
Bug#1007138: libgnutls30: fails on Let's Encrypt chains due to blacklisted expired root certificate


Paul Gevers

Mar 11, 2022, 4:10:03 PM
Package: libgnutls30
Version: 3.7.3-4+b1
Severity: normal

Dear maintainers,

Recently ca-certificates 20211016 migrated to testing which included
the following change:

* Blacklist expired root certificate "DST Root CA X3" (closes: #995432)

As can be read here [1] Let's Encrypt certificates are signed by a
certificate (1) that's signed by that blacklisted certificate. By now
that intermediate certificate is widespread as a trusted CA and
indeed it's available in Debian. However, since ca-certificates
migrated, liferea, which uses libsoup which uses libgnutls30 fails to
collect my rss feeds from ci.debian.net. This seems to only be a
problem with libgnutls30, as firefox-esr and curl work just
fine. (wget also uses libgnutls30 and fails). It seems that until
ca-certificates migrated libgnutls30 just fell back to the expired
certificate.

Paul

paul@mulciber ~ $ openssl x509 -in /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Jun 4 11:04:38 2015 GMT
Not After : Jun 4 11:04:38 2035 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
<cut here>

paul@mulciber ~ $ gnutls-cli ci.debian.net
Processed 127 CA certificate(s).
Resolving 'ci.debian.net:443'...
Connecting to '52.34.117.196:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
Public Key ID:
sha1:344bd3eb5105d3b830dd87f6f5e4435e8aacdf6d
sha256:ad60bf96ef3f8a50d84279e45abf4950fdd3852ae9e4f8b4f211575afde1effa
Public Key PIN:
pin-sha256:rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o=

- Certificate[1] info:
- subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
- Certificate[2] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.



-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.16.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30 depends on:
ii libc6 2.33-7
ii libgmp10 2:6.2.1+dfsg-3
ii libhogweed6 3.7.3-1
ii libidn2-0 2.3.2-2
ii libnettle8 3.7.3-1
ii libp11-kit0 0.24.0-6
ii libtasn1-6 4.18.0-4
ii libunistring2 1.0-1

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii gnutls-bin 3.7.3-4+b1

-- no debconf information

Andreas Metzler

Mar 12, 2022, 1:50:03 AM
Control: tags -1 confirmed

On 2022-03-11 Paul Gevers <elb...@debian.org> wrote:
> Package: libgnutls30
> Version: 3.7.3-4+b1
> Severity: normal

> Dear maintainers,

> Recently ca-certificates 20211016 migrated to testing which included
> the following change:

> * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)

[...]
> paul@mulciber ~ $ gnutls-cli ci.debian.net
> Processed 127 CA certificate(s).
> Resolving 'ci.debian.net:443'...
> Connecting to '52.34.117.196:443'...
> - Certificate type: X.509
> - Got a certificate list of 4 certificates.
> - Certificate[0] info:
> - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
[...]
> - Certificate[1] info:
> - subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2022-01-16 23:00:15 UTC', expires `2022-04-16 23:00:14 UTC', pin-sha256="rWC/lu8/ilDYQnnkWr9JUP3ThSrp5Pi08hFXWv3h7/o="
[...]

Hello Paul,

thanks for the report. I think the DST Root CA X3 thingy is unrelated, I
rather suspect ci.debian.net changed.

ci.debian.net seems to be configured less than optimal, its cert-chain
contains junk (0=server cert, 1=server cert *again*, etc.). Removing the
duplicate server cert from the chain lets at least certtool --verify
succeed. I expect gnutls-cli would also succeed if ci.debian.net was
"improved".

And OTOH adding DSTRootCAX3.crt to the trusted set does not let
gnutls-cli succeed:

| gnutls-cli --x509cafile=/tmp/DSTRootCAX3.crt ci.debian.net
[...]
| - Status: The certificate is NOT trusted. The certificate chain uses expired certificate.

I am not claiming this is not a gnutls bug since iirc nowadays the
respective RFCs allow sending junk certificates in the chain and the
client is supposed to handle this.

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Paul Wise

Jul 16, 2022, 9:50:04 PM
Control: severity -1 important
Control: retitle -1 libgnutls30: fails to validate when the server cert is duplicated in the cert chain

On Sat, 12 Mar 2022 07:43:28 +0100 Andreas Metzler wrote:

> ci.debian.net seems to be configured less than optimal, its cert-chain
> contains junk (0=server cert, 1=server cert *again*, etc.).

I have seen this issue (duplicate server cert) on several other sites.
For some of them I was able to convince the server operator to fix the
issue but for others I wouldn't even know who to contact. So I think
that this issue needs to be fixed in GnuTLS and that this bug should be
fixed before the release of Debian bookworm, because it makes programs
using GnuTLS somewhat unusable now. Please bump severity if you agree.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Paul Wise

Jul 16, 2022, 10:00:03 PM
Control: retitle -1 libgnutls30: fails to validate when there is junk in the cert chain, including duplicated server certs

On Sun, 17 Jul 2022 09:40:09 +0800 Paul Wise wrote:

> I have seen this issue (duplicate server cert) on several other
> sites.

Seems this issue is broader than just duplicate server certs, I just
found a site that has a Thawte CA cert as its first cert in the cert
chain instead of the LE/ISRG CA certs. This site works just fine with
OpenSSL and NSS but not with GnuTLS.

$ gnutls-cli neo900.org < /dev/null
Processed 127 CA certificate(s).
Resolving 'neo900.org:443'...
Connecting to '207.154.223.212:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=neo900.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x047b33482e681f3a1ac7d3c5ccfd88ec782a, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-06-28 06:54:18 UTC', expires `2022-09-26 06:54:17 UTC', pin-sha256="PwlhvXvPqmAlJKlxSnEAkmSmjkg4sAhebliU+AznV1k="
        Public Key ID:
                sha1:6613298f366b86c7f160c573fa2cd2a9207fe0bd
                sha256:3f0961bd7bcfaa602524a9714a71009264a68e4838b0085e6e5894f80ce75759
        Public Key PIN:
                pin-sha256:PwlhvXvPqmAlJKlxSnEAkmSmjkg4sAhebliU+AznV1k=

- Certificate[1] info:
 - subject `CN=Thawte TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x090ee8c5de5bfa62d2ae2ff7097c4857, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-11-02 12:24:25 UTC', expires `2027-11-02 12:24:25 UTC', pin-sha256="42b9RNOnyb3tlC0KYtNPA3KKpJluskyU6aG+CipUmaM="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.


Andreas Metzler

Jul 17, 2022, 5:50:03 AM
Control: severity -1 serious

On 2022-07-17 Paul Wise <pa...@debian.org> wrote:
[...]
> So I think
> that this issue needs to be fixed in GnuTLS and that this bug should be
> fixed before the release of Debian bookworm, because it makes programs
> using GnuTLS somewhat unusable now. Please bump severity if you agree.

I do agree.

cu Andreas

Jean Parpaillon

Aug 26, 2022, 8:10:04 AM
I think this issue also affects communicating with netfilter.org:

$ gnutls-cli netfilter.org
Processed 127 CA certificate(s).
Resolving 'netfilter.org:443'...
Connecting to '92.243.18.11:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0330e74e9bb6f125ade3afb49b7c8d47d0ee, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-07-10 21:33:49 UTC', expires `2022-10-08 21:33:48 UTC', pin-sha256="1E+Rv29dI0tS3XaAhXc8qjGHah4UCYzzBpTpG1Mar28="
Public Key ID:
sha1:ac3fc835851d492debd58a41df39d1adfcb12292
sha256:d44f91bf6f5d234b52dd768085773caa31876a1e14098cf30694e91b531aaf6f
Public Key PIN:
pin-sha256:1E+Rv29dI0tS3XaAhXc8qjGHah4UCYzzBpTpG1Mar28=

- Certificate[1] info:
- subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0330e74e9bb6f125ade3afb49b7c8d47d0ee, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-07-10 21:33:49 UTC', expires `2022-10-08 21:33:48 UTC', pin-sha256="1E+Rv29dI0tS3XaAhXc8qjGHah4UCYzzBpTpG1Mar28="
- Certificate[2] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.



--
Jean Parpaillon
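
An added example, not part of the original thread and not GnuTLS code: a small Python check that parses gnutls-cli output like that quoted in the messages above and flags the two kinds of chain junk reported here, a repeated certificate and a certificate that does not continue the issuer chain. It compares names only and goes slightly beyond the thread by also accepting mail-wrapped output; `parse_chain` and `audit_chain` are hypothetical names.

```python
import re

# Per-certificate line printed by gnutls-cli: - subject `..', issuer `..', serial 0x..
CERT_RE = re.compile(
    r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', serial (?P<serial>0x[0-9a-f]+)"
)

def parse_chain(output):
    """Return [(subject, issuer, serial)] in the order the server sent them."""
    # Mail clients wrap these long lines, so collapse all whitespace first.
    flat = re.sub(r"\s+", " ", output)
    return [(m["subject"], m["issuer"], m["serial"]) for m in CERT_RE.finditer(flat)]

def audit_chain(chain):
    """Flag entries that repeat or that break the issuer -> subject name chain."""
    # Name comparison only: no signatures, validity dates or trust store.
    findings, seen, path = [], set(), []
    for idx, (subject, issuer, serial) in enumerate(chain):
        key = (issuer, serial)  # issuer DN + serial identifies a certificate
        if key in seen:
            findings.append((idx, "duplicate"))
        elif path and subject != path[-1][1]:
            findings.append((idx, "not-in-path"))
        else:
            path.append((subject, issuer, serial))
        seen.add(key)
    return findings, path

# Sample input: abridged from the gnutls-cli output quoted in this thread
# (key, validity and pin fields dropped; second sample wrapped like the mail).
NEO900 = """
 - subject `CN=neo900.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x047b33482e681f3a1ac7d3c5ccfd88ec782a, RSA key
 - subject `CN=Thawte TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x090ee8c5de5bfa62d2ae2ff7097c4857, RSA key
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key
"""
CI_DEBIAN = """
- subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key
- subject `CN=ci.debian.net', issuer `CN=R3,O=Let's Encrypt,C=US',
serial 0x04568ce008fea2f0063e06ef52b45111a3ec, EC/ECDSA key
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root
X1,O=Internet Security Research Group,C=US', serial
0x00912b084acf0c18a753f6d62e25a75f5a, RSA key
"""

if __name__ == "__main__":
    for name, text in (("neo900.org", NEO900), ("ci.debian.net", CI_DEBIAN)):
        findings, path = audit_chain(parse_chain(text))
        print(name, findings, [s for s, _, _ in path])
```

A server operator can run this against their own `gnutls-cli` output to find the entries to drop from the served chain file; an empty findings list means the chain is in leaf-to-root name order with no repeats.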