problem with fetch and SSL/TLS certificates

Miroslav Lachman 000.fbsd at quip.cz
Thu Sep 30 23:32:09 CEST 2021


It is a similar problem to the one that was just being discussed here in "upgrade BSD 10.0".
On one old server with FreeBSD 11.2 that is being kept running until retirement, "fetch" started throwing this error today:

Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34374359624:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:

It is the intermediate certificate from Let's Encrypt:
         Validity
             Not Before: Sep 30 21:12:19 2000 GMT
             Not After : Sep 30 14:01:15 2021 GMT
         Subject: O=Digital Signature Trust Co., CN=DST Root CA X3

The HTTPS certificate itself is current. So I somehow figured it would be enough to update ca_root_nss, but even though I now have ca_root_nss-3.63 on that machine, it still throws the same error.

I tried ktrace on fetch and there I can see that it uses /usr/local/etc/ssl/cert.pem

It really does contain the old certificate that expired today:

# grep -B3 'DST Root CA X3' /usr/local/etc/ssl/cert.pem
         Serial Number:
             44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
         Validity
             Not Before: Sep 30 21:12:19 2000 GMT
             Not After : Sep 30 14:01:15 2021 GMT
         Subject: O = Digital Signature Trust Co., CN = DST Root CA X3

The strange thing is that when I run the same fetch against the same URL on a machine with FreeBSD 12.2, it goes through fine, even though the same version of ca_root_nss is there.

So where does fetch get the information about which intermediate and root certificate is valid for that URL, which now throws an error on that old server? (Both fetch and the web server run on the same 11.2 machine.)

The certificate with the full chain used on the web server is this one:

subject= /CN=XXXX.XXXXX.XXX
issuer= /C=US/O=Let's Encrypt/CN=R3
notBefore=Sep 30 19:36:33 2021 GMT
notAfter=Dec 29 19:36:32 2021 GMT
SHA1 Fingerprint=E3:BF:09:F9:AC:64:9A:C5:D5:21:83:7E:74:52:BE:C3:CC:EF:5C:C7

subject= /C=US/O=Let's Encrypt/CN=R3
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Sep  4 00:00:00 2020 GMT
notAfter=Sep 15 16:00:00 2025 GMT
SHA1 Fingerprint=A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05

subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
notBefore=Jan 20 19:14:03 2021 GMT
notAfter=Sep 30 18:14:03 2024 GMT
SHA1 Fingerprint=93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF


So here the newer DST Root CA X3 valid until 2024 is being used.

I am running out of ideas for what else to try so that fetch on FreeBSD 11.2 with ca_root_nss-3.63 is able to download a file from a web server with a current Let's Encrypt certificate.

Mirek
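A check that narrows this kind of failure down, added here as an example and not part of Mirek's post: it scans the same text views quoted above (the openssl -text header that ca_root_nss writes in front of each PEM block in cert.pem, and the subject=/notAfter= output of the served chain) and lists every entry already past its notAfter at a given time, so a stale entry like DST Root CA X3 shows up before fetch trips over it. All names are the example's own; the sample input is constructed from the dates quoted in the post.

```python
"""Stdlib-only check for expired entries in OpenSSL certificate text views.
Accepts the `openssl x509 -text` layout ca_root_nss puts before each PEM block
in cert.pem (Not After / Subject) and the `-subject -dates` layout (subject= / notAfter=)."""
from datetime import datetime, timezone

def parse_openssl_date(text):
    """Parse 'Sep 30 14:01:15 2021 GMT' (also the 'Sep  4 ...' single-digit-day form)."""
    fields = text.replace("GMT", "").split()      # split() also collapses the double space
    return datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def certs_from_text(text):
    """Yield (subject, not_after) for every certificate described in text."""
    subject = not_after = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Not After :"):          # -text layout: the date precedes Subject
            not_after = parse_openssl_date(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            yield line.split(":", 1)[1].strip(), not_after
            not_after = None
        elif line.startswith("subject="):           # -subject/-dates layout: subject comes first
            subject = line.split("=", 1)[1].strip()
        elif line.startswith("notAfter="):
            yield subject, parse_openssl_date(line.split("=", 1)[1])
            subject = None

def expired_subjects(text, now):
    """Subjects whose notAfter is at or before `now` (a timezone-aware datetime)."""
    return [s for s, exp in certs_from_text(text) if exp is not None and exp <= now]

# Constructed sample input: the two entries quoted in the post, one in each layout.
SAMPLE = """\
         Validity
             Not Before: Sep 30 21:12:19 2000 GMT
             Not After : Sep 30 14:01:15 2021 GMT
         Subject: O = Digital Signature Trust Co., CN = DST Root CA X3

subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
notBefore=Jan 20 19:14:03 2021 GMT
notAfter=Sep 30 18:14:03 2024 GMT
"""
# The post was sent Thu Sep 30 23:32 CEST 2021, i.e. 21:32 UTC.
POST_TIME = datetime(2021, 9, 30, 21, 32, tzinfo=timezone.utc)

if __name__ == "__main__":
    for subject in expired_subjects(SAMPLE, POST_TIME):
        print("expired in bundle:", subject)
```

Running it against the real file (`openssl x509 -in cert -noout -subject -dates` per certificate, or the cert.pem text as-is) at the current time gives the list of entries to drop or refresh.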


More information about the Users-l mailing list