Page MenuHomePureOS Tracker

Amber GnuTLS fails on expired intermediate cert
Open, NormalPublic

Description

In a PureOS 9 Amber container I ran GnuTLS like this;

root@c025729fd1a8:/# gnutls-cli repo.puri.sm:443
Processed 0 CA certificate(s).
Resolving 'repo.puri.sm:443'...
Connecting to '138.201.228.45:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=repo.pureos.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0399fb524be1d68831ab006b7a29baaba15d, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-08-28 15:21:11 UTC', expires `2021-11-26 15:21:10 UTC', pin-sha256="GmkUEOwRUB93Z3jBmt6Y24YxoQ4ldt7FSN5hvjJI/+E="
	Public Key ID:
		sha1:b24b3ed9b73a339e94f397107d9b183afc3e620a
		sha256:1a691410ec11501f776778c19ade98db8631a10e2576dec548de61be3248ffe1
	Public Key PIN:
		pin-sha256:GmkUEOwRUB93Z3jBmt6Y24YxoQ4ldt7FSN5hvjJI/+E=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

Possibly a duplicate of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961889

Event Timeline

Same thing occurs in Byzantium and GnuTLS

jeremiah.foster triaged this task as Normal priority.Tue, Oct 5, 12:36

On Debian 11 this works;

gnutls-cli repo.puri.sm:443
Processed 129 CA certificate(s).
Resolving 'repo.puri.sm:443'...
Connecting to '138.201.228.45:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=repo.pureos.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0399fb524be1d68831ab006b7a29baaba15d, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-08-28 15:21:11 UTC', expires `2021-11-26 15:21:10 UTC', pin-sha256="GmkUEOwRUB93Z3jBmt6Y24YxoQ4ldt7FSN5hvjJI/+E="
	Public Key ID:
		sha1:b24b3ed9b73a339e94f397107d9b183afc3e620a
		sha256:1a691410ec11501f776778c19ade98db8631a10e2576dec548de61be3248ffe1
	Public Key PIN:
		pin-sha256:GmkUEOwRUB93Z3jBmt6Y24YxoQ4ldt7FSN5hvjJI/+E=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.

It looks like updating the certs for repo.puri.sm is the workaround. Asked systeam to do this and then we can test again.

mak added a comment.Tue, Oct 5, 14:47

We certainly can't update the system's certificates store, as that would mean people couldn't get the update that lets them get updates again :-P

My understanding was that in Debian they updated the buildd chroots. In any case, Stelios writes; "very likely an issue client side. a few days ago intermediate lets-encrypt certificates expired ,workaround on older debian systems was to drop the line DST from /etc/ca-certificates.conf and run update-ca-certificates its not a server side issue its a client side issue".

jeremiah.foster added a project: Restricted Project.Tue, Oct 5, 22:32

Amber works now but Byzantium still fails.

$  docker exec -it amber gnutls-cli repo.puri.sm:443
Processed 137 CA certificate(s).
Resolving 'repo.puri.sm:443'...
Connecting to '138.201.228.45:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=repo.pureos.net', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x03ce539f185ebac1cad5e0abe4f27c4a1bfb, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-10-06 05:35:40 UTC', expires `2022-01-04 05:35:39 UTC', pin-sha256="z6bRBtaL9QkIJ4gKA4IVyc0bE+ajft8v0YT/oaPjRFI="
	Public Key ID:
		sha1:be79d7b5096da472bd87bc0005bc189abb7f47c7
		sha256:cfa6d106d68bf5090827880a038215c9cd1b13e6a37edf2fd184ffa1a3e34452
	Public Key PIN:
		pin-sha256:z6bRBtaL9QkIJ4gKA4IVyc0bE+ajft8v0YT/oaPjRFI=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted. 
- Description: (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM)
- Session ID: 10:E9:48:A8:B2:6D:92:BE:24:65:E9:D2:8C:47:56:1C:3B:B9:E6:40:9F:4D:82:5F:C8:4C:61:7E:DB:B2:69:F1
- Options: safe renegotiation,
- Handshake was completed
jeremiah.foster closed this task as Resolved.Thu, Oct 7, 18:23
jeremiah.foster claimed this task.

Updating ca-certificates on Byzantium solves this issue.

mladen added a comment.Mon, Oct 11, 09:16

@jeremiah.foster could you please explain how to update ca-certificates?

Yes - thanks @mladen.

Updating ca-certificates is the same as updating any other package, simply do

$ sudo apt update 
$ sudo apt upgrade 

It _may_ be that ca-certificates is not installed, although that should be somewhat rare.

$ sudo apt install ca-certificates

On my amber instance here, running an upgrade just of ca-certificates would work but I've already done it and get an expected result;

$ apt upgrade ca-certificates
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version (20200601~deb10u2).
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
mladen added a comment.Wed, Oct 13, 02:29

@jeremiah.foster some people still report the issue, even though they have the latest ca-certificates (both on amber and byzantium). Any way to troubleshoot this further?

jeremiah.foster reopened this task as Open.Wed, Oct 13, 13:10

Reopened to collect other issues and hopefully other solutions.

@mladen Feel free to direct people to enter more details of their issue here, I get notification quickly.