Problem with fetch and SSL/TLS certificates
Miroslav Lachman
000.fbsd at quip.cz
Thu Sep 30 23:32:09 CEST 2021
It is a similar problem to the one that was just being discussed here in "upgrade BSD 10.0".
On one old server with FreeBSD 11.2, kept running "until it dies", "fetch" started
throwing this error today:
Certificate verification failed for /O=Digital Signature Trust
Co./CN=DST Root CA X3
34374359624:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify
failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
It is the intermediate certificate from Let's Encrypt:
Validity
Not Before: Sep 30 21:12:19 2000 GMT
Not After : Sep 30 14:01:15 2021 GMT
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
The HTTPS certificate itself is current. So I somehow assumed that updating
ca_root_nss would be enough, but even though I now have ca_root_nss-3.63 on that
machine, it still throws the same error.
I tried ktrace on fetch and there I can see that it uses
/usr/local/etc/ssl/cert.pem
It really does contain the old certificate, which expired today:
# grep -B3 'DST Root CA X3' /usr/local/etc/ssl/cert.pem
Serial Number:
44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
Signature Algorithm: sha1WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Sep 30 21:12:19 2000 GMT
Not After : Sep 30 14:01:15 2021 GMT
Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
The strange thing is that when I run the same fetch against the same URL on a
machine with FreeBSD 12.2, it goes through fine, even though the same version of
ca_root_nss is installed there.
So where does fetch take its information about which intermediate and root
certificate is valid for the URL that is now throwing the error on that old
server? (fetch and the web server both run on the same 11.2 machine)
The certificate with the full chain used on the web server is this one:
subject= /CN=XXXX.XXXXX.XXX
issuer= /C=US/O=Let's Encrypt/CN=R3
notBefore=Sep 30 19:36:33 2021 GMT
notAfter=Dec 29 19:36:32 2021 GMT
SHA1 Fingerprint=E3:BF:09:F9:AC:64:9A:C5:D5:21:83:7E:74:52:BE:C3:CC:EF:5C:C7
subject= /C=US/O=Let's Encrypt/CN=R3
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Sep 4 00:00:00 2020 GMT
notAfter=Sep 15 16:00:00 2025 GMT
SHA1 Fingerprint=A0:53:37:5B:FE:84:E8:B7:48:78:2C:7C:EE:15:82:7A:6A:F5:A4:05
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
notBefore=Jan 20 19:14:03 2021 GMT
notAfter=Sep 30 18:14:03 2024 GMT
SHA1 Fingerprint=93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF
So the newer DST Root CA X3, valid until 2024, is used here.
I am running out of ideas about what else to try so that fetch on FreeBSD 11.2 with
ca_root_nss-3.63 is able to download a file from a web server with a current
Let's Encrypt certificate.
Mirek
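Added example, not part of Mirek's post or of FreeBSD: a small standard-library Python scanner that does what the grep above does by hand, i.e. walks every certificate in a PEM bundle such as /usr/local/etc/ssl/cert.pem, pulls issuer, subject and validity out of the DER, and reports which certificates are already expired and which still-valid ones chain to an expired issuer (the cross-signed ISRG Root X1 case shown in the post). The sample bundle is constructed inside the block from the names and dates quoted in the post, with empty key and signature fields, so it is not real CA data; the DER walker checks dates only and verifies no signatures.

```python
# Added example: scan a PEM CA bundle for expired certificates and for
# certificates whose issuer has expired, using only the standard library.
# The "certificates" fed to it below are constructed, unsigned, key-less
# DER structures built from the names/dates in the post (not real CA data).
import base64
import re
from datetime import datetime, timezone

UTC = timezone.utc
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
_NAME_OIDS = {v: k for k, v in _OID_NAMES.items()}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return [(tag, value), ...] for the elements of a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """UTCTime (0x17, YYMMDD..) or GeneralizedTime (0x18, YYYYMMDD..) -> aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                                     # RFC 5280: YY >= 50 -> 19YY, else 20YY
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def _name_to_str(name):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) openssl-style."""
    parts = []
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{_OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8')}")
    return ", ".join(parts)


def cert_info(der):
    """Extract issuer, subject and validity from one DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)                      # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return {"issuer": _name_to_str(fields[2][1]), "subject": _name_to_str(fields[4][1]),
            "not_before": _parse_time(nb_tag, nb), "not_after": _parse_time(na_tag, na)}


def scan_bundle(pem_text, now):
    """Return (expired, chained): certs past notAfter, and still-valid certs whose
    issuer is one of the expired subjects (a cross-sign hanging off a dead root)."""
    certs = [cert_info(base64.b64decode(m.group(1))) for m in _PEM_RE.finditer(pem_text)]
    expired = [c for c in certs if c["not_after"] < now]
    dead = {c["subject"] for c in expired}
    chained = [c for c in certs if c not in expired and c["issuer"] in dead]
    return expired, chained


# --- constructed sample data: a minimal DER encoder for certificate-shaped blobs ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(attrs):
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _NAME_OIDS[k]) + _tlv(0x13, v.encode())))
        for k, v in attrs))


def _utc(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def make_fake_cert(subject, issuer, not_before, not_after):
    """Unsigned, key-less certificate-shaped DER in PEM armour; for exercising the scanner only."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _name(issuer) + _tlv(0x30, _utc(not_before) + _utc(not_after))
               + _name(subject) + _tlv(0x30, b""))      # empty subjectPublicKeyInfo
    cert = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


DST = [("O", "Digital Signature Trust Co."), ("CN", "DST Root CA X3")]
ISRG = [("C", "US"), ("O", "Internet Security Research Group"), ("CN", "ISRG Root X1")]
SAMPLE_BUNDLE = (  # dates as quoted in the post
    make_fake_cert(DST, DST, datetime(2000, 9, 30, 21, 12, 19, tzinfo=UTC), datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
    + make_fake_cert(ISRG, DST, datetime(2021, 1, 20, 19, 14, 3, tzinfo=UTC), datetime(2024, 9, 30, 18, 14, 3, tzinfo=UTC))
)
POST_TIME = datetime(2021, 9, 30, 21, 32, 9, tzinfo=UTC)   # Thu Sep 30 23:32:09 CEST 2021

if __name__ == "__main__":
    expired, chained = scan_bundle(SAMPLE_BUNDLE, POST_TIME)
    for c in expired:
        print("EXPIRED:", c["subject"], "notAfter", c["not_after"])
    for c in chained:
        print("VALID, BUT ISSUER EXPIRED:", c["subject"], "<-", c["issuer"])
```

To run it against a real bundle, replace SAMPLE_BUNDLE with the contents of /usr/local/etc/ssl/cert.pem and POST_TIME with datetime.now(UTC); a bundle that still ships the expired DST Root CA X3 shows up in the first list, and any cross-signed certificate hanging off it in the second.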