bug-wget

Re: Sectigo root CA expiry issue


From: Petr Pisar
Subject: Re: Sectigo root CA expiry issue
Date: Sat, 30 May 2020 21:02:36 +0200

On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
> Today I started getting some errors with a maintenance script that makes
> use of wget, where it claims that a certificate has expired.
> 
> DEBUG output created by Wget 1.19.5 on linux-gnu.
> 
> Reading HSTS entries from /root/.wget-hsts
> URI encoding = ‘UTF-8’
> --2020-05-30 17:29:58--  https://ehwiki.org/
> Certificates loaded: 154
> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
> Caching ehwiki.org => 94.100.29.76
> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
> Created socket 4.
> Releasing 0x00005633a3c84880 (new refcount 1).
> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
> ERROR: The certificate of ‘ehwiki.org’ has expired.
> 
> However, the certificate does not expire until March 2021.

Yes. That's a badly worded error message by wget. The issue is not with the
ehwiki.org certificate. The issue is with its authority's certificate.

> Doing the same
> with curl on the same box produces no errors, so it does not seem to be an
> issue with the system CA certs. Based on some slouching around, it seems to
> have something to do with wget not correctly handling the expiry of the
> Sectigo AddTrust root certificate:
> 
> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
> 
[...]
> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
> all updates applied.
> 
> I'm not sure if this is a distro issue or an issue with wget itself?

I experience it on Gentoo too. The problem is not in wget:

$ wget --version
GNU Wget 1.20.3 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls 
-ntlm +opie -psl +ssl/gnutls 

but in GnuTLS library:

$ gnutls-cli --port https ehwiki.org
Processed 158 CA certificate(s).
Resolving 'ehwiki.org:https'...
Connecting to '94.100.29.76:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12 23:59:59 UTC', pin-sha256="wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78="
        Public Key ID:
                sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
                sha256:c0f6ea14b959a906ee17eb619c26abb1fd24f026ef33cc1b6e385c4f8e65c7bf
        Public Key PIN:
                pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=

- Certificate[1] info:
 - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
- Certificate[2] info:
 - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

It seems that GnuTLS stops on a failure in the first certificate chain, while
other libraries like OpenSSL explore other chains before giving up.

It would help if the ehwiki.org server did not send the expired certificate in
the certificate chain of the TLS handshake and instead sent the alternative one
that has not yet expired, as advertised on the Sectigo web page you linked.

-- Petr
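The chain-building difference Petr describes, modelled as an added Python example (this is not code from the mail, from wget, GnuTLS or OpenSSL). The subjects, issuers and expiry dates of the three server-sent certificates are taken from the gnutls-cli output above as constructed data; the trust store contents (a self-signed USERTrust RSA root plus the AddTrust root) and the USERTrust root's own expiry date are assumptions. `verify_first_chain_only` judges only the path the server's ordering suggests and rejects the leaf at the logged time because the cross-signed USERTrust certificate has expired; `verify_any_chain` keeps exploring and finds the path to the self-signed root. `expired_in` is the operator-side check: once the cross-signed certificate is dropped from what the server sends, both verifiers succeed.

```python
"""Model of X.509 chain building with an expired cross-signed intermediate.

Added example: not code from wget, GnuTLS or OpenSSL. Certificate data is
constructed from the gnutls-cli output in the mail; the trust store and the
USERTrust root's expiry date are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    label: str  # short name used in error messages


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed from the gnutls-cli output quoted in the mail.
LEAF = Cert("CN=ehwiki.org", "CN=Gandi Standard SSL CA 2",
            ts("2021-03-12 23:59:59"), "ehwiki.org leaf")
GANDI = Cert("CN=Gandi Standard SSL CA 2", "CN=USERTrust RSA Certification Authority",
             ts("2024-09-11 23:59:59"), "Gandi Standard SSL CA 2")
USERTRUST_CROSS = Cert("CN=USERTrust RSA Certification Authority", "CN=AddTrust External CA Root",
                       ts("2020-05-30 10:48:38"), "USERTrust RSA CA (cross-signed by AddTrust)")

# Assumed trust store: the self-signed USERTrust root (expiry date assumed) and
# the AddTrust root, which expires at the same instant as the cross-signed cert.
USERTRUST_ROOT = Cert("CN=USERTrust RSA Certification Authority",
                      "CN=USERTrust RSA Certification Authority",
                      ts("2038-01-18 23:59:59"), "USERTrust RSA CA (self-signed root)")
ADDTRUST_ROOT = Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root",
                     ts("2020-05-30 10:48:38"), "AddTrust External CA Root")
TRUST_STORE = [USERTRUST_ROOT, ADDTRUST_ROOT]

SERVER_CHAIN_AS_SENT = [LEAF, GANDI, USERTRUST_CROSS]   # what gnutls-cli saw
SERVER_CHAIN_FIXED = [LEAF, GANDI]                      # cross-signed cert dropped
AT = ts("2020-05-30 17:29:58")                          # time of the wget run in the mail


def find_chains(current, presented, anchors, path=()):
    """Enumerate every path from `current` to a trust anchor.

    At each hop the server-presented certificates are tried before the trust
    store, so chains[0] is the path the server's own ordering suggests.
    """
    path = path + (current,)
    if current in anchors:
        return [path]
    chains = []
    for cand in list(presented) + list(anchors):
        if cand.subject == current.issuer and cand not in path:
            chains.extend(find_chains(cand, presented, anchors, path))
    return chains


def verify_chain(chain, at):
    """None if every certificate is still valid at `at`, else the first error."""
    for cert in chain:
        if at > cert.not_after:
            return f"{cert.label} expired {cert.not_after:%Y-%m-%d %H:%M:%S} UTC"
    return None


def verify_first_chain_only(leaf, presented, anchors, at):
    """The behaviour the mail attributes to GnuTLS: judge only the first chain."""
    chains = find_chains(leaf, presented, anchors)
    if not chains:
        return False, "no path to a trust anchor"
    err = verify_chain(chains[0], at)
    return err is None, err


def verify_any_chain(leaf, presented, anchors, at):
    """The behaviour the mail attributes to OpenSSL: try alternative chains."""
    errors = []
    for chain in find_chains(leaf, presented, anchors):
        err = verify_chain(chain, at)
        if err is None:
            return True, None
        errors.append(err)
    return False, "; ".join(errors) or "no path to a trust anchor"


def expired_in(presented, at):
    """Operator-side check: labels of certificates the server sends that are expired."""
    return [c.label for c in presented if at > c.not_after]


if __name__ == "__main__":
    for name, chain in (("as sent", SERVER_CHAIN_AS_SENT), ("fixed", SERVER_CHAIN_FIXED)):
        print(f"server chain {name}: expired={expired_in(chain, AT)}")
        print("  first chain only:", verify_first_chain_only(LEAF, chain, TRUST_STORE, AT))
        print("  any chain       :", verify_any_chain(LEAF, chain, TRUST_STORE, AT))
```

The model deliberately leaves out signature checks and name constraints; it only tracks issuer/subject links and validity periods, which is enough to show why a verifier that commits to the server's suggested path fails while one that backtracks to the trust store succeeds, and why removing the cross-signed certificate from the served chain fixes both.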
