[gnutls-devel] GnuTLS | "The certificate is NOT trusted. The certificate issuer is unknown." for let's encrypt cert on irc.sekrit.org (#1285)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Oct 28 13:44:54 CEST 2021

Daiki Ueno commented:


"CN=R3,O=Let's Encrypt,C=US" is an [intermediate CA](https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html) and the client needs to retrieve the rest of the certificate chain. In this case, as the server uses the AIA extension for that, you could use the `--ca-auto-retrieve` option:
```console
gnutls-cli --ca-auto-retrieve irc.sekrit.org -p 994
...
Connecting to caIssuer server: r3.i.lencr.org...
Resolving 'r3.i.lencr.org:80'...
Connecting to '2a02:26f0:4700:185::21cc:80'...
- Status: The certificate is trusted. 
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 83:F4:C0:C1:38:BC:9D:5F:59:48:83:80:4A:C6:37:9A:B5:C2:AB:28:01:C4:88:BF:99:1D:FA:17:15:A1:3B:59
- Options:
- Handshake was completed
```

> openssl works fine:

Looks like it just continues the handshake ignoring the error (as printed in your log). If you specify `-verify_return_error`, the behavior would be different.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1285#note_717191369
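The chain problem and the AIA-based fix discussed above, reproduced offline as an added example (not code from the GnuTLS issue or the GnuTLS project). It builds a throwaway PKI with the openssl CLI: a trusted root, an intermediate in the role R3 plays for Let's Encrypt, and a server leaf whose AIA extension points at the intermediate. Verifying the leaf against the root alone fails with the same "unable to get local issuer" class of error; following the caIssuers URL and feeding the fetched certificate in as untrusted input makes the path build. The names demo.example and aia.demo.example are hypothetical, and the HTTP fetch that `gnutls-cli --ca-auto-retrieve` performs is simulated here by a local directory standing in for the caIssuers server, so the script runs without network access.

```shell
#!/bin/sh
# Added example, not from the GnuTLS project: reproduce "issuer is unknown"
# offline and fix it the way --ca-auto-retrieve does, by following the leaf's
# AIA caIssuers URL to the missing intermediate. Hypothetical names throughout;
# the caIssuers "server" is a local directory rather than an HTTP host.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:demo.example
# The pointer a client follows when the server omits the intermediate.
authorityInfoAccess = caIssuers;URI:http://aia.demo.example/intermediate.der
EOF

cd "$WORK"
# Root CA: the only certificate the verifier trusts (think system CA bundle).
openssl req -x509 -config req.cnf -extensions v3_root -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -days 30 -subj "/O=Demo/CN=Demo Root" 2>/dev/null

# Intermediate CA signed by the root (the role R3 plays for Let's Encrypt).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/O=Demo/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile req.cnf -extensions v3_inter -out inter.pem 2>/dev/null

# Server leaf signed by the intermediate, carrying the AIA caIssuers pointer.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=demo.example" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile req.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Simulated caIssuers server: the DER intermediate "published" at the AIA URL.
mkdir aia-server
openssl x509 -in inter.pem -outform DER -out aia-server/intermediate.der

# What the client sees when the server sends only the leaf: the root is trusted
# but nothing links the leaf's issuer to it, so verification fails (nonzero exit).
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem"
}

# Pull the caIssuers URL out of the leaf's Authority Information Access extension.
aia_ca_issuer_url() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n 1
}

# "Retrieve" the intermediate from the AIA URL and verify again. A real client
# does an HTTP GET here; we map the URL onto the local directory instead.
verify_leaf_with_aia() {
  url="$(aia_ca_issuer_url)"
  fetched="$WORK/aia-server/$(basename "$url")"
  openssl x509 -inform DER -in "$fetched" -out "$WORK/fetched-inter.pem"
  # The fetched certificate is untrusted input: it only helps build a path to the root.
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fetched-inter.pem" "$WORK/leaf.pem"
}

echo "--- without the intermediate:"
verify_leaf_alone || echo "(verification failed, exit status $?)"
echo "--- AIA caIssuers: $(aia_ca_issuer_url)"
echo "--- after retrieving the intermediate:"
verify_leaf_with_aia
```

Against a real server, the directory lookup in `verify_leaf_with_aia` becomes a download of the printed URL (for example with `curl -o intermediate.der "$url"`), which is exactly what the `Connecting to caIssuer server: r3.i.lencr.org...` lines in the gnutls-cli transcript above are doing. Note that the fetched certificate goes in via `-untrusted`, never into the CA file: AIA tells the client where to find a candidate issuer, and only the signature path back to the already-trusted root makes it count. The failing first verification also illustrates the remark about openssl: `openssl verify` reports the broken chain through its exit status, whereas `openssl s_client` keeps handshaking after the same error unless `-verify_return_error` is given.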
