[gnutls-devel] GnuTLS | Older Let's Encrypt certificates are not recognized (#1139)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sun Dec 27 18:08:53 CET 2020

Darshit Shah created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1139

## Description of problem:

It seems like certificates signed by the old Let's Encrypt CA certificate "Let's Encrypt Authority X3", are not being recognized as valid by gnutls.
The same certificate is recorded as valid when I use OpenSSL.

## Version of gnutls used:
3.7.0

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Arch Linux Official repository package

## How reproducible:
Always

Steps to Reproduce:

 * `gnutls-cli translationproject.org`

## Actual results:

```
Processed 139 CA certificate(s).
Resolving 'translationproject.org:443'...
Connecting to '2a01:7c8:c037:6::20:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="
        Public Key ID:
                sha1:3a6a632ee02dacea20b66789fbfc9bf58dc46b27
                sha256:83e72f0e6b0af82892e537cc89ab059bb46ab0c972f09fb26a61be55b29e8483
        Public Key PIN:
                pin-sha256:g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM=

- Certificate[1] info:
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

## Expected results:

The certificate is recognized as valid. On Firefox I don't see any problems as it recognizes it just fine. As does `openssl s_client`.
Other websites using Let's Encrypt, but with the newer signing certificate have no problems.
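The chain printed above, read by an added helper that is not part of the report or of GnuTLS: it parses the per-certificate lines gnutls-cli emits and reports what can be checked structurally without verifying signatures, namely that the leaf is sent twice, that the deduplicated chain links leaf to "Let's Encrypt Authority X3" to "DST Root CA X3", and that this last issuer is absent from the list the server sent and therefore has to come from the local CA set. The trust-store contents and the check timestamp are assumed values.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the three per-certificate lines from the gnutls-cli output above, verbatim.
SAMPLE = """\
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
"""

# gnutls-cli quotes DNs as `...' and a DN may contain an apostrophe ("Let's"), so each
# field is matched non-greedily up to the next literal delimiter, not the next quote.
ENTRY = re.compile(
    r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', serial (?P<serial>0x[0-9a-f]+),"
    r".*?activated `(?P<activated>.*?)', expires `(?P<expires>.*?)'"
)

def _ts(s):  # gnutls-cli timestamp, e.g. "2020-11-01 10:34:36 UTC"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Return the certificates as dicts, in the order the server sent them."""
    certs = []
    for m in ENTRY.finditer(text):
        c = m.groupdict()
        c["activated"], c["expires"] = _ts(c["activated"]), _ts(c["expires"])
        certs.append(c)
    return certs

def review_chain(certs, trusted_subjects, now):
    """Structural checks on the sent chain; no signatures are verified here."""
    now, seen, unique, duplicates = _ts(now), set(), [], []
    for c in certs:  # keep the first copy of each serial, in sent order
        (duplicates if c["serial"] in seen else unique).append(c)
        seen.add(c["serial"])
    return {
        "sent": len(certs),
        "unique": len(unique),
        "duplicate_serials": sorted({c["serial"] for c in duplicates}),
        "linked": all(unique[i]["issuer"] == unique[i + 1]["subject"]
                      for i in range(len(unique) - 1)),
        "top_issuer": unique[-1]["issuer"] if unique else None,
        "top_issuer_in_trust_store": bool(unique) and unique[-1]["issuer"] in trusted_subjects,
        "not_valid_at_now": [c["subject"] for c in unique
                             if not c["activated"] <= now <= c["expires"]],
    }

# Assumption for the demo: DST Root CA X3 is present in the local trust store.
REPORT = review_chain(parse_chain(SAMPLE), {"CN=DST Root CA X3,O=Digital Signature Trust Co."},
                      "2020-12-27 17:08:53 UTC")
```

A "linked" chain whose top issuer is in the trust store but still fails PKI verification points at the library or its CA bundle rather than at the order of the certificates the server sent.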
