Unable to install Pi-Hole (curl: (60) SSL certificate problem)

yalpski · August 15, 2018, 6:09pm

Please follow the below template, it will help us to help you!

Expected Behaviour:

Attempting to install pi-hole with the provided curl command

Actual Behaviour:

Receive the error:

curl -sSL https://install.pi-hole.net | bash

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I have visited the page linked in the error, but it does not seem applicable to my setup. I'm running a pretty simple Ubuntu 18 server, not behind any sort of proxy.

Debug Token:

I have no debug token as the install will not progress.

deHakkelaar · August 15, 2018, 6:15pm

Add the -k option to ignore cert errors (normally not recommended):

curl -sSLk https://install.pi-hole.net | bash

But it sounds like your root CA certs needs an update:

pi@noads:~ $ apt-cache policy ca-certificates
ca-certificates:
  Installed: 20141019+deb8u3
  Candidate: 20141019+deb8u4
  Version table:
     20141019+deb8u4 0
        500 http://mirrordirector.raspbian.org/raspbian/ jessie/main armhf Packages
 *** 20141019+deb8u3 0
        100 /var/lib/dpkg/status

yalpski · August 15, 2018, 6:27pm

Thanks for the quick reply. I had tried the -k option with no success before but decided to give it another shot. First though, the output from your cert suggestion:

Server:~$ apt-cache policy ca-certificates
ca-certificates:
  Installed: 20180409
  Candidate: 20180409
  Version table:
 *** 20180409 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/main i386 Packages
        100 /var/lib/dpkg/status

Server:~$ curl -sSLk https://install.pi-hole.net | bash
bash: line 1: timestamp:1534357370329: command not found

Any thoughts?

deHakkelaar · August 15, 2018, 6:33pm

Nope.
But try these two and post results:

pi@noads:~ $ host install.pi-hole.net
install.pi-hole.net is an alias for guinan.pi-hole.io.
guinan.pi-hole.io has address 78.46.180.80
guinan.pi-hole.io has IPv6 address 2a01:4f8:1c17:4605::1

pi@noads:~ $ echo | openssl s_client -connect install.pi-hole.net:443 2>/dev/null | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f9:0a:f7:ef:4a:29:0f:f8:7e:90:cd:57:86:1c:47:e7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=TRAEFIK DEFAULT CERT
        Validity
            Not Before: Aug  8 17:13:19 2018 GMT
            Not After : Aug  8 17:13:19 2019 GMT
        Subject: CN=TRAEFIK DEFAULT CERT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:1d:58:c6:ba:15:69:8c:29:bb:cf:f0:76:7b:
                    8f:d6:31:55:08:4d:ad:41:de:1a:95:52:8b:d0:b3:
                    11:a6:b5:18:7b:46:35:0b:6e:3a:2d:8e:50:39:a1:
                    47:9f:69:c9:ba:a0:59:39:1e:7d:ab:ae:87:42:9c:
                    8c:7f:3a:12:cf:19:6e:0b:a6:a8:ee:a2:27:7c:ea:
                    42:c4:8e:25:de:de:01:5c:a8:6e:b9:96:56:4c:ad:
                    fa:9b:50:79:48:f5:da:4a:dd:77:74:9a:81:4c:59:
                    03:1c:6d:8c:00:aa:8c:87:46:51:a1:9c:e8:d5:d1:
                    16:e9:a2:ca:a7:a7:85:9f:4b:5d:0c:64:14:39:23:
                    b9:78:70:2e:64:80:7d:a3:d4:44:38:c7:b3:30:ce:
                    a3:dd:7f:2c:8c:58:53:40:0c:34:d1:97:48:c6:de:
                    ac:69:98:ba:bb:27:9c:60:c5:3b:52:7a:cb:77:85:
                    1c:11:61:38:8a:19:62:9b:fd:20:4b:64:fc:1a:11:
                    4e:ca:fa:b7:55:8e:9e:18:eb:6c:95:df:b2:29:18:
                    13:3d:d6:83:3d:2a:39:3f:90:43:27:0d:ef:df:ed:
                    a1:32:52:46:48:81:5f:e5:74:7b:3a:2a:b8:80:9c:
                    31:a2:97:21:5b:f4:07:66:64:f7:03:d4:b8:a1:0b:
                    09:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:9ecda337e2464963c87784c9ad37a652.5b75f887e8fa87300afdc7905c1fd723.traefik.default
    Signature Algorithm: sha256WithRSAEncryption
         64:39:b8:62:6b:04:d3:42:4a:b2:66:c2:df:18:b2:c2:73:61:
         68:86:f5:e1:a3:ed:ef:82:ff:2c:93:e7:0b:b8:2c:86:bf:f4:
         23:37:6d:83:f3:c9:08:06:29:b3:e5:89:2c:2f:29:a5:d8:27:
         14:5b:1d:a3:d0:3f:ed:fb:27:6f:d5:77:cb:46:c4:05:3d:b5:
         1c:51:5f:32:e9:a1:68:31:12:56:0b:4b:dd:2a:32:18:b5:8a:
         1d:e2:74:b0:8c:fb:08:ce:0b:ee:56:a4:cb:53:0f:f5:ca:91:
         79:33:63:24:6d:5e:17:9b:a4:52:c1:85:0d:19:c9:a9:46:09:
         0d:f4:dc:0c:52:db:c1:0a:ac:52:17:f8:a5:5d:c6:99:e0:bf:
         37:4b:d3:3b:76:04:fd:f0:51:04:34:58:6e:74:58:1d:15:88:
         e9:4b:01:ff:68:a9:0b:76:37:ea:6f:07:83:65:b5:28:5a:7b:
         71:4d:89:73:d7:43:fb:19:76:f1:e8:a8:5c:18:63:4c:b2:b4:
         f2:b7:de:ca:50:2a:99:86:70:90:49:c1:34:d2:b2:87:ab:83:
         37:6b:44:4d:d9:89:8d:64:e6:46:e2:19:78:96:95:c2:48:2d:
         c2:6b:0f:47:d3:36:51:dd:cd:03:26:b9:ac:ff:46:4f:d6:d1:
         20:2f:ba:f2

And check date time with:

date

yalpski · August 15, 2018, 6:37pm

Here is what i get:

Server:~$ date
Wed Aug 15 14:34:45 EDT 2018

Server:~$ host install.pi-hole.net
install.pi-hole.net is an alias for guinan.pi-hole.io.
guinan.pi-hole.io has address 78.46.180.80
guinan.pi-hole.io has IPv6 address 2a01:4f8:1c17:4605::1

Server:~$ echo | openssl s_client -connect install.pi-hole.net:443 2>/dev/null | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f9:0a:f7:ef:4a:29:0f:f8:7e:90:cd:57:86:1c:47:e7
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = TRAEFIK DEFAULT CERT
        Validity
            Not Before: Aug  8 17:13:19 2018 GMT
            Not After : Aug  8 17:13:19 2019 GMT
        Subject: CN = TRAEFIK DEFAULT CERT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:1d:58:c6:ba:15:69:8c:29:bb:cf:f0:76:7b:
                    8f:d6:31:55:08:4d:ad:41:de:1a:95:52:8b:d0:b3:
                    11:a6:b5:18:7b:46:35:0b:6e:3a:2d:8e:50:39:a1:
                    47:9f:69:c9:ba:a0:59:39:1e:7d:ab:ae:87:42:9c:
                    8c:7f:3a:12:cf:19:6e:0b:a6:a8:ee:a2:27:7c:ea:
                    42:c4:8e:25:de:de:01:5c:a8:6e:b9:96:56:4c:ad:
                    fa:9b:50:79:48:f5:da:4a:dd:77:74:9a:81:4c:59:
                    03:1c:6d:8c:00:aa:8c:87:46:51:a1:9c:e8:d5:d1:
                    16:e9:a2:ca:a7:a7:85:9f:4b:5d:0c:64:14:39:23:
                    b9:78:70:2e:64:80:7d:a3:d4:44:38:c7:b3:30:ce:
                    a3:dd:7f:2c:8c:58:53:40:0c:34:d1:97:48:c6:de:
                    ac:69:98:ba:bb:27:9c:60:c5:3b:52:7a:cb:77:85:
                    1c:11:61:38:8a:19:62:9b:fd:20:4b:64:fc:1a:11:
                    4e:ca:fa:b7:55:8e:9e:18:eb:6c:95:df:b2:29:18:
                    13:3d:d6:83:3d:2a:39:3f:90:43:27:0d:ef:df:ed:
                    a1:32:52:46:48:81:5f:e5:74:7b:3a:2a:b8:80:9c:
                    31:a2:97:21:5b:f4:07:66:64:f7:03:d4:b8:a1:0b:
                    09:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:9ecda337e2464963c87784c9ad37a652.5b75f887e8fa87300afdc7905c1fd723.traefik.default
    Signature Algorithm: sha256WithRSAEncryption
         64:39:b8:62:6b:04:d3:42:4a:b2:66:c2:df:18:b2:c2:73:61:
         68:86:f5:e1:a3:ed:ef:82:ff:2c:93:e7:0b:b8:2c:86:bf:f4:
         23:37:6d:83:f3:c9:08:06:29:b3:e5:89:2c:2f:29:a5:d8:27:
         14:5b:1d:a3:d0:3f:ed:fb:27:6f:d5:77:cb:46:c4:05:3d:b5:
         1c:51:5f:32:e9:a1:68:31:12:56:0b:4b:dd:2a:32:18:b5:8a:
         1d:e2:74:b0:8c:fb:08:ce:0b:ee:56:a4:cb:53:0f:f5:ca:91:
         79:33:63:24:6d:5e:17:9b:a4:52:c1:85:0d:19:c9:a9:46:09:
         0d:f4:dc:0c:52:db:c1:0a:ac:52:17:f8:a5:5d:c6:99:e0:bf:
         37:4b:d3:3b:76:04:fd:f0:51:04:34:58:6e:74:58:1d:15:88:
         e9:4b:01:ff:68:a9:0b:76:37:ea:6f:07:83:65:b5:28:5a:7b:
         71:4d:89:73:d7:43:fb:19:76:f1:e8:a8:5c:18:63:4c:b2:b4:
         f2:b7:de:ca:50:2a:99:86:70:90:49:c1:34:d2:b2:87:ab:83:
         37:6b:44:4d:d9:89:8d:64:e6:46:e2:19:78:96:95:c2:48:2d:
         c2:6b:0f:47:d3:36:51:dd:cd:03:26:b9:ac:ff:46:4f:d6:d1:
         20:2f:ba:f2

deHakkelaar · August 15, 2018, 6:40pm

That looks all good.
But I have no idea why the SSL error

EDIT: hold on, this bit is weird and could mean a cert error on the Pi-hole web end ????
Validity
Not Before: Aug 8 17:13:19 2018 GMT
Not After : Aug 8 17:13:19 2019 GMT

~~Maybe a @webmaster can have a looksee ???~~

EDIT2: I was wrong and missed out on the year (expecting letsencrypt validity period) ... oops

yalpski · August 15, 2018, 6:52pm

Yea, given that I'm getting the same results you are I can't figure out why I'm seeing an SSL error, and why disabling the certificate check leads to an issue with the downloaded file. It's very strange!

system · September 5, 2018, 7:01pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.