Date:      Thu, 30 Sep 2021 13:23:01 -0400
From:      mike tancsa <mike@sentex.net>
To:        Michael Sierchio <kudzu@tenebras.com>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: expired Lets Encrypt CA and fetch
Message-ID:  <e117463c-fab3-7825-bf47-47d17580d47d@sentex.net>
In-Reply-To: <CAHu1Y70Y08q-wYskdR5tAM9tig3SpeMUm=ibTXG8WsX5okJPFw@mail.gmail.com>
References:  <b5400e1d-acde-3ca4-f244-d935df9544ab@sentex.net> <YVXolrutpxGYwPc5@geeks.org> <CAHu1Y70Y08q-wYskdR5tAM9tig3SpeMUm=ibTXG8WsX5okJPFw@mail.gmail.com>

On 9/30/2021 12:55 PM, Michael Sierchio wrote:
> Are there unexpired certs in the chain that have DST Root CA X3 as their
> root?  Because that should never happen, right?

I think it's the intermediary cert that is given by the server and the
client is not always able to figure out what to use. Chrome on Windows
can hit the URL https://expired-r3-test.scotthelme.co.uk/ OK, but my Mac
laptop cannot. I was trying to use

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

to get fetch to work on releng12, but no luck. It's still broken despite
trying to explicitly blacklist the CA as suggested.

Note, with

https://expired-r3-test.scotthelme.co.uk/

I cannot get fetch nor curl to work on any FreeBSD branch.

    ---Mike

> On Thu, Sep 30, 2021 at 9:41 AM Doug McIntyre <merlyn@geeks.org> wrote:
>
>> Let's Encrypt used to cross-sign with DST Root CA X3, but that
>> expired, and they stopped doing that a year ago.
>>
>> They've been cross-signing with their own root, but there is still fallout
>> from
>> DST Root CA X3 expiring. I am seeing my own stuff be affected in weird
>> ways too.
>>
>> https://community.letsencrypt.org/t/production-chain-changes/150739/4
>>
>>
>>
>> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
>>> I noticed on RELENG_11 boxes that fetch is failing, even with an updated
>>> ca bundle.
>>>
>>> eg.
>>>
>>> % fetch https://expired-r3-test.scotthelme.co.uk/
>>> Certificate verification failed for /O=Digital Signature Trust
>>> Co./CN=DST Root CA X3
>>> 34374360472:error:14090086:SSL
>>> routines:ssl3_get_server_certificate:certificate verify
>>> failed:/crossbuilds/src/11/crypto/openssl/ssl/s3_clnt.c:1269:
>>> fetch: https://expired-r3-test.scotthelme.co.uk/: Authentication error
>>>
>>> fails on releng11 and some RELENG_12, but not recent releng13.  Does
>>> anyone know what's going on and why it's so inconsistent? If I remove the
>>> expired CA entry from the bundle, it works, but I don't have to on all
>>> clients? Anyone know what's going on?
>>>
>>> --- ca-root-nss.crt     2021-09-03 21:13:10.000000000 -0400
>>> +++ /tmp/ca-root-nss.crt        2021-09-30 10:54:36.000000000 -0400
>>> @@ -4178,88 +4178,6 @@
>>>  -----END CERTIFICATE-----
>>>
>>>
>>> -
>>> -Certificate:
>>> -    Data:
>>> -        Version: 3 (0x2)
>>> -        Serial Number:
>>> -            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
>>> -        Signature Algorithm: sha1WithRSAEncryption
>>> -        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>>> -        Validity
>>> -            Not Before: Sep 30 21:12:19 2000 GMT
>>> -            Not After : Sep 30 14:01:15 2021 GMT
>>> -        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
>>> -        Subject Public Key Info:
>>> -            Public Key Algorithm: rsaEncryption
>>> -                RSA Public-Key: (2048 bit)
>>> -                Modulus:
>>> -                    00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
>>> -                    82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
>>> -                    c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
>>> -                    ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
>>> -                    2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
>>> -                    a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
>>> -                    30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
>>> -                    65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
>>> -                    52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
>>> -                    8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
>>> -                    70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
>>> -                    30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
>>> -                    92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
>>> -                    d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
>>> -                    eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
>>> -                    02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
>>> -                    69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
>>> -                    02:5d
>>> -                Exponent: 65537 (0x10001)
>>> -        X509v3 extensions:
>>> -            X509v3 Basic Constraints: critical
>>> -                CA:TRUE
>>> -            X509v3 Key Usage: critical
>>> -                Certificate Sign, CRL Sign
>>> -            X509v3 Subject Key Identifier:
>>> -
>> C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
>>> -    Signature Algorithm: sha1WithRSAEncryption
>>> -         a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
>>> -         4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
>>> -         a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
>>> -         20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
>>> -         b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
>>> -         3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
>>> -         dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
>>> -         e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
>>> -         0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
>>> -         67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
>>> -         85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
>>> -         63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
>>> -         b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
>>> -         96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
>>> -         82:35:35:10
>>> -SHA1
>>> Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
>>> ------BEGIN CERTIFICATE-----
>>> -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
>>> -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
>>> -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
>>> -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
>>> -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
>>> -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
>>> -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
>>> -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
>>> -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
>>> -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
>>> -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
>>> -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
>>> -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
>>> -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
>>> -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
>>> -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
>>> -JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
>>> -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
>>> ------END CERTIFICATE-----
>>> -
>>> -
>>> -
>>>  Certificate:
>>>      Data:
>>>          Version: 3 (0x2)
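Review bot: the hunk deletes the entire DST Root CA X3 entry, whose "Not After : Sep 30 14:01:15 2021 GMT" is the root named in the "Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3" error above, so the affected clients stop building a path through the expired cross-sign; two points to raise. First, the "+++" side is /tmp/ca-root-nss.crt, a hand-edited copy, so the change disappears (and the failure returns) the next time the bundle is refreshed; record the bundle date the edit was made against (the "---" line gives 2021-09-03) so the workaround can be re-checked against newer bundles. Second, only the cross-signing root is removed here; the Let's Encrypt root that the earlier reply says they now cross-sign with must still be present in the bundle, otherwise no path at all can be built, so confirm that entry survives rather than checking this hunk in isolation.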
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
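The diff quoted in this thread removes the one expired root from ca-root-nss.crt by hand. A way to find such entries automatically, as an added example that is not part of the thread and is not FreeBSD or ca_root_nss code: the script below walks a PEM bundle using only the Python standard library (a minimal DER reader stands in for an X.509 library), reports every certificate whose notAfter has passed, and carries a constructed SAMPLE_BUNDLE holding the public DST Root CA X3 certificate exactly as quoted in the diff above. The names SAMPLE_BUNDLE, parse_certificate and expired_certs are the example's own.

```python
import base64
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the DST Root CA X3 entry quoted in the diff above (a public
# root certificate), trimmed to the PEM block that a bundle scanner cares about.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3), DER-encoded


def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _time(buf, tag, start, end):
    """Decode a UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) as UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _common_name(buf, start, end):
    """Return the CN of an X.501 Name: SEQUENCE OF SET OF {OID, value}."""
    for _, set_s, set_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, set_s, set_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, atv_s, atv_e))[:2]
            if buf[oid_s:oid_e] == CN_OID:
                return buf[val_s:val_e].decode("utf-8", "replace")
    return None


def parse_certificate(der):
    """Return issuer CN, subject CN and the validity window of one DER certificate."""
    _, cert_s, _ = _tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    _, issuer_s, issuer_e = fields[2]
    _, val_s, val_e = fields[3]
    _, subj_s, subj_e = fields[4]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = list(_children(der, val_s, val_e))
    return {
        "issuer_cn": _common_name(der, issuer_s, issuer_e),
        "subject_cn": _common_name(der, subj_s, subj_e),
        "not_before": _time(der, nb_tag, nb_s, nb_e),
        "not_after": _time(der, na_tag, na_s, na_e),
    }


def expired_certs(bundle_text, now=None):
    """Parse every PEM block in the bundle and return those whose notAfter has passed."""
    now = now or datetime.now(timezone.utc)
    expired = []
    for match in PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        info = parse_certificate(der)
        if info["not_after"] < now:
            expired.append(info)
    return expired


if __name__ == "__main__":
    # Usage: python3 check_bundle.py /path/to/ca-root-nss.crt (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for cert in expired_certs(text):
        print("EXPIRED %s (issuer %s) notAfter=%s"
              % (cert["subject_cn"], cert["issuer_cn"], cert["not_after"].isoformat()))
```

Run it against the real bundle path on a client that fails, and a hit for DST Root CA X3 is exactly the entry the quoted diff removes. The reader only walks the outer structure of the certificate (serial, issuer, validity, subject) and never touches the public key or signature, which keeps it short but also means it is a bundle hygiene check, not a chain validator; re-run it after every bundle update rather than relying on a one-off hand edit.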