Bug#1007138: libgnutls30: fails on Let's Encrypt chains due to blacklisted expired root certificate
Paul Gevers
elbrus at debian.org
Fri Mar 11 21:00:48 GMT 2022
Package: libgnutls30
Version: 3.7.3-4+b1
Severity: normal
Dear maintainers,
Recently ca-certificates 20211016 migrated to testing which included
the following change:
* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
As can be read here [1], Let's Encrypt certificates are signed by a
certificate (1) that's signed by that blacklisted certificate. By now
that intermediate certificate is widespread as a trusted CA and
indeed it's available in Debian. However, since ca-certificates
migrated, liferea, which uses libsoup, which uses libgnutls30, fails to
collect my RSS feeds from ci.debian.net. This seems to only be a
problem with libgnutls30, as firefox-esr and curl work just
fine. (wget also uses libgnutls30 and fails.) It seems that until
ca-certificates migrated, libgnutls30 just fell back to the expired
certificate.
Paul
paul at mulciber ~ $ openssl x509 -in /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Jun 4 11:04:38 2015 GMT
Not After : Jun 4 11:04:38 2035 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
<cut here>
paul at mulciber ~ $ gnutls-cli ci.debian.net
Processed 127 CA certificate(s).
Resolving 'ci.debian.net:443'...
Connecting to '52.34.117.196:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
Public Key ID:
sha1:344bd3eb5105d3b830dd87f6f5e4435e8aacdf6d
sha256:ad60bf96ef3f8a50d84279e45abf4950fdd3852ae9e4f8b4f211575afde1effa
Public Key PIN:
pin-sha256:rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o=
- Certificate[1] info:
- subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
- Certificate[2] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.16.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libgnutls30 depends on:
ii libc6 2.33-7
ii libgmp10 2:6.2.1+dfsg-3
ii libhogweed6 3.7.3-1
ii libidn2-0 2.3.2-2
ii libnettle8 3.7.3-1
ii libp11-kit0 0.24.0-6
ii libtasn1-6 4.18.0-4
ii libunistring2 1.0-1
libgnutls30 recommends no packages.
Versions of packages libgnutls30 suggests:
ii gnutls-bin 3.7.3-4+b1
-- no debconf information
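The following is an added illustration, not code from this report or from GnuTLS: it models the chain printed by gnutls-cli above as subject/issuer names only (no signature checking) and contrasts a path builder that walks to the end of the presented chain with one that stops as soon as a certificate's issuer is already a trust anchor. The names are the ones in the gnutls-cli output; the trust stores are constructed to mirror ca-certificates before and after "DST Root CA X3" was blacklisted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


ISRG_ROOT_X1 = "CN=ISRG Root X1,O=Internet Security Research Group,C=US"
DST_ROOT_CA_X3 = "CN=DST Root CA X3,O=Digital Signature Trust Co."

# Constructed model of the chain ci.debian.net serves (duplicate leaf dropped).
# Certificate[3] is the cross-signed ISRG Root X1: same subject as the trust
# anchor shipped in ca-certificates, but issued by the expired DST Root CA X3.
SERVER_CHAIN = [
    Cert("CN=ci.debian.net", "CN=R3,O=Let's Encrypt,C=US"),
    Cert("CN=R3,O=Let's Encrypt,C=US", ISRG_ROOT_X1),
    Cert(ISRG_ROOT_X1, DST_ROOT_CA_X3),
]

# Trust stores as constructed here: before and after the blacklisting.
STORE_BEFORE = {ISRG_ROOT_X1, DST_ROOT_CA_X3}
STORE_AFTER = {ISRG_ROOT_X1}


def verify_walk_to_end(chain, anchors):
    """Failure mode seen in the report: follow the presented chain to its
    last certificate and require that one's issuer to be a trust anchor.
    The cross-signed root drags verification to DST Root CA X3."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer in anchors


def verify_stop_at_anchor(chain, anchors):
    """Preferred path building: at each step first ask whether the current
    certificate's issuer is already a trust anchor; only otherwise continue
    down the presented chain. Returns the anchor reached, or None."""
    for i, cert in enumerate(chain):
        if cert.issuer in anchors:
            return cert.issuer
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return None
    return None


if __name__ == "__main__":
    for name, store in (("before", STORE_BEFORE), ("after", STORE_AFTER)):
        print(name, verify_walk_to_end(SERVER_CHAIN, store),
              verify_stop_at_anchor(SERVER_CHAIN, store))
```

With the blacklisted store the walk-to-end verifier fails exactly as gnutls-cli does, while the anchor-first verifier still reaches ISRG Root X1 via the R3 intermediate and never needs the cross-signed certificate.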