[naemon-users] [PSA] labs.consol.de certificate trouble
Sven Nierlein
Sven.Nierlein at Consol.de
Tue Jun 2 12:56:12 CEST 2020
Hi Christian,
thanks for your investigation. Seems like the labs.consol.de nginx had that expired
ca file in its bundle certificate file as well. I removed it and a simple test with gnutls-cli
looks good now.
Thanks,
Sven
On 01.06.20 07:28, Christian Kujau wrote:
> This just bit me today, so I thought I'd share this if other people come
> across the same.
>
> TL;DR: there's nothing wrong with the repository's certificate, but your
> local CA store may present an expired root certificate. Details and
> workaround in https://bugs.debian.org/961907
>
>
> Having configured the Consol repository for a Debian/buster installation
> (with HTTPS), apt-get update would fail with:
>
> --------------------------------
> Ign:1 https://labs.consol.de/repo/stable/debian buster InRelease
> Err:2 https://labs.consol.de/repo/stable/debian buster Release
> Certificate verification failed: The certificate is NOT trusted. The
> certificate chain uses expired certificate. Could not handshake: Error
> in the certificate verification. [IP: 2a03:3680:0:2::21 443]
> --------------------------------
>
> But the Consol certificate is not really expired at all:
>
> --------------------------------
> $ echo | openssl s_client -connect labs.consol.de:443 2>&1 | head -7
> depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.consol.de
> verify return:1
> CONNECTED(00000003)
> --------------------------------
>
>
> For OpenSSL, "verify return:1" means "verification succeeded"[0]. However,
> the HTTPS transport for apt-get is not linked to OpenSSL but to GnuTLS:
>
> --------------------------------
> $ ldd /usr/lib/apt/methods/https | grep tls
> libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
> --------------------------------
>
>
> And indeed, the GnuTLS client errors out with:
>
> --------------------------------
> $ gnutls-cli labs.consol.de:443
> [...]
> - subject `CN=COMODO RSA Certification Authority,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust
> External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE',
> serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using
> RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30
> 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
> - Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
> --------------------------------
>
>
> The root certificate for the "COMODO RSA Certification Authority" appears
> to be expired:
>
> --------------------------------
> $ openssl x509 -in $(locate -i addtrust | grep -i external) -noout -dates
> notBefore=May 30 10:48:38 2000 GMT
> notAfter=May 30 10:48:38 2020 GMT
> --------------------------------
>
>
> And while the OpenSSL client (or "curl", for that matter) apparently
> doesn't check on the expiration date of intermediate or root certificates,
> GnuTLS does and thus /usr/lib/apt/methods/https resp. apt-get fails :(
>
> Details and workaround, for a Debian system: https://bugs.debian.org/961907
>
> sudo sed 's|mozilla/AddTrust_External_Root.crt|!&|' -i.bak /etc/ca-certificates.conf
> sudo update-ca-certificates
>
> For the record, other local certificate stores are affected as well. For
> example, on a current openSUSE system:
>
> $ openssl x509 -in /var/lib/ca-certificates/openssl/AddTrust_External_Root.pem -noout -dates
> notBefore=May 30 10:48:38 2000 GMT
> notAfter=May 30 10:48:38 2020 GMT
>
> Maybe it's time to switch to Let's Encrypt certificates? Their ISRG root
> is good until 2035 ;-)
>
> HTH,
> Christian.
>
> [0] https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html
>
--
Sven Nierlein
Sven.Nierlein at consol.de
Phone: +49-89-45841-439
ConSol Consulting & Solutions Software GmbH
St.-Cajetan-Str. 43, D-81669 München, Germany
Phone: +49-89-45841-100, Fax: +49-89-45841-111
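Added note, not part of either message above: the thread checks one certificate by hand with openssl and gnutls-cli, but the same problem hides in two places at once, the local CA store (the expired AddTrust External CA Root) and the bundle a server sends (the stale root Sven removed from the nginx config). The helper below walks every certificate in a PEM bundle, from either source, and reports the ones that are expired or about to expire. It is this reply's own example, not code from the thread or from ConSol; the function names are its own, and it assumes the openssl CLI and GNU date (for "date -d").

```shell
#!/bin/sh
# Added example, not code from the thread: find expired certificates in a PEM
# bundle, whether that bundle is the local CA store (where the expired AddTrust
# External CA Root lived) or the chain a server sends (where the nginx bundle
# on labs.consol.de still carried the stale root).  Requires the openssl CLI
# and GNU date (for "date -d"); the function names are this example's own.

# Seconds from "now" until the notAfter string that "openssl x509 -enddate"
# prints (e.g. "May 30 10:48:38 2020 GMT").  The optional second argument
# overrides "now" with a fixed epoch so the logic can be checked offline.
seconds_until() {
    end=$(date -u -d "$1" +%s) || return 1
    now=${2:-$(date -u +%s)}
    echo $((end - now))
}

# Classify a notAfter time relative to "now": EXPIRED, EXPIRING (less than
# 30 days left), or OK.  Equality counts as expired, as it does for
# "openssl x509 -checkend 0".
expiry_status() {
    left=$(seconds_until "$1" "${2:-}") || { echo INVALID; return 1; }
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $((30 * 86400)) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Split a PEM bundle into one file per certificate under $2 and print the
# number of certificates found.  Only the BEGIN/END markers are looked at,
# so the chatter "openssl s_client -showcerts" prints between blocks is
# ignored.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# One line per certificate in the bundle: status, notAfter, subject.
check_bundle() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir" >/dev/null
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || continue
        end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2-)
        subject=$(openssl x509 -in "$f" -noout -subject)
        printf '%s\t%s\t%s\n' "$(expiry_status "$end")" "$end" "$subject"
    done
    rm -rf "$dir"
}

# Same check on the chain a server actually sends.  In the thread OpenSSL's
# client accepted this chain while GnuTLS rejected it, so look at the served
# bundle directly instead of trusting one client's verdict.
check_server() {
    host=$1
    port=${2:-443}
    chain=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null >"$chain"
    check_bundle "$chain"
    rm -f "$chain"
}

# Typical use:
#   check_bundle /etc/ssl/certs/ca-certificates.crt | grep -v '^OK'
#   check_server labs.consol.de
```

Run check_bundle against the local store before and after the sed/update-ca-certificates step from Christian's post to confirm the AddTrust root is gone, and check_server against the repository host to confirm the served bundle no longer includes it.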