Broken certificates in the ESIA?

This morning, on all platforms integrated with ESIA (OAuth), token requests started failing with the error "cURL error 60: SSL certificate problem: unable to get local issuer certificate".

Checking the peer certificate of esia.gosuslugi.ru showed that the certificate cannot be verified:

$ openssl s_client -connect esia.gosuslugi.ru:443 -CAfile cacert.pem 
CONNECTED(00000003)
depth=0 C = de, postalCode = 125375, ST = Moscow, L = Moscow, St = 7 ul. Tverskaya, O = "MINKOMSVYAZ ROSSII, FKU", OU = IT, OU = PremiumSSL Wildcard, CN = *.gosuslugi.ru
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = de, postalCode = 125375, ST = Moscow, L = Moscow, St = 7 ul. Tverskaya, O = "MINKOMSVYAZ ROSSII, FKU", OU = IT, OU = PremiumSSL Wildcard, CN = *.gosuslugi.ru
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = de, postalCode = 125375, ST = Moscow, L = Moscow, St = 7 ul. Tverskaya, O = "MINKOMSVYAZ ROSSII, FKU", OU = IT, OU = PremiumSSL Wildcard, CN = *.gosuslugi.ru
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=RU/postalCode=125375/ST=Moscow/L=Moscow/street=7 ul. Tverskaya/O=MINKOMSVYAZ ROSSII, FKU/OU=IT/OU=PremiumSSL Wildcard/CN=*.gosuslugi.ru
 i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
Server certificate
subject=/C=RU/postalCode=125375/ST=Moscow/L=Moscow/street=7 ul. Tverskaya/O=MINKOMSVYAZ ROSSII, FKU/OU=IT/OU=PremiumSSL Wildcard/CN=*.gosuslugi.ru
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1672 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
 Protocol : TLSv1.2
 Cipher : AES256-SHA
 Session-ID: DB90250B5E95AFAC7AEFF02B7EA71014A0EA42BBB266BC7764AFF2E2B0BDD218
 Session-ID-ctx: 
 Master-Key: 9197568D1B0D7136771D1788C6737F01EC9C3A194F2523C995E9C5BC0E6978C4845B85D933ADE7CFCA29CD4C091C3000
 Key-Arg : None
 Krb5 Principal: None
 PSK identity: None
 PSK identity hint: None
 Start Time: 1553665575
 Timeout : 300 (sec)
 Verify return code: 21 (unable to verify the first certificate)


As far as I understand, there are two solutions:
  1. Disable SSL certificate validation in curl - very bad
  2. Install the "needed" certificate on each hosting for each site - not ideal, since some platforms are hosted on shared hosting


Has anyone encountered this problem, and how did you solve it?
March 19th 20 at 08:46
1 answer
March 19th 20 at 08:48
Solution
The issuer's root certificate was not found among the trusted ones. I really don't believe that Comodo could be the problem, and the command
openssl s_client -connect esia.gosuslugi.ru:443
detected no problems. Maybe it has already been fixed?
Yes, indeed, it works :) How likely is it that this problem could happen again? - Kenyon_Runolfsdottir6 commented on March 19th 20 at 08:51
@Kenyon_Runolfsdottir6, that is a question for Comodo :) Or for the ESIA administrators, if they missed updating the Comodo root. - kraig.Gottlieb commented on March 19th 20 at 08:54
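
A way to turn the s_client output quoted in the question into a concrete diagnosis, instead of choosing between the two options listed there (added example, not code from this thread; SAMPLE is a constructed, shortened excerpt of the quoted output, and the error-code mapping also covers the untrusted-root case the answer describes, not only the missing-intermediate case shown):

```python
import re

# Constructed excerpt of the `openssl s_client` output quoted in the question
# (chain block plus verify result; DNs shortened).
SAMPLE = """\
 0 s:/C=RU/O=MINKOMSVYAZ ROSSII, FKU/CN=*.gosuslugi.ru
   i:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""
SUBJECT_RE = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
CODE_RE = re.compile(r"Verify return code: (\d+)")

def common_name(dn):
    """Pull the CN out of an OpenSSL-style '/C=../O=../CN=..' DN string."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else dn

def parse_chain(output):
    """Certificates the server actually sent, as (subject, issuer) tuples in order."""
    chain = []
    for line in output.splitlines():
        s = SUBJECT_RE.match(line)
        if s:
            chain.append([s.group(1).strip(), ""])
        else:
            i = ISSUER_RE.match(line)
            if i and chain and not chain[-1][1]:
                chain[-1][1] = i.group(1).strip()
    return [tuple(c) for c in chain]

def diagnose(output):
    """Classify why chain validation failed, instead of switching it off."""
    chain = parse_chain(output)
    m = CODE_RE.search(output)
    code = int(m.group(1)) if m else None
    res = {"code": code, "sent": len(chain), "cause": "other", "missing_issuer": None}
    if code == 0 or not chain:
        res["cause"] = "ok" if code == 0 else "no_chain"
        return res
    if chain[-1][0] != chain[-1][1]:  # no self-signed root among what was sent
        res["missing_issuer"] = common_name(chain[-1][1])
    if code == 21 and len(chain) == 1:
        # Only the leaf arrived: the intermediate that signed it is missing, so no
        # local bundle can bridge leaf -> root. The server must send the full chain;
        # the client-side workaround is to add that intermediate to its CA bundle.
        res["cause"] = "incomplete_chain"
    elif code in (20, 27):
        # Chain was sent but its top issuer is not in the local bundle (cacert.pem):
        # refresh the bundle or add that known root explicitly.
        res["cause"] = "issuer_not_trusted"
    return res
```

On the quoted output this reports one certificate sent, cause `incomplete_chain`, and names the missing issuer, which is the check to run before touching curl's verification settings.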
