[gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Oct 28 12:48:14 CEST 2021



Julian Andres Klode created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1285



Trying to connect to irc.sekrit.org port 994 fails:

```
$ gnutls-cli irc.sekrit.org  -p 994                                                                                                                                                                                                                                            
Processed 128 CA certificate(s).                                                                                                                                                                                                                                                            
Resolving 'irc.sekrit.org:994'...                                                                                                                                                                                                                                                           
Connecting to '34.86.153.216:994'...                                                                                                                                                                                                                                                        
- Successfully sent 0 certificate(s) to server.                                                                                                                                                                                                                                             
- Server has requested a certificate.                                                                                                                                                                                                                                                       
- Certificate type: X.509                                                                                                                                                                                                                                                                   
- Got a certificate list of 1 certificates.                                                                                                                                                                                                                                                 
- Certificate[0] info:                                                                                                                                                                                                                                                                      
 - subject `CN=irc-new.sekrit.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x035246f14a5f17856da061c4af902569e957, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-08-31 11:04:27 UTC', expires `2021-11-29 11:04:26 UTC', pin-sha256="D4UO7EFocRJUU18myirKrVhOKtVztbnmngqlhmVeBp0="
        Public Key ID:
                sha1:98c0e59729d7dab6587779a831fcbc072f0e9021
                sha256:0f850eec4168711254535f26ca2acaad584e2ad573b5b9e69e0aa586655e069d
        Public Key PIN:
                pin-sha256:D4UO7EFocRJUU18myirKrVhOKtVztbnmngqlhmVeBp0= 

- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

openssl works fine:
```
$ openssl s_client -host irc.sekrit.org -port 994                                                                                                                                                                                                                              
CONNECTED(00000003)                                                                                                                                                                                                                                                                         
depth=0 CN = irc-new.sekrit.org                                                                                                                                                                                                                                                             
verify error:num=20:unable to get local issuer certificate                                                                                                                                                                                                                                  
verify return:1                                                                                                                                                                                                                                                                             
depth=0 CN = irc-new.sekrit.org                                                                                                                                                                                                                                                             
verify error:num=21:unable to verify the first certificate                                                                                                                                                                                                                                  
verify return:1                                                                                                                                                                                                                                                                             
---                                                                                                                                                                                                                                                                                         
Certificate chain                                                                                                                                                                                                                                                                           
 0 s:CN = irc-new.sekrit.org                                                                                                                                                                                                                                                                
   i:C = US, O = Let's Encrypt, CN = R3                                                                                                                                                                                                                                                     
---                                                                                                                                                                                                                                                                                         
Server certificate                                                                                                                                                                                                                                                                          
subject=CN = irc-new.sekrit.org                                                                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                            
issuer=C = US, O = Let's Encrypt, CN = R3                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                            
---                                     
```
