<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #666;">
<a href="https://gitlab.com/darnir">Darshit Shah</a> created an issue <a href="https://gitlab.com/gnutls/gnutls/-/issues/1139">#1139</a>:
</p>
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">It seems like certificates signed by the old Let's Encrypt CA certificate "Let's Encrypt Authority X3" are not being recognized as valid by gnutls.
The same certificate is recorded as valid when I use OpenSSL.</p>
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">3.7.0</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">Arch Linux Official repository package</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">Always</p>
<p dir="auto">Steps to Reproduce:</p>
<ul dir="auto">
<li><code>gnutls-cli translationproject.org</code></li>
</ul>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Processed 139 CA certificate(s).</span>
<span id="LC2" class="line" lang="plaintext">Resolving 'translationproject.org:443'...</span>
<span id="LC3" class="line" lang="plaintext">Connecting to '2a01:7c8:c037:6::20:443'...</span>
<span id="LC4" class="line" lang="plaintext">- Certificate type: X.509</span>
<span id="LC5" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>
<span id="LC6" class="line" lang="plaintext">- Certificate[0] info:</span>
<span id="LC7" class="line" lang="plaintext"> - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="</span>
<span id="LC8" class="line" lang="plaintext">        Public Key ID:</span>
<span id="LC9" class="line" lang="plaintext">                sha1:3a6a632ee02dacea20b66789fbfc9bf58dc46b27</span>
<span id="LC10" class="line" lang="plaintext">                sha256:83e72f0e6b0af82892e537cc89ab059bb46ab0c972f09fb26a61be55b29e8483</span>
<span id="LC11" class="line" lang="plaintext">        Public Key PIN:</span>
<span id="LC12" class="line" lang="plaintext">                pin-sha256:g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM=</span>
<span id="LC13" class="line" lang="plaintext"></span>
<span id="LC14" class="line" lang="plaintext">- Certificate[1] info:</span>
<span id="LC15" class="line" lang="plaintext"> - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="</span>
<span id="LC16" class="line" lang="plaintext">- Certificate[2] info:</span>
<span id="LC17" class="line" lang="plaintext"> - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="</span>
<span id="LC18" class="line" lang="plaintext">- Status: The certificate is NOT trusted. The certificate issuer is unknown. </span>
<span id="LC19" class="line" lang="plaintext">*** PKI verification of server certificate failed...</span>
<span id="LC20" class="line" lang="plaintext">*** Fatal error: Error in the certificate.</span></code></pre>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">The certificate is recognized as valid. On Firefox I don't see any problems as it recognizes it just fine. As does <code>openssl s_client</code>.
Other websites using Let's Encrypt, but with the newer signing certificate, have no problems.</p>

</div>
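<p dir="auto">The certificate list printed in the report can be checked mechanically for structure: whether any entry repeats, and whether each certificate's issuer is the subject of the entry that follows it. The Python check below is an added example, not part of the original issue or of GnuTLS; <code>parse_chain</code> and <code>lint_chain</code> are hypothetical names, and the sample text is abridged from the <code>gnutls-cli</code> output above.</p>

```python
import re

# Abridged from the gnutls-cli output in the report (fields after the key size dropped).
SAMPLE = """\
- Certificate[0] info:
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits
- Certificate[1] info:
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits
"""

# gnutls-cli quotes names as `...'; names may themselves contain an apostrophe,
# so each field is delimited by the literal text that introduces the next one.
CERT_RE = re.compile(r"subject `(.*?)', issuer `(.*?)', serial (0x[0-9a-f]+)")


def parse_chain(text):
    """Return [(subject, issuer, serial), ...] in the order the server sent them."""
    return [m.groups() for m in CERT_RE.finditer(text)]


def lint_chain(chain):
    """Report structural problems in a presented certificate list.

    Compares printed names and serials only. It verifies no signatures and
    makes no claim about how a particular TLS library builds its path.
    """
    findings = []
    seen = {}
    for i, (_subject, issuer, serial) in enumerate(chain):
        key = (issuer, serial)  # issuer name + serial identifies a certificate
        if key in seen:
            findings.append(("duplicate", i, seen[key]))
        else:
            seen[key] = i
    # Each entry should be issued by the entry that follows it.
    for i, (cur, nxt) in enumerate(zip(chain, chain[1:])):
        if nxt[0] != cur[1]:
            findings.append(("broken-link", i, i + 1))
    return findings


if __name__ == "__main__":
    for kind, a, b in lint_chain(parse_chain(SAMPLE)):
        print(f"{kind}: Certificate[{a}] vs Certificate[{b}]")
```

<p dir="auto">On the abridged sample it reports Certificate[1] as a repeat of Certificate[0] and a subject/issuer mismatch between those two entries.</p>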
</body>
</html>