc f5-82 d9 92 f3 dc 67 93 62 `0...........g.b
0070 - da 06 f1 6a 38 2b 2e d2-48 30 01 91 4f be cc 1b ...j8+..H0..O...
0080 - 75 c0 bf d8 87 ad 06 ce-9c e8 f1 f8 a3 63 b3 ab u............c..
0090 - 9b 66 5a b7 d4 95 fb 86-62 dd 84 75 55 41 57 51 .fZ.....b..uUAWQ
00a0 - 8c fd 77 b8 20 3c fc b0-58 48 1e e6 c7 8d 45 29 ..w. <..XH....E)
00b0 - 78 03 88 8b e2 f7 37 8d-ea 3d 26 91 48 39 84 8e x.....7..=&.H9..
00c0 - 57 e7 e9 e3 6a 71 f3 e5-6f dd f9 ac 3f 2a 44 ee W...jq..o...?*D.

Start Time: 1697202335
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1848C875D61BDE640F2E68556C7F5439BFF652F4CD880C60A381A1192C113C6D
Session-ID-ctx:
Resumption PSK: A5F57377C13104A87930199CBDC22E38114AD35D1CFF0C6600AF9B0ADB6825020C62A09F4535BE58D62636285D463C93
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 07 73 01 43 3b 14 26 a8-2b c6 c4 23 13 84 8b 10 .s.C;.&.+..#....
0010 - 88 b9 a5 a2 9b 5e 74 80-b2 6a c8 cf 0f 84 c4 f3 .....^t..j......
0020 - 1a b2 c7 0a c8 5f d3 c9-99 f4 f6 96 a0 3c c1 b4 ....._.......<..
0030 - 40 8a c4 e4 e7 8e dd 71-cb c6 b1 0b 8c 86 95 5e @......q.......^
0040 - 67 bf 47 73 b9 cc 21 4c-40 2f 10 ab ad 57 cb 7b g.Gs..!L@/...W.{
0050 - 3a 8a be 1f 6e 19 00 4c-9d 96 d8 3d ff 41 d2 b0 :...n..L...=.A..
0060 - 10 1e 9c 4e 4b 1e d3 50-a4 ae 0b e7 39 92 d8 f5 ...NK..P....9...
0070 - e0 19 7b d8 33 eb ec 01-d0 b8 47 41 80 7c 15 a7 ..{.3.....GA.|..
0080 - 7b c4 0d c8 63 c5 9b c6-34 76 25 63 d2 e2 9b fa {...c...4v%c....
0090 - 81 df 1a 5e 61 43 aa 0f-0a b3 b4 6a da 09 dc de ...^aC.....j....
00a0 - 31 22 11 dd c2 b3 78 f8-0e d9 41 8e 03 7c 6c b3 1"....x...A..|l.
00b0 - 8d a2 26 0f d0 91 94 52-c3 f0 6b 8d 22 49 a9 8c ..&....R..k."I..
00c0 - b9 7d da 4b 94 c6 35 b0-d0 95 32 d5 e2 2a 85 6b .}.K..5...2..*.k

Start Time: 1697202335
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
40E76ED0547F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:303:

Added the PVE root certificate to the store of trusted certificates of my Checkmk site.

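The verification failure in the session above is what you get when the server sends only its own certificate and the issuing CA is not in the client's trust store: depth 0 reports error 20 (no local issuer) and the final return code is 21. The script below is an added example, not something from this thread or from Proxmox: it rebuilds that situation on localhost with a constructed private CA standing in for the "PVE Cluster Manager CA", starts a TLS server that presents only the leaf certificate, and then runs the same `openssl s_client` check with and without `-CAfile`. The names, paths and port 14433 are demo values; only the `openssl` command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the forum thread or Proxmox): reproduce the
# "unable to verify the first certificate" case locally and show that
# trusting the issuing CA via -CAfile turns the verify return code into 0.
# All subjects, file names and the port are constructed for this demo.
set -eu

WORK=$(mktemp -d)
PORT=14433

# 1. Constructed private CA (plays the role of the cluster CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/O=Demo Cluster Manager CA/CN=Demo CA" >/dev/null 2>&1

# 2. Node certificate signed by that CA (the equivalent of a "PVE Cluster Node" cert).
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" \
    -subj "/OU=Demo Cluster Node/CN=node1.demo.test" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/node.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/node.pem" >/dev/null 2>&1

# 3. TLS server that sends only the leaf certificate, no chain. -www makes it
#    answer like a tiny HTTPS server and keep accepting connections.
openssl s_server -accept "$PORT" -www \
    -cert "$WORK/node.pem" -key "$WORK/node.key" >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"' EXIT

# Wait until the server accepts connections (s_client exits 0 once a
# handshake completes, even if certificate verification fails).
tries=0
while ! openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 15 ] || { echo "demo server did not start" >&2; exit 1; }
    sleep 1
done

# verify_rc CAFILE
#   Runs the same check as the thread's openssl s_client call and prints only
#   the number from the first "Verify return code: N (...)" line.
#   CAFILE = path of a CA bundle to trust, or "" for the default store only.
verify_rc() {
    cafile=$1
    if [ -n "$cafile" ]; then
        out=$(openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$cafile" \
              </dev/null 2>&1 || true)
    else
        out=$(openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>&1 || true)
    fi
    printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

echo "default trust store only : verify return code $(verify_rc "")"
echo "with the issuing CA file : verify return code $(verify_rc "$WORK/ca.pem")"
```

The first call reproduces the thread's result (return code 21) because the leaf's issuer is unknown to the default store; the second returns 0 because the CA that issued the node certificate is now trusted. In the thread's setup the `-CAfile` argument corresponds to what the solution did: trusting the PVE cluster CA (the `O = PVE Cluster Manager CA` issuer shown in the `i:` line of the output) in the Checkmk site's certificate store, rather than disabling verification.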
