Bug#1007138: libgnutls30: fails on Let's Encrypt chains due to blacklisted expired root certificate

Jean Parpaillon jean at parpaillon.info
Fri Aug 26 12:58:30 BST 2022


I think this issue also affects communicating with netfilter.org:

$ gnutls-cli  netfilter.org
Processed 127 CA certificate(s).
Resolving 'netfilter.org:443'...
Connecting to '92.243.18.11:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0330e74e9bb6f125ade3afb49b7c8d47d0ee, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-07-10 21:33:49 UTC', expires `2022-10-08 21:33:48 UTC', pin-sha256="1E+Rv29dI0tS3XaAhXc8qjGHah4UCYzzBpTpG1Mar28="
	Public Key ID:
		sha1:ac3fc835851d492debd58a41df39d1adfcb12292
		sha256:d44f91bf6f5d234b52dd768085773caa31876a1e14098cf30694e91b531aaf6f
	Public Key PIN:
		pin-sha256:1E+Rv29dI0tS3XaAhXc8qjGHah4UCYzzBpTpG1Mar28=

- Certificate[1] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0330e74e9bb6f125ade3afb49b7c8d47d0ee, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-07-10 21:33:49 UTC', expires `2022-10-08 21:33:48 UTC', pin-sha256="1E+Rv29dI0tS3XaAhXc8qjGHah4UCYzzBpTpG1Mar28="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.



-- 
Jean Parpaillon
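
A triage aid for output like the above, as an added example that is not part of the original message or of GnuTLS: it parses the subject/issuer/serial fields that gnutls-cli prints, lists certificates sent twice, and shows where the sent chain first reaches a name held in the local trust store. The function names and the contents of `TRUSTED` (a store holding ISRG Root X1 but not DST Root CA X3) are assumptions; matching is by distinguished name only.

```python
import re

# Abridged from the gnutls-cli output in the message above, mail wrapping kept.
SAMPLE = """\
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x0330e74e9bb6f125ade3afb49b7c8d47d0ee, RSA key 2048 bits,
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x0330e74e9bb6f125ade3afb49b7c8d47d0ee, RSA key 2048 bits,
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root
X1,O=Internet Security Research Group,C=US', serial
0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US',
issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial
0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using
"""

# Assumption: subject DNs present in the local trust store (constructed).
TRUSTED = {"CN=ISRG Root X1,O=Internet Security Research Group,C=US"}

CERT_RE = re.compile(
    r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', "
    r"serial (?P<serial>0x[0-9a-f]+)"
)

def parse_chain(text):
    """Return the certificates in sent order; tolerates mail line wrapping."""
    flat = re.sub(r"\s+", " ", text)
    return [m.groupdict() for m in CERT_RE.finditer(flat)]

def diagnose(chain, trusted_dns):
    """Name-based triage only: no signatures or validity dates are checked."""
    seen, dups = set(), []
    for i, cert in enumerate(chain):
        key = (cert["issuer"], cert["serial"])
        if key in seen:
            dups.append(i)  # same issuer and serial as an earlier entry
        seen.add(key)
    anchored = [i for i, c in enumerate(chain) if c["issuer"] in trusted_dns]
    return {
        "duplicates": dups,
        "top_issuer": chain[-1]["issuer"] if chain else None,
        "top_issuer_trusted": bool(chain) and chain[-1]["issuer"] in trusted_dns,
        "first_anchored": anchored[0] if anchored else None,
    }

if __name__ == "__main__":
    for field, value in diagnose(parse_chain(SAMPLE), TRUSTED).items():
        print(f"{field}: {value}")
```

With this store, `first_anchored` is 2: Certificate[2] names an issuer the store holds, while the last certificate sent points at an issuer it does not.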


