Bug#1007138: libgnutls30: fails on Let's Encrypt chains due to blacklisted expired root certificate

Paul Gevers elbrus at debian.org
Fri Mar 11 21:00:48 GMT 2022


Package: libgnutls30
Version: 3.7.3-4+b1
Severity: normal

Dear maintainers,

Recently ca-certificates 20211016 migrated to testing which included
the following change:

* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)

As can be read here [1] Let's Encrypt certificates are signed by a
certificate (1) that's signed by that blacklisted certificate. By now
that intermediate certificate is widespread as a trusted CA and
indeed it's available in Debian. However, since ca-certificates
migrated, liferea, which uses libsoup which uses libgnutls30 fails to
collect my rss feeds from ci.debian.net. This seems to only be a
problem with libgnutls30, as firefox-esr and curl work just
fine. (wget also uses libgnutls30 and fails). It seems that until
ca-certificates migrated libgnutls30 just fell back to the expired
certificate.

Paul

paul at mulciber ~ $ openssl x509 -in /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
<cut here>

paul at mulciber ~ $ gnutls-cli ci.debian.net
Processed 127 CA certificate(s).
Resolving 'ci.debian.net:443'...
Connecting to '52.34.117.196:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
        Public Key ID:
                sha1:344bd3eb5105d3b830dd87f6f5e4435e8aacdf6d
                sha256:ad60bf96ef3f8a50d84279e45abf4950fdd3852ae9e4f8b4f211575afde1effa
        Public Key PIN:
                pin-sha256:rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o=

- Certificate[1] info:
 - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.



-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30 depends on:
ii  libc6          2.33-7
ii  libgmp10       2:6.2.1+dfsg-3
ii  libhogweed6    3.7.3-1
ii  libidn2-0      2.3.2-2
ii  libnettle8     3.7.3-1
ii  libp11-kit0    0.24.0-6
ii  libtasn1-6     4.18.0-4
ii  libunistring2  1.0-1

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii  gnutls-bin  3.7.3-4+b1

-- no debconf information
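A model of the path-building difference the report describes, added here as an example and not code from the report or from GnuTLS: certificates are reduced to subject, issuer and key-identifier strings (the key identifiers are constructed placeholders), no signatures or validity periods are checked, and a verifier that follows the served chain to its last certificate is contrasted with one that stops as soon as it reaches a trust anchor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str  # subject key identifier (constructed placeholder)
    aki: str     # authority key identifier (constructed placeholder)

ISRG = "CN=ISRG Root X1,O=Internet Security Research Group,C=US"
DST = "CN=DST Root CA X3,O=Digital Signature Trust Co."
R3 = "CN=R3,O=Let's Encrypt,C=US"

# Chain as served by ci.debian.net in the report (duplicate leaf dropped):
# leaf <- R3 <- ISRG Root X1, cross-signed by the expired DST Root CA X3.
PRESENTED = [
    Cert("CN=ci.debian.net", R3, "k-leaf", "k-r3"),
    Cert(R3, ISRG, "k-r3", "k-isrg"),
    Cert(ISRG, DST, "k-isrg", "k-dst"),  # same key as the self-signed ISRG root
]

# Trust stores as subject -> key id. Before ca-certificates 20211016 both
# roots were present; afterwards DST Root CA X3 is blacklisted (absent).
STORE_OLD = {ISRG: "k-isrg", DST: "k-dst"}
STORE_NEW = {ISRG: "k-isrg"}

def verify_follow_to_end(chain, store):
    """Walk the served chain to its last certificate and require that
    certificate's issuer to be a trust anchor. This reproduces the
    'certificate issuer is unknown' failure once DST Root CA X3 is gone."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject or cert.aki != parent.key_id:
            return "broken chain"
    last = chain[-1]
    return "trusted" if store.get(last.issuer) == last.aki else "issuer unknown"

def verify_anchor_early(chain, store):
    """Stop at the first certificate that is issued by a trust anchor, or
    that is itself a trust anchor (same subject and key). Whatever the
    server appended after that point, here the cross-sign, is ignored."""
    for cert, parent in zip(chain, chain[1:] + [None]):
        if store.get(cert.issuer) == cert.aki:
            return "trusted"
        if store.get(cert.subject) == cert.key_id:
            return "trusted"
        if parent is None or cert.issuer != parent.subject or cert.aki != parent.key_id:
            return "issuer unknown"
    return "issuer unknown"
```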
