<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #666;">
<a href="https://gitlab.com/tkrizek">Tomas Krizek</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1131">#1131</a>:
</p>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">When a root certificate appears twice in the certificate chain, it is marked as untrusted. I suppose there's no reason why duplicate certificates should be in the chain, but these do appear in the wild, e.g. <code>gitlab.nic.cz</code> (as of 2020-12-07).</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.7.0 (the same certificate chain works fine with 3.6.15)</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Archlinux</p>
<h2 dir="auto">
<a id="user-content-how-reproducible-100" class="anchor" href="#how-reproducible-100" aria-hidden="true"></a>How reproducible: 100%</h2>
<p dir="auto">Steps to Reproduce:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ gnutls-cli gitlab.nic.cz</span>
<span id="LC2" class="line" lang="plaintext">Processed 149 CA certificate(s).</span>
<span id="LC3" class="line" lang="plaintext">Resolving 'gitlab.nic.cz:443'...</span>
<span id="LC4" class="line" lang="plaintext">Connecting to '217.31.192.133:443'...</span>
<span id="LC5" class="line" lang="plaintext">- Certificate type: X.509</span>
<span id="LC6" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>
<span id="LC7" class="line" lang="plaintext">- Certificate[0] info:</span>
<span id="LC8" class="line" lang="plaintext"> - subject `CN=gitlab.labs.nic.cz', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x043d7d8a63166e0368df867d4c584791ae65, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-16 08:03:24 UTC', expires `2021-02-14 08:03:24 UTC', pin-sha256="7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs="</span>
<span id="LC9" class="line" lang="plaintext">       Public Key ID:</span>
<span id="LC10" class="line" lang="plaintext">              sha1:1bb89b72e0dfd583e5cc970030310e38f7740ffa</span>
<span id="LC11" class="line" lang="plaintext">              sha256:ecd066036fdd0e3277a3a4872cb6e1a0fea74eef7906120c94e406fc51934ccb</span>
<span id="LC12" class="line" lang="plaintext">      Public Key PIN:</span>
<span id="LC13" class="line" lang="plaintext">              pin-sha256:7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs=</span>
<span id="LC14" class="line" lang="plaintext"></span>
<span id="LC15" class="line" lang="plaintext">- Certificate[1] info:</span>
<span id="LC16" class="line" lang="plaintext"> - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="</span>
<span id="LC17" class="line" lang="plaintext">- Certificate[2] info:</span>
<span id="LC18" class="line" lang="plaintext"> - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="</span>
<span id="LC19" class="line" lang="plaintext">- Status: The certificate is NOT trusted. The certificate issuer is unknown. </span>
<span id="LC20" class="line" lang="plaintext">*** PKI verification of server certificate failed...</span>
<span id="LC21" class="line" lang="plaintext">*** Fatal error: Error in the certificate.</span></code></pre>
<p dir="auto">In case the service cert gets fixed in the meantime, I'm also attaching a copy of the certificate. <a href="https://gitlab.com/gnutls/gnutls/uploads/ae1a7cd5362b07fcba7210c2b2247503/gitlab.nic.cz.pem" data-link="true" class="gfm">gitlab.nic.cz.pem</a></p>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">certificate verification fails</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">certificate verification succeeds</p>
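<p dir="auto">A quick check an operator can run on a saved chain such as the attached PEM before deciding whether the server or the verifier is at fault. This is an added example, not code from the issue or from GnuTLS: it parses the PEM blocks, fingerprints each DER blob with SHA-256, reports positions whose certificate repeats (as Certificate[1] and Certificate[2] do in the gnutls-cli output above), and builds an order-preserving deduplicated chain. The sample blocks are constructed placeholder bytes, not real certificates, so the script runs offline; point <code>parse_pem_chain</code> at a real bundle to check a live chain.</p>

```python
import base64
import hashlib
import re

# Constructed sample input: the payloads are arbitrary placeholder bytes,
# NOT real X.509 DER. The second and third blocks are byte-identical, which
# mimics the duplicated intermediate in the report's chain.
def _pem_block(label, payload):
    b64 = base64.encodebytes(payload).decode("ascii")  # 76-column lines
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

SAMPLE_CHAIN = (
    _pem_block("CERTIFICATE", b"placeholder-leaf-certificate-bytes")
    + _pem_block("CERTIFICATE", b"placeholder-intermediate-certificate-bytes")
    + _pem_block("CERTIFICATE", b"placeholder-intermediate-certificate-bytes")
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def parse_pem_chain(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in the order found."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]

def fingerprint(der):
    """SHA-256 of the DER encoding, the usual identity for a certificate."""
    return hashlib.sha256(der).hexdigest()

def find_duplicates(chain):
    """Map fingerprint -> list of chain positions, for certs that appear more than once."""
    positions = {}
    for index, der in enumerate(chain):
        positions.setdefault(fingerprint(der), []).append(index)
    return {fp: idx for fp, idx in positions.items() if len(idx) > 1}

def dedupe_chain(chain):
    """Keep the first occurrence of each certificate, preserving chain order."""
    seen = set()
    deduped = []
    for der in chain:
        fp = fingerprint(der)
        if fp not in seen:
            seen.add(fp)
            deduped.append(der)
    return deduped

def report(pem_text):
    """Human-readable summary; returns (original length, deduplicated length)."""
    chain = parse_pem_chain(pem_text)
    dups = find_duplicates(chain)
    for fp, idx in dups.items():
        print(f"certificate {fp[:16]}... sent at positions {idx}")
    clean = dedupe_chain(chain)
    print(f"{len(chain)} certificates received, {len(clean)} after deduplication")
    return len(chain), len(clean)

if __name__ == "__main__":
    report(SAMPLE_CHAIN)
```

<p dir="auto">On the server side the fix is to stop sending the repeated block; on the verifier side, dropping exact duplicates before path building (as above) is harmless because a byte-identical certificate adds no new signature relation to the chain.</p>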

</div>
</body>
</html>