Okay, tcpdump revealed that we die in TLS…
echo -e "GET / HTTP/1.1\r\nHost: dokuwiki.org\r\nConnection: Close\r\n\r\n" | openssl s_client -host dokuwiki.org -port 443 -verify 5
Processing…
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=2:unable to get issuer certificate
issuer= O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
issuer= C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=0 CN = dokuwiki.org
issuer= C = US, O = Let's Encrypt, CN = R3
verify return:1
---
Certificate chain
0 s:CN = dokuwiki.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHXjCCBkagAwIBAgISA9/aAoAuTxWcKKEejzmk2+wwMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA4MjIwMzMwMzlaFw0yMzExMjAwMzMwMzhaMBcxFTATBgNVBAMT
DGRva3V3aWtpLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMTW
c/tLwKc4T2NpUfaMVzbzHSnUxc1gjPmCErkK2qv07o3YXoV8twIRDsXF3VKmzNaJ
3EMjYaAUvj9L2nuIKJysfw5j5OygViLGG9QUf3Y+Ep3yte1Ech8uflRkO9tGarnJ
OGNnFLyhHLBl2RyAiaGpfPsvuxbGBg9CIKdBj1JHbnT1rhedO78BCB+U8qdonje9
/IIp6z6vaQUUobhqo4cpwKu77JEQq4WnG9YTA5tcY5OefROXE9rpIKvKuXfz/6El
zTtXYojKlx8xAzXtMIui2FgKKsW/qdDu3JkiS/tTta0j17h/Dtip9IjRPhMwTIfq
r0h1Kawfg4hio02T5Qi+lgYaOn6nTwHP8k/lBrZnTVNLA2UBRsRYpwSzzN0qNEUr
EjX9zADJ2I0QmV2H+LCpFLw8MQcxIDGu7YMMhxGpC1qKCy/ImYRlU4F264Yx7Zhg
RTDT8R3781lpBnUvz9arR9aUAtYydWXkHbd4uVRTOQP2JVOG+UVag3AkRMsOHpvL
QdSxZgHx0nI7ESmtbmQ52IpE58CpiYf0LhkS7xYIk2a0SHEPUPJT4iNDBAC06bZW
TdxCS+9y6+axOyHruGO6S9o4J/q9dZdI35ure+aP1uX0I1pOWTXMXGa8C8jPCNbR
cNKtCKohjw+/folYcZKb/fPwLwACrdfuzMoDOb/RAgMBAAGjggOHMIIDgzAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFH3ywwBSC74OdmKcW8wcSXAiOpvbMB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMIIBjgYDVR0RBIIBhTCCAYGCEWJ1Z3MuZG9rdXdpa2ku
b3Jnghdjb2Rlc2VhcmNoLmRva3V3aWtpLm9yZ4IJZG9rdS53aWtpggxkb2t1d2lr
aS5vcmeCE2RvbmF0ZS5kb2t1d2lraS5vcmeCFWRvd25sb2FkLmRva3V3aWtpLm9y
Z4ISZm9ydW0uZG9rdXdpa2kub3JnghBpcmMuZG9rdXdpa2kub3JnghNpcmNsb2cu
ZG9rdXdpa2kub3JnghJwaWdneS5kb2t1d2lraS5vcmeCFnBsdWdpbndpei5kb2t1
d2lraS5vcmeCGXBsdWdpbndpemFyZC5kb2t1d2lraS5vcmeCE3NlYXJjaC5kb2t1
d2lraS5vcmeCEnRyYW5zLmRva3V3aWtpLm9yZ4IWdHJhbnNsYXRlLmRva3V3aWtp
Lm9yZ4ITdXBkYXRlLmRva3V3aWtpLm9yZ4IRd2lraS5kb2t1d2lraS5vcmeCEHd3
dy5kb2t1d2lraS5vcmeCEXhyZWYuZG9rdXdpa2kub3JnMBMGA1UdIAQMMAowCAYG
Z4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAtz77JN+cTbp18jnFulj0
bF38Qs96nzXEnh0JgSXttJkAAAGKG4JP5QAABAMARjBEAiBJLX+2B446Dnqcrn0c
K1HNXN+e+FCuMeh/1TBEHu1EAAIgY7xubO5G6PuLKrtQ87ynjiJdaTK2R8qMjdbr
vdnuFksAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1LrUgAAAYobglCA
AAAEAwBIMEYCIQDoHyvQafxyl92xMHHkXSYGYlLbHDrIz2nMFj6n+jgouAIhAMIo
VfbiaCn0R1Z2EOQ5Y0QlLBEHOGq7mU7M7YkU1F6wMA0GCSqGSIb3DQEBCwUAA4IB
AQB+R6Dig/2JvPAefuDI9wOTX2m4DPgZiNhluTIXlX/v/7rtqZYS5OPd1AOqv7ES
8IWHBR4epyyIoY4juoRsFwEkMwoG+yclefh/5ZOOop/0XtNpInOSFPA6aVj77665
y5r/hjmrXknecGXTEU4RkSQna0wtwfMktKE2hC2lbQZIzCQy310Szo0AeG+FkIA0
Ny0qmG1acesl7N5RLRhThuM8kYDPJp1buZfnlOj+fIZVbsEMXKDlyin7eonBex1/
dGG5X3jxrsMctCL4bZxkBvFaGpHXiVi9AFtOBO31r3t5U9ZZ5m1s4uyJEkr1cmEx
TJ398K5cDmWRDJj994RmVDJr
-----END CERTIFICATE-----
subject=CN = dokuwiki.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5402 bytes and written 402 bytes
Verification error: unable to get issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 2 (unable to get issuer certificate)
---
DONE
Now we need to know why, exactly.