[naemon-users] [PSA] labs.consol.de certificate trouble
Christian Kujau
lists at nerdbynature.de
Mon Jun 1 07:28:28 CEST 2020
This just bit me today, so I thought I'd share this if other people come
across the same.
TL;DR: there's nothing wrong with the repository's certificate, but your
local CA store may present an expired root certificate. Details and
workaround in https://bugs.debian.org/961907
Having configured the Consol repository for a Debian/buster installation
(with HTTPS), apt-get update would fail with:
--------------------------------
Ign:1 https://labs.consol.de/repo/stable/debian buster InRelease
Err:2 https://labs.consol.de/repo/stable/debian buster Release
Certificate verification failed: The certificate is NOT trusted. The
certificate chain uses expired certificate. Could not handshake: Error
in the certificate verification. [IP: 2a03:3680:0:2::21 443]
--------------------------------
But the Consol certificate is not really expired at all:
--------------------------------
$ echo | openssl s_client -connect labs.consol.de:443 2>&1 | head -7
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.consol.de
verify return:1
CONNECTED(00000003)
--------------------------------
For OpenSSL, "verify return:1" means "verification succeeded"[0]. However,
the HTTPS transport for apt-get is not linked to OpenSSL but to GnuTLS:
--------------------------------
$ ldd /usr/lib/apt/methods/https | grep tls
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
--------------------------------
And indeed, the GnuTLS client errors out with:
--------------------------------
$ gnutls-cli labs.consol.de:443
[...]
- subject `CN=COMODO RSA Certification Authority,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust
External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE',
serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using
RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30
10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
--------------------------------
The root certificate for the "COMODO RSA Certification Authority" appears
to be expired:
--------------------------------
$ openssl x509 -in $(locate -i addtrust | grep -i external) -noout -dates
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT
--------------------------------
And while the OpenSSL client (or "curl", for that matter) apparently
doesn't check the expiration date of intermediate or root certificates,
GnuTLS does, and thus /usr/lib/apt/methods/https, and with it apt-get, fails :(
Details and workaround, for a Debian system: https://bugs.debian.org/961907
sudo sed 's|mozilla/AddTrust_External_Root.crt|!&|' -i.bak /etc/ca-certificates.conf
sudo update-ca-certificates
For the record, other local certificate stores are affected as well. For
example, on a current openSUSE system:
$ openssl x509 -in /var/lib/ca-certificates/openssl/AddTrust_External_Root.pem -noout -dates
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT
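Added example (editor's code, not part of Christian's post or any of the projects mentioned): a standard-library-only Python scanner that walks a PEM CA bundle and reports every certificate whose notAfter has passed, which is the check the two `openssl x509 -dates` commands above do by hand for one file. The DER walker reads only as far as the Validity field and verifies no signatures. The bundle it scans is constructed inline: one certificate carries the AddTrust External Root validity dates quoted above (2000-05-30 to 2020-05-30), the other is a made-up long-lived root; both are unsigned placeholders, and `make_sample_cert`, `expired_in_bundle` and `scan_sample` are names chosen here.

```python
"""Find expired certificates in a PEM CA bundle using only the standard library."""
import base64
import datetime as dt
import re


def _der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value):
    """Yield (tag, value) for each TLV inside a constructed element."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _der_read(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                                 # UTCTime YYMMDDHHMMSSZ, RFC 5280 pivot at 1950
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _der_read(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _der_read(cert, 0)                  # tbsCertificate ::= SEQUENCE
    fields = list(_der_children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    (nb_tag, nb), (na_tag, na) = list(_der_children(fields[3][1]))[:2]
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def expired_in_bundle(pem_text, now):
    """Return [(index, 'YYYY-MM-DD HH:MM:SS UTC')] for every cert expired at `now`."""
    hits = []
    for i, m in enumerate(_PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        _, not_after = cert_validity(der)
        if not_after < now:
            hits.append((i, not_after.strftime("%Y-%m-%d %H:%M:%S UTC")))
    return hits


# --- constructed sample data (placeholder certs, unsigned, assumed for the demo) ---
def _der(tag, content):
    """Minimal DER TLV encoder for content shorter than 65536 bytes."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def make_sample_cert(not_before, not_after):
    """Build a structurally valid but unsigned X.509 v3 cert with the given UTCTime bounds."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
    empty_name = _der(0x30, b"")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + empty_name
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + empty_name + _der(0x30, alg + _der(0x03, b"\x00")))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (make_sample_cert("000530104838Z", "200530104838Z")   # AddTrust dates from the post
                 + make_sample_cert("150604110438Z", "350604110438Z"))  # constructed long-lived root


def scan_sample(now_iso="2020-06-01T07:28:28Z"):
    """Scan the constructed bundle as of the given instant (default: the mail's timestamp)."""
    now = dt.datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    return expired_in_bundle(SAMPLE_BUNDLE, now)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for idx, when in expired_in_bundle(text, dt.datetime.now(dt.timezone.utc)):
        print(f"certificate #{idx} expired {when}")
```

Run it with a bundle path (for example the concatenated `/etc/ssl/certs/ca-certificates.crt` on Debian) to list the indices of expired roots; without an argument it scans the constructed bundle and, as of the mail's date, reports only the AddTrust-dated entry. Index order matches the order of `BEGIN CERTIFICATE` blocks in the file, which is what you need to find the matching name to blacklist in `/etc/ca-certificates.conf`.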
Maybe it's time to switch to Let's Encrypt certificates? Their ISRG root
is good until 2035 ;-)
HTH,
Christian.
[0] https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html
--
BOFH excuse #273:
The cord jumped over and hit the power switch.