OpenSSL is not working with local root certificate
The OpenSSL version shipped by Freedesktop SDK is not able to use a Root CA from the System inside the Flatpak Sandbox. I'm using Arch Linux on my host System. p11-kit is installed. GnuTLS is working inside the Flatpak Sandbox, so the error is in OpenSSL.
The test setup:
- Create a new Root CA
- Create a new Certificate for localhost and sign it with the Root CA
- Add the Root CA with sudo trust anchor --store
- Set up Nginx with the Certificate for localhost.
Terminal output
[jakob@Jakobs-PC ~]$ curl -v https://localhost
* Host localhost:443 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:443...
* connect to ::1 port 443 from ::1 port 43320 failed: Verbindungsaufbau abgelehnt
* Trying 127.0.0.1:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=DE; ST=Some-State; O=JakobDev; CN=localhost; emailAddress=jakobdev@gmx.de
* start date: Sep 6 09:13:37 2025 GMT
* expire date: Jan 19 09:13:37 2027 GMT
* common name: localhost (matched)
* issuer: C=DE; ST=Some-State; O=JakobDev; CN=JakobDev; emailAddress=jakobdev@gmx.de
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to localhost (127.0.0.1) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.15.0
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< Server: nginx/1.28.0
< Date: Thu, 18 Sep 2025 15:20:23 GMT
< Content-Type: text/html
< Content-Length: 615
< Last-Modified: Sun, 13 Jul 2025 18:15:46 GMT
< Connection: keep-alive
< ETag: "6873f7d2-267"
< Accept-Ranges: bytes
<
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
* Connection #0 to host localhost left intact
[jakob@Jakobs-PC ~]$ flatpak run --share=network --command=bash org.freedesktop.Sdk//25.08
[📦 org.freedesktop.Sdk ~]$ curl -v https://localhost
* Host localhost:443 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:443...
* connect to ::1 port 443 from ::1 port 51012 failed: Verbindungsaufbau abgelehnt
* Trying 127.0.0.1:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
[📦 org.freedesktop.Sdk ~]$ openssl s_client -connect localhost:443
Connecting to 127.0.0.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=DE, ST=Some-State, O=JakobDev, CN=localhost, emailAddress=jakobdev@gmx.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=DE, ST=Some-State, O=JakobDev, CN=localhost, emailAddress=jakobdev@gmx.de
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=DE, ST=Some-State, O=JakobDev, CN=localhost, emailAddress=jakobdev@gmx.de
verify return:1
Certificate chain
^C
0 s:C=DE, ST=Some-State, O=JakobDev, CN=localhost, emailAddress=jakobdev@gmx.de
i:C=DE, ST=Some-State, O=JakobDev, CN=JakobDev, emailAddress=jakobdev@gmx.de
a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption
v:NotBefore: Sep 6 09:13:37 2025 GMT; NotAfter: Jan 19 09:13:37 2027 GMT
Server certificate
subject=C=DE, ST=Some-State, O=JakobDev, CN=localhost, emailAddress=jakobdev@gmx.de
issuer=C=DE, ST=Some-State, O=JakobDev, CN=JakobDev, emailAddress=jakobdev@gmx.de
^C
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Negotiated TLS1.3 group: X25519MLKEM768
SSL handshake has read 2833 bytes and written 1604 bytes
Verification error: unable to verify the first certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C732F2B28521E839CF90206DBCFFEDC914B5F3807B03C97C2B2C58EBFBAABE72
Session-ID-ctx:
Resumption PSK: F6B0D3A73BD05E8C6D13A573A6CCFA7B689AF46A76511C6BDDA3DCCB11508A0C42856B29212931AFFB196070C335FF7A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1758208869
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
read R BLOCK
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3CD4366F50663DC2928809CB328FD96F7275C28ADC7A84FE0751244903DE41BE
Session-ID-ctx:
Resumption PSK: DE20A6C44A99BDB7388079ADD73DD3642E9C198FC95F4E97CCCEC0361467A81128CCF63679B01D7E91E638A58B8F2C98
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1758208869
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
read R BLOCK
^C
[📦 org.freedesktop.Sdk ~]$ gnutls-cli localhost:443
Processed 179 CA certificate(s).
Resolving 'localhost:443'...
Connecting to '::1:443'...
Connecting to '127.0.0.1:443'...
Certificate type: X.509
Got a certificate list of 1 certificates.
Certificate[0] info:
subject EMAIL=jakobdev@gmx.de,CN=localhost,O=JakobDev,ST=Some-State,C=DE', issuer EMAIL=jakobdev@gmx.de,CN=JakobDev,O=JakobDev,ST=Some-State,C=DE', serial 0x1ec7710c099ee884a31552e1172b0158e09ee39e, RSA key 2048 bits, signed using RSA-SHA256, activated 2025-09-06 09:13:37 UTC', expires 2027-01-19 09:13:37 UTC', pin-sha256="++baMrGHhfcTpI5UVn+P9G2wGcz5KkS2IQABpsw0wLs="
Public Key ID:
sha1:2b9ece2a7e2a0da4c25ad3148ba2a776ddd51c0b
sha256:fbe6da32b18785f713a48e54567f8ff46db019ccf92a44b6210001a6cc34c0bb
Public Key PIN:
pin-sha256:++baMrGHhfcTpI5UVn+P9G2wGcz5KkS2IQABpsw0wLs=
Status: The certificate is trusted.
Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Session ID: 4E:28:36:17:4D:C0:1D:2D:ED:83:81:B8:DC:0B:10:3C:C5:9A:69:27:7C:9C:18:40:25:C2:A9:F8:7B:55:27:35
Options:
Handshake was completed
Simple Client Mode:
^C
[📦 org.freedesktop.Sdk ~]$