[gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu Oct 28 13:44:54 CEST 2021
Daiki Ueno commented:
"CN=R3,O=Let's Encrypt,C=US" is an [intermediate CA](https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html) and the client needs to retrieve the rest of the certificate chain. In this case, as the server uses the AIA extension for that, you could use the `--ca-auto-retrieve` option:
```
gnutls-cli --ca-auto-retrieve irc.sekrit.org -p 994
Connecting to caIssuer server: r3.i.lencr.org...
Connecting to '2a02:26f0:4700:185::21cc:80'...
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 83:F4:C0:C1:38:BC:9D:5F:59:48:83:80:4A:C6:37:9A:B5:C2:AB:28:01:C4:88:BF:99:1D:FA:17:15:A1:3B:59
- Handshake was completed
```
> openssl works fine:
Looks like it just continues the handshake ignoring the error (as printed in your log). If you specify `-verify_return_error` the behavior would be different.
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1285#note_717191369
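
One way to spot the missing-intermediate condition discussed above when auditing a server (an added example, not part of the original thread or of GnuTLS): parse the `Certificate chain` section that `openssl s_client -showcerts` prints and report which issuer the client is left to locate on its own. The sample outputs, the hostname and the trust-store set are constructed, and the check compares names only; it does not validate signatures.

```python
import re

# Constructed sample of the "Certificate chain" section; this server sends only its leaf.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = irc.example.test
   i:C = US, O = Let's Encrypt, CN = R3
---
"""

# Constructed sample: the same server after the intermediate was added.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:CN = irc.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

# Assumed local trust store, reduced to subject names for illustration.
TRUSTED_ROOTS = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+\s+s:(.*)", line)
        i = re.match(r"\s+i:(.*)", line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain

def diagnose(text, trusted=TRUSTED_ROOTS):
    """Name-based check only: does the chain the server sent reach a trusted root?"""
    chain = parse_chain(text)
    if not chain:
        return ("no-chain", None)
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return ("broken-order", issuer)
    last_subject, last_issuer = chain[-1]
    if last_issuer in trusted or last_subject in trusted:
        return ("complete", last_issuer)
    # The client must obtain this issuer itself, e.g. via the AIA caIssuers URL.
    return ("missing-issuer", last_issuer)
```

A `missing-issuer` result names the certificate the server operator should add to the chain it serves, so that clients without AIA retrieval can still validate it.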