bug#45358: bootstrap fails due to a certificate mismatch


From: Grigoriy Sokolik
Subject: bug#45358: bootstrap fails due to a certificate mismatch
Date: Tue, 9 Mar 2021 11:28:18 +0200

I've rechecked:

```
    $ gnutls-cli translationproject.org

    Processed 139 CA certificate(s).
    Resolving 'translationproject.org:443'...
    Connecting to '80.69.83.146:443'...
    - Certificate type: X.509
    - Got a certificate list of 3 certificates.
    - Certificate[0] info:
    - subject `CN=stats.vrijschrift.org', issuer `CN=R3,O=Let's
Encrypt,C=US', serial 0x043ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096
bits, signed using RSA-SHA256, activated `2021-03-01 10:34:36 UTC', expires
`2021-05-30 10:34:36 UTC',
pin-sha256="rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA="
    Public Key ID:
    sha1:351b768332605268f158f75cc602b700c8950d71
    sha256:aec69b280aa2ea099bc1f926d8a8faf64324f6f71e335a4eac8b12589dbd6b10
    Public Key PIN:
    pin-sha256:rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA=

    - Certificate[1] info:
    - subject `CN=stats.vrijschrift.org', issuer `CN=R3,O=Let's
Encrypt,C=US', serial 0x043ecc3aacb8c85e4b142ad6a502a8e749c7, RSA key 4096
bits, signed using RSA-SHA256, activated `2021-03-01 10:34:36 UTC', expires
`2021-05-30 10:34:36 UTC',
pin-sha256="rsabKAqi6gmbwfkm2Kj69kMk9vceM1pOrIsSWJ29axA="
    - Certificate[2] info:
    - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA
X3,O=Digital Signature Trust Co.', serial
0x400175048314a4c8218c84a90c16cddf, RSA key 2048 bits, signed using
RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires `2021-09-29
19:21:40 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
    - Status: The certificate is NOT trusted. The certificate issuer is
unknown.
    *** PKI verification of server certificate failed...
    *** Fatal error: Error in the certificate.
```

```
    $ openssl s_client -connect translationproject.org:443 -CApath
/etc/ssl/certs -showcerts </dev/null 2>/dev/null  | sed -n '/^-----BEGIN
CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' >
/tmp/translationproject.org.certs
    $ certtool --verbose --verify-profile=high --verify
--infile=/tmp/translationproject.org.certs
    Loaded system trust (139 CAs available)
    Subject: CN=stats.vrijschrift.org
    Issuer: CN=R3,O=Let's Encrypt,C=US
    Signature algorithm: RSA-SHA256
    Output: Not verified. The certificate is NOT trusted. The certificate
issuer is unknown.

    Subject: CN=stats.vrijschrift.org
    Issuer: CN=R3,O=Let's Encrypt,C=US
    Signature algorithm: RSA-SHA256
    Output: Not verified. The certificate is NOT trusted. The certificate
issuer is unknown.

    Subject: CN=stats.vrijschrift.org
    Issuer: CN=R3,O=Let's Encrypt,C=US
    Signature algorithm: RSA-SHA256
    Output: Not verified. The certificate is NOT trusted. The certificate
issuer is unknown.

    Chain verification output: Not verified. The certificate is NOT
trusted. The certificate issuer is unknown.

```

Thanks!
Best regards,
Grigorii


On Tue, 9 Mar 2021 at 07:55, Bob Proulx <bob@proulx.com> wrote:

> Is this problem still a problem?  Perhaps it has been fixed in the
> time this has been under discussion?  Because it looks okay to me.
>
> Grigoriy Sokolik wrote:
> >    $ curl -v https://translationproject.org/latest/coreutils/ -o
> /dev/null
> ...
> >    * Connected to translationproject.org (80.69.83.146) port 443 (#0)
> ...
> >    * successfully set certificate verify locations:
> >    *  CAfile: /etc/ssl/certs/ca-certificates.crt
> >    *  CApath: none
>
> I suspect this last line to be the root cause of the problem.  There
> is no CApath and therefore no root anchoring certificates trusted.
> Without that I don't see how any certificates can be trusted.
>
> I do the same test here and see this.
>
>     $ curl -v https://translationproject.org/latest/coreutils/ -o
> /dev/null
>     ...
>     * Connected to translationproject.org (80.69.83.146) port 443 (#0)
>     ...
>     * successfully set certificate verify locations:
>     *  CAfile: /etc/ssl/certs/ca-certificates.crt
>     *  CApath: /etc/ssl/certs
>
> Note the inclusion of the trusted root path.
>
>     * Server certificate:
>     *  subject: CN=stats.vrijschrift.org
>     *  start date: Mar  1 10:34:36 2021 GMT
>     *  expire date: May 30 10:34:36 2021 GMT
>     *  subjectAltName: host "translationproject.org" matched cert's
>     *  "translationproject.org"
>     *  issuer: C=US; O=Let's Encrypt; CN=R3
>     *  SSL certificate verify ok.
>
> Note that the certificate validates as okay.
>
> Also if I simply ask openssl to validate:
>
>     $ openssl s_client -connect translationproject.org:443 -CApath
> /etc/ssl/certs -showcerts </dev/null 2>/dev/null
>     ...
>         Verify return code: 0 (ok)
>
> If I download all of the certificates and validate using certtool,
> since you mentioned certtool I will use your example:
>
>     $ openssl s_client -connect translationproject.org:443 -CApath
> /etc/ssl/certs -showcerts </dev/null 2>/dev/null  | sed -n '/^-----BEGIN
> CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > /tmp/
> translationproject.org.certs
>     $ certtool --verbose --verify-profile=high --verify
> --infile=/tmp/translationproject.org.certs
>     Loaded system trust (127 CAs available)
>         Subject: CN=R3,O=Let's Encrypt,C=US
>         Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
>         Checked against: CN=DST Root CA X3,O=Digital Signature Trust Co.
>         Signature algorithm: RSA-SHA256
>         Output: Verified. The certificate is trusted.
>
>         Subject: CN=stats.vrijschrift.org
>         Issuer: CN=R3,O=Let's Encrypt,C=US
>         Checked against: CN=R3,O=Let's Encrypt,C=US
>         Signature algorithm: RSA-SHA256
>         Output: Verified. The certificate is trusted.
>
>     Chain verification output: Verified. The certificate is trusted.
>
> Then it again validates okay.
>
> I note that the certificate is current as of now and just recently
> renewed.  It's fresh.
>
>     $ openssl s_client -connect translationproject.org:443 -CApath
> /etc/ssl/certs -showcerts </dev/null 2>/dev/null | sed -n '/^-----BEGIN
> CERTIFICATE-----/,/^-----END CERTIFICATE-----/p;/^-----END
> CERTIFICATE-----/q' | openssl x509 -noout -dates
>     notBefore=Mar  1 10:34:36 2021 GMT
>     notAfter=May 30 10:34:36 2021 GMT
>
> Therefore I think everything is okay as far as I can tell from the
> above.  Perhaps something about the site has changed to resolve a
> problem since then?  Perhaps an intermediate certificate was added?
>
> Bob
>
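The chain-extraction and verification steps discussed in the thread, reproduced offline as an added example (not code from the thread or from coreutils): it builds its own root, intermediate and leaf with constructed placeholder names, splits the server bundle with the same sed expression used above, and shows the "trusted" and "issuer is unknown" verdicts depending on whether the root is in the trust store. It assumes the openssl CLI is installed; Example Root, Example Intermediate and stats.example are constructed names.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed root -> intermediate -> leaf
# chain, split like the thread's sed pipeline, verified with and without the root.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key + CSR for file stem $1 with subject $2; every name here is a placeholder.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_chain() {
    # CA extensions: without CA:TRUE an intermediate is rejected as "invalid CA".
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$WORK/ca.ext"
    csr root '/CN=Example Root'
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    csr int '/CN=Example Intermediate'
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    csr leaf '/CN=stats.example'
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
    # What a TLS server sends: the leaf, then the intermediate, never the root.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"
}

# Number of certificates in a PEM bundle, cut out with the same BEGIN/END
# delimiters the thread applies to `openssl s_client -showcerts` output.
cert_count() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        grep -c '^-----BEGIN CERTIFICATE-----'
}

# Verify the leaf with the intermediate offered as untrusted chain material.
# $1 is a trust-anchor file; "" falls back to the default store, which does not
# contain our root: the "certificate issuer is unknown" case from the thread.
verify_leaf() {
    openssl verify ${1:+-CAfile "$1"} -untrusted "$WORK/chain.pem" "$WORK/leaf.pem" \
        >/dev/null 2>&1 && echo trusted || echo untrusted
}

make_chain
echo "certificates sent by the server: $(cert_count "$WORK/chain.pem")"
echo "root in trust store: $(verify_leaf "$WORK/root.pem")"
echo "root absent:         $(verify_leaf "")"
```

The second verdict is what a machine with an incomplete trust store (or a curl built with no CApath) reports for a chain that a fully provisioned system accepts.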

