[gnutls-devel] GnuTLS | `The certificate issuer is unknown.` despite certificate being present (#1455)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Mon Feb 20 10:16:12 CET 2023



Paul Menzel created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1455



Using self-built GnuTLS 3.7.8, it’s unable to verify www.netfilter.org (or iptables.org).

```
$ gnutls-cli --version
gnutls-cli 3.7.8
[…]
$ gnutls-cli www.netfilter.org
Processed 142 CA certificate(s).
Resolving 'www.netfilter.org:443'...
Connecting to '92.243.18.11:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04675191b85af1eea91388782cc5a2e1258c, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-01-06 22:33:05 UTC', expires `2023-04-06 22:33:04 UTC', pin-sha256="+uWS05Cq49ezAdUve1eMV+fAqtOqSVI1kPr0UM9mxGE="
	Public Key ID:
		sha1:138a74de0999cbecdbfda39e88f372307a2e4ee8
		sha256:fae592d390aae3d7b301d52f7b578c57e7c0aad3aa49523590faf450cf66c461
	Public Key PIN:
		pin-sha256:+uWS05Cq49ezAdUve1eMV+fAqtOqSVI1kPr0UM9mxGE=

- Certificate[1] info:
 - subject `CN=iptables.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04675191b85af1eea91388782cc5a2e1258c, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-01-06 22:33:05 UTC', expires `2023-04-06 22:33:04 UTC', pin-sha256="+uWS05Cq49ezAdUve1eMV+fAqtOqSVI1kPr0UM9mxGE="
- Certificate[2] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[3] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```

strace shows that it’s parsing `/etc/ssl/certs/ca-certificates.crt`

    openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 3

pointing to `/etc/ssl/ca-bundle.crt`.

    $ ls -lh /etc/ssl/certs/ca-certificates.crt
    lrwxrwxrwx 1 root root 22 Jun 17  2014 /etc/ssl/certs/ca-certificates.crt -> /etc/ssl/ca-bundle.crt

That file contains

    Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

but not the listed issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.`.

The certificates are retrieved from `https://curl.haxx.se/ca/cacert.pem`.

For some reason it works in Debian sid/unstable with *gnutls-bin* 3.7.9-1.

It might be related to [DST Root CA X3 Expiration (September 2021)](https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/).

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1455
You're receiving this email because of your account on gitlab.com.
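The report above hinges on how a verifier reconciles the chain the server sends (leaf, R3, and ISRG Root X1 cross-signed by DST Root CA X3) with a trust store that holds only the self-signed ISRG Root X1. The following is an added example, not code from the report or from GnuTLS: it models two path-building strategies in plain Python with constructed stand-in certificates. A verifier that walks to the end of the presented chain and then looks up the last certificate's issuer fails with "issuer unknown" as soon as DST Root CA X3 is gone from the store, while an RFC 5280 style walk stops at the first certificate whose issuer is a trust anchor, matched by subject and public key, and never looks at the cross-signed root. Signatures here are a toy SHA-256 binding, not RSA-SHA256, and all key identifiers and the ISRG Root X1 self-signed expiry are assumed values; only the dates visible in the report's `gnutls-cli` output are taken from the page.

```python
"""Model of X.509 path building against a trust store (added example, stdlib only).

Certificates are constructed stand-ins; 'signatures' are SHA-256 over the
issuer's key identifier plus the TBS fields, so they model key binding only
and offer no secrecy. The path-building logic is the real subject here.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2023, 2, 20, tzinfo=UTC)        # date of the report (assumed check time)
LATER = datetime(2023, 5, 1, tzinfo=UTC)       # after the leaf's expiry, for a negative case
ISSUER_UNKNOWN = "The certificate issuer is unknown."


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes            # stand-in for SubjectPublicKeyInfo (the key this cert carries)
    not_after: datetime
    signature: bytes       # toy signature, see sign()


def _tbs(subject: str, issuer: str, spki: bytes, not_after: datetime) -> bytes:
    return f"{subject}|{issuer}|{spki.hex()}|{not_after.isoformat()}".encode()


def sign(issuer_spki: bytes, subject: str, issuer: str, spki: bytes, not_after: datetime) -> bytes:
    """Toy signature: binds the TBS fields to the *issuer's* key identifier (model only)."""
    return hashlib.sha256(issuer_spki + _tbs(subject, issuer, spki, not_after)).digest()


def issue(subject: str, issuer_cert: Cert, spki: bytes, not_after: datetime) -> Cert:
    sig = sign(issuer_cert.spki, subject, issuer_cert.subject, spki, not_after)
    return Cert(subject, issuer_cert.subject, spki, not_after, sig)


def self_sign(subject: str, spki: bytes, not_after: datetime) -> Cert:
    return Cert(subject, subject, spki, not_after, sign(spki, subject, subject, spki, not_after))


def signed_by(cert: Cert, candidate: Cert) -> bool:
    """Issuer name must match AND the signature must verify under the candidate's key."""
    return cert.issuer == candidate.subject and cert.signature == sign(
        candidate.spki, cert.subject, cert.issuer, cert.spki, cert.not_after)


def verify_naive(chain: list, anchors: set, now: datetime) -> str:
    """Hypothetical strategy: walk to the END of the presented chain, then require
    the last certificate's issuer to be in the trust store."""
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return f"expired: {cert.subject}"
        if i + 1 < len(chain) and not signed_by(cert, chain[i + 1]):
            return f"bad signature: {cert.subject}"
    if not any(signed_by(chain[-1], a) for a in anchors):
        return ISSUER_UNKNOWN
    return "trusted"


def verify_rfc5280(chain: list, anchors: set, now: datetime) -> str:
    """RFC 5280 style: the path ends at the first certificate whose issuer is a
    trust anchor (matched by subject name and key). Surplus chain certificates,
    such as a cross-signed copy of the anchor, are simply never consulted."""
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return f"expired: {cert.subject}"
        if any(signed_by(cert, a) for a in anchors):
            return "trusted"
        if i + 1 < len(chain) and signed_by(cert, chain[i + 1]):
            continue
        return ISSUER_UNKNOWN
    return ISSUER_UNKNOWN


def build_fixture():
    """Constructed chain mirroring the report; returns (chain, anchors, dst_root)."""
    isrg_key, dst_key, r3_key, leaf_key = b"isrg-root-x1-key", b"dst-root-ca-x3-key", b"r3-key", b"iptables-org-key"
    dst_root = self_sign("CN=DST Root CA X3,O=Digital Signature Trust Co.", dst_key,
                         datetime(2021, 9, 30, tzinfo=UTC))                      # expired root
    isrg_self = self_sign("CN=ISRG Root X1,O=Internet Security Research Group,C=US", isrg_key,
                          datetime(2035, 1, 1, tzinfo=UTC))                      # assumed expiry
    # Cross-signed ISRG Root X1: same subject and key as isrg_self, different issuer/signature.
    isrg_cross = issue(isrg_self.subject, dst_root, isrg_key, datetime(2024, 9, 30, 18, 14, 3, tzinfo=UTC))
    r3 = issue("CN=R3,O=Let's Encrypt,C=US", isrg_self, r3_key, datetime(2025, 9, 15, 16, 0, 0, tzinfo=UTC))
    leaf = issue("CN=iptables.org", r3, leaf_key, datetime(2023, 4, 6, 22, 33, 4, tzinfo=UTC))
    return [leaf, r3, isrg_cross], {isrg_self}, dst_root


def run_demo() -> dict:
    chain, anchors, dst_root = build_fixture()
    return {
        "naive, store without DST": verify_naive(chain, anchors, NOW),
        "rfc5280, store without DST": verify_rfc5280(chain, anchors, NOW),
        "naive, store still has DST": verify_naive(chain, anchors | {dst_root}, NOW),
        "rfc5280, leaf only": verify_rfc5280(chain[:1], anchors, NOW),
        "rfc5280, after leaf expiry": verify_rfc5280(chain, anchors, LATER),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:30s} -> {result}")
```

The third case is why the report's DST Root CA X3 link is plausible in this model: while DST Root CA X3 was still in the store, the naive walk succeeded because the cross-signed root verified against it; once stores dropped the expired root, only the anchor-matching walk finds a path. Note also that byte-for-byte comparison of chain certificates against the store would not help here, since the cross-signed and self-signed ISRG Root X1 are different certificates that happen to share a subject and key.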

