<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>

<head>

<meta content="text/html; charset=utf-8" http-equiv="Content-Type">

<title>

GitLab

</title>

<style data-premailer="ignore" type="text/css">

a { color: #1068bf; }

</style>

<style>img {

max-width: 100%; height: auto;

}

body {

font-size: .875rem;

}

body {

-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;

}

body {

font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;

}

</style>

</head>

<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>

<div class="content">

<p style="color: #777777;">

<a href="https://gitlab.com/TheRealMichaelCatanzaro">Michael Catanzaro</a>

<a href="https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2943262061">commented</a>:

</p>

<div class="md" style="position: relative; z-index: 1; color: #3a383f; word-wrap: break-word;">

<p dir="auto" style="color: #3a383f; margin: 0 0 1rem;" align="initial">OK, I discovered that gnutls-cli actually already supports this via the <code style='font-size: 90%; color: #18171d; word-wrap: break-word; background-color: #ececef; border-radius: .25rem; margin-top: 0; font-weight: inherit; overflow-wrap: break-word; white-space: break-spaces; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: keep-all; padding: 0.125rem 0.25rem;'>--ca-auto-retrieve</code> option:</p>

<div class="gl-relative markdown-code-block js-markdown-code">

<pre class="code highlight js-syntax-highlight language-plaintext" v-pre="true" style='display: block; font-size: 14px; color: #3a383f; line-height: 1.6em; overflow-x: auto; border-radius: .25rem; position: relative; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; margin: 0 0 1rem; padding: 12px; border: 1px solid #dcdcde;'><code style='font-size: inherit; color: inherit; word-wrap: normal; word-break: keep-all; background-color: inherit; border-radius: .25rem; white-space: pre; margin-top: 0; font-family: "GitLab Mono", "JetBrains Mono", "Menlo", "DejaVu Sans Mono", "Liberation Mono", "Consolas", "Ubuntu Mono", "Courier New", "andale mono", "lucida console", monospace; font-variant-ligatures: none; overflow-wrap: normal; padding: unset;'><span id="LC1" class="line" lang="plaintext" style="margin-top: 0;">$ gnutls-cli --ca-auto-retrieve app.usmobile.com</span>

<span id="LC2" class="line" lang="plaintext">Processed 393 CA certificate(s).</span>

<span id="LC3" class="line" lang="plaintext">Resolving 'app.usmobile.com:443'...</span>

<span id="LC4" class="line" lang="plaintext">Connecting to '2606:4700::6812:667:443'...</span>

<span id="LC5" class="line" lang="plaintext">- Certificate type: X.509</span>

<span id="LC6" class="line" lang="plaintext">- Got a certificate list of 3 certificates.</span>

<span id="LC7" class="line" lang="plaintext">- Certificate[0] info:</span>

<span id="LC8" class="line" lang="plaintext"> - subject `CN=app.usmobile.com', issuer `CN=Cloudflare TLS Issuing ECC CA 3,O=SSL Corporation,C=US', serial 0x3d7fb41e831e456921073810e12e6290, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2025-11-12 18:05:49 UTC', expires `2026-11-12 17:47:06 UTC', pin-sha256="70y5eLrafXTVMjbptBrllO9Mw8FW9c2xuofNXy0Qqkc="</span>

<span id="LC9" class="line" lang="plaintext">       Public Key ID:</span>

<span id="LC10" class="line" lang="plaintext">              sha1:edd8ffacf5be4501880ac4d61bb967f84583cb6f</span>

<span id="LC11" class="line" lang="plaintext">              sha256:ef4cb978bada7d74d53236e9b41ae594ef4cc3c156f5cdb1ba87cd5f2d10aa47</span>

<span id="LC12" class="line" lang="plaintext">      Public Key PIN:</span>

<span id="LC13" class="line" lang="plaintext">              pin-sha256:70y5eLrafXTVMjbptBrllO9Mw8FW9c2xuofNXy0Qqkc=</span>

<span id="LC14" class="line" lang="plaintext"></span>

<span id="LC15" class="line" lang="plaintext">- Certificate[1] info:</span>

<span id="LC16" class="line" lang="plaintext"> - subject `CN=Cloudflare TLS Issuing ECC CA 3,O=SSL Corporation,C=US', issuer `CN=SSL.com TLS Transit ECC CA R2,O=SSL Corporation,C=US', serial 0x31eee88afb87cd9ef8336604743f9b27, EC/ECDSA key 256 bits, signed using ECDSA-SHA384, activated `2025-05-29 19:49:45 UTC', expires `2035-05-27 19:49:44 UTC', pin-sha256="44viFzTC+h/L+3OHRg4Rs5v4+AcpzHZvI9Tne2RDNGk="</span>

<span id="LC17" class="line" lang="plaintext">- Certificate[2] info:</span>

<span id="LC18" class="line" lang="plaintext"> - subject `CN=SSL.com TLS Transit ECC CA R2,O=SSL Corporation,C=US', issuer `CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00ad8d2df64681a0d36447eaa94fa273c1, EC/ECDSA key 384 bits, signed using RSA-SHA256, activated `2024-06-21 00:00:00 UTC', expires `2028-12-31 23:59:59 UTC', pin-sha256="OXyj9ngbqO9cjLeO/+t9Ggl2EP4JTnVWHq4LEwhFM9w="</span>

<span id="LC19" class="line" lang="plaintext">- Status: The certificate is NOT trusted. The certificate issuer is unknown. </span>

<span id="LC20" class="line" lang="plaintext">*** PKI verification of server certificate failed...</span>

<span id="LC21" class="line" lang="plaintext">*** Fatal error: Error in the certificate.</span></code></pre>

<copy-code></copy-code><insert-code-snippet></insert-code-snippet>

</div>

<p dir="auto" style="color: #3a383f; margin: 0;" align="initial">Unfortunately it still fails to validate. Since browsers can find a valid certification path, ideally GnuTLS would be able to as well.</p>

</div>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #626168;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2943262061">view it on GitLab</a>.

<br>

You're receiving this email because of your account on <a target="_blank" rel="noopener noreferrer" href="https://gitlab.com">gitlab.com</a>. <a href="https://gitlab.com/-/sent_notifications/2-0o3xxpfyqxp8s5nezdm7ajrf6/unsubscribe" target="_blank" rel="noopener noreferrer">Unsubscribe</a> from this thread · <a href="https://gitlab.com/-/profile/notifications" target="_blank" rel="noopener noreferrer" class="mng-notif-link">Manage all notifications</a> · <a href="https://gitlab.com/help" target="_blank" rel="noopener noreferrer" class="help-link">Help</a>

<span style="color: transparent; font-size: 0; display: none; overflow: hidden; opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0;">

Notification message regarding https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2943262061 at 1765312032

</span>

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1771#note_2943262061"}}</script>

</p>

</div>

</body>

</html>