Bug#976836: libgnutls30: 3.7.0-3 fails to connect on debian.ethz.ch

Andreas Metzler ametzler at bebt.de
Tue Dec 8 13:55:54 GMT 2020


On 2020-12-08 Jonathan Ballet <jon at multani.info> wrote:
> Package: libgnutls30
> Version: 3.7.0-3
> Severity: critical
> Justification: breaks unrelated software

> Dear Maintainer,

> I updated gnutls to 3.7.0-3 this morning, then apt was unable to connect to
> the Debian mirror https://debian.ethz.ch/debian/:

> $ sudo apt update
> Ign:1 https://debian.ethz.ch/debian sid InRelease
> Err:2 https://debian.ethz.ch/debian sid Release
>   Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 129.132.53.171 443]
> Reading package lists... Done
[...]

Hello Jonathan,

afaict the server is misconfigured:

---------------------
(sid)ametzler at argenau:$ gnutls-cli debian.ethz.ch < /dev/null 2>&1 | grep -A1 '^- Certificate'
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=plattenberg.ethz.ch', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03303e4ec324a9667915ae5fb3383255b202, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-17 13:03:43 UTC', expires `2021-02-15 13:03:43 UTC', pin-sha256="7qwNrAIqODvrEwByZ0mAMpm2PROcvYK/BNpYTBzSzfA="
--
- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
---------------------

The certificate chain sent by the server consists of 3 certificates, but
not every following certificate directly certifies the one preceding it.
- Certificate[1] and Certificate[2] are identical.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
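
The ordering rule described in the message above, as an added example that is not part of the original e-mail or of GnuTLS: Python that parses `gnutls-cli` certificate lines and reports duplicates and places where the next certificate is not the issuer of the previous one. The function names are hypothetical, the sample lines are shortened from the output quoted above, and the check compares names only (it does not verify signatures).

```python
import re

LE_X3 = "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
DST_X3 = "CN=DST Root CA X3,O=Digital Signature Trust Co."

def _line(i, subject, issuer, serial):
    # Constructed sample line in gnutls-cli's layout; key size, dates and pin dropped.
    return (f"- Certificate[{i}] info:\n - subject `{subject}', "
            f"issuer `{issuer}', serial {serial}, signed using RSA-SHA256\n")

# Constructed sample: subjects, issuers and serials taken from the quoted output.
SAMPLE = (
    _line(0, "CN=plattenberg.ethz.ch", LE_X3, "0x03303e4ec324a9667915ae5fb3383255b202")
    + _line(1, LE_X3, DST_X3, "0x0a0141420000015385736a0b85eca708")
    + _line(2, LE_X3, DST_X3, "0x0a0141420000015385736a0b85eca708")
)

# DNs may contain apostrophes ("Let's"), so anchor on the full "', issuer `" separator.
CERT_RE = re.compile(r"subject `(.*?)', issuer `(.*?)', serial (0x[0-9a-fA-F]+)")

def parse_chain(text):
    """Return [(subject, issuer, serial), ...] in the order the server sent them."""
    return [m.groups() for m in CERT_RE.finditer(text)]

def check_chain(chain):
    """Return a list of ordering problems found in a server-sent chain."""
    problems = []
    seen = {}
    for i, (subject, issuer, serial) in enumerate(chain):
        key = (issuer, serial)  # issuer name plus serial identifies a certificate
        if key in seen:
            problems.append(f"Certificate[{i}] duplicates Certificate[{seen[key]}]")
        else:
            seen[key] = i
        # Name chaining only: the next certificate's subject must be this issuer.
        if i + 1 < len(chain) and chain[i + 1][0] != issuer:
            problems.append(
                f"Certificate[{i + 1}] is not the issuer of Certificate[{i}]")
    return problems

if __name__ == "__main__":
    for problem in check_chain(parse_chain(SAMPLE)):
        print(problem)
```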


