[gnutls-devel] GnuTLS | certificate issuer unknown on duplicate certificates in chain (#1131)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Dec 7 12:28:19 CET 2020



Tomas Krizek created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1131



## Description of problem:
When a root certificate appears twice in the certificate chain, it is marked as untrusted. I suppose there's no reason why duplicate certificates should be in the chain, but these do appear in the wild, e.g. `gitlab.nic.cz` (as of 2020-12-07).

## Version of gnutls used:
3.7.0 (the same certificate chain works fine with 3.6.15)

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Archlinux

## How reproducible: 100%

Steps to Reproduce:

```
$ gnutls-cli gitlab.nic.cz
Processed 149 CA certificate(s).
Resolving 'gitlab.nic.cz:443'...
Connecting to '217.31.192.133:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=gitlab.labs.nic.cz', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x043d7d8a63166e0368df867d4c584791ae65, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-16 08:03:24 UTC', expires `2021-02-14 08:03:24 UTC', pin-sha256="7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs="
	Public Key ID:
		sha1:1bb89b72e0dfd583e5cc970030310e38f7740ffa
		sha256:ecd066036fdd0e3277a3a4872cb6e1a0fea74eef7906120c94e406fc51934ccb
	Public Key PIN:
		pin-sha256:7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs=

- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

In case the service cert gets fixed in the meantime, I'm also attaching a copy of the certificate. [gitlab.nic.cz.pem](/uploads/ae1a7cd5362b07fcba7210c2b2247503/gitlab.nic.cz.pem)

## Actual results:
certificate verification fails

## Expected results:
certificate verification succeeds

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1131
You're receiving this email because of your account on gitlab.com.
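The listing above shows Certificate[1] and Certificate[2] with an identical subject, serial and pin, i.e. the server sends the same certificate twice. The script below is an added example, not part of this issue or of GnuTLS itself, that an operator can run over a PEM bundle before deploying it to find and drop such repeats. It assumes a file of concatenated `CERTIFICATE` blocks, identifies each certificate by the SHA-256 of its DER bytes, and uses only the Python standard library; the sample chain embedded at the bottom is constructed placeholder data, not real DER.

```python
import base64
import hashlib
import re
import sys

# One PEM CERTIFICATE block: header, base64 body (possibly multi-line), footer.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_chain(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [
        base64.b64decode("".join(body.split()))
        for body in _PEM_BLOCK.findall(pem_text)
    ]


def fingerprint(der):
    """SHA-256 hex digest of the DER encoding; two certs with equal
    fingerprints are byte-for-byte the same certificate."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    """Re-encode DER bytes as a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def find_duplicates(pem_text):
    """Return [(index, first_index, sha256), ...] for every certificate in
    the chain that repeats an earlier one (0-based positions in the file)."""
    first_seen = {}
    dupes = []
    for i, der in enumerate(parse_pem_chain(pem_text)):
        fp = fingerprint(der)
        if fp in first_seen:
            dupes.append((i, first_seen[fp], fp))
        else:
            first_seen[fp] = i
    return dupes


def dedupe_chain(pem_text):
    """Return the chain as PEM with repeats removed, keeping the first
    occurrence of each certificate and the original order of the rest."""
    seen = set()
    out = []
    for der in parse_pem_chain(pem_text):
        fp = fingerprint(der)
        if fp in seen:
            continue
        seen.add(fp)
        out.append(to_pem(der))
    return "".join(out)


# Constructed sample chain mirroring the report: a leaf followed by the same
# intermediate twice. The byte strings are placeholders, not real certificates.
SAMPLE_CHAIN = (
    to_pem(b"constructed placeholder: leaf certificate")
    + to_pem(b"constructed placeholder: intermediate certificate")
    + to_pem(b"constructed placeholder: intermediate certificate")
)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    for idx, first, fp in find_duplicates(text):
        print(f"certificate #{idx} repeats #{first} (sha256 {fp[:16]}...)")
    # Write the cleaned chain to stdout so it can be redirected to a new file.
    sys.stdout.write(dedupe_chain(text))
```

Run it as `python dedupe_chain.py chain.pem > chain-clean.pem` to get a report of repeated entries on the first lines of output followed by the cleaned bundle; with no argument it runs against the constructed sample. Because the check compares whole DER encodings rather than subject names, two distinct certificates for the same CA (for example a cross-signed and a self-signed variant) are correctly kept as separate entries.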



