From: Michael Sierchio
Date: Thu, 30 Sep 2021 09:55:02 -0700
Subject: Re: expired Lets Encrypt CA and fetch
To: FreeBSD Questions

Are there unexpired certs in the chain that have DST Root CA X3 as their root? Because that should never happen, right?

On Thu, Sep 30, 2021 at 9:41 AM Doug McIntyre wrote:
> Let's Encrypt used to cross-sign with DST Root CA X3, but that
> expired, and they stopped doing that a year ago.
>
> They've been cross-signing with their own root, but there is still fallout
> from DST Root CA X3 expiring. I am seeing my own stuff be affected in weird
> ways too.
>
> https://community.letsencrypt.org/t/production-chain-changes/150739/4
>
> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
> > I noticed on RELENG_11 boxes that fetch is failing, even with an updated
> > ca bundle.
> >
> > eg.
> >
> > % fetch https://expired-r3-test.scotthelme.co.uk/
> > Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
> > 34374360472:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/crossbuilds/src/11/crypto/openssl/ssl/s3_clnt.c:1269:
> > fetch: https://expired-r3-test.scotthelme.co.uk/: Authentication error
> >
> > fails on releng11 and some RELENG_12, but not recent releng13. Does
> > anyone know what's going on and why it's so inconsistent? If I remove the
> > expired CA entry from the bundle, it works, but I don't have to on all
> > clients? Anyone know what's going on?
> >
> > --- ca-root-nss.crt 2021-09-03 21:13:10.000000000 -0400
> > +++ /tmp/ca-root-nss.crt 2021-09-30 10:54:36.000000000 -0400
> > @@ -4178,88 +4178,6 @@ > > -----END CERTIFICATE----- > > > > > > - > > -Certificate: > > - Data: > > - Version: 3 (0x2) > > - Serial Number: > > - 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b > > - Signature Algorithm: sha1WithRSAEncryption > > - Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 > > - Validity > > - Not Before: Sep 30 21:12:19 2000 GMT > > - Not After : Sep 30 14:01:15 2021 GMT > > - Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 > > - Subject Public Key Info: > > - Public Key Algorithm: rsaEncryption > > - RSA Public-Key: (2048 bit) > > - Modulus: > > - 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90: > > - 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40: > > - c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93: > > - ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2: > > - 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89: > > - a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14: > > - 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80: > > - 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec: > > - 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09: > > - 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd: > > - 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6: > > - 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c: > > - 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72: > > - d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97: > > - eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15: > > - 02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83: > > - 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0: > > - 02:5d > > - Exponent: 65537 (0x10001) > > - X509v3 extensions: > > - X509v3 Basic Constraints: critical > > - CA:TRUE > > - X509v3 Key Usage: critical > > - Certificate Sign, CRL Sign > > - X509v3 Subject Key Identifier: > > - > C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 > > - Signature Algorithm: sha1WithRSAEncryption > > - a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f: > > - 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b: > > - 
a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3: > > - 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd: > > - b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94: > > - 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9: > > - dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce: > > - e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf: > > - 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52: > > - 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31: > > - 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64: > > - 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65: > > - b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77: > > - 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d: > > - 82:35:35:10 > > -SHA1 > > Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 > > ------BEGIN CERTIFICATE----- > > -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ > > -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT > > -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow > > -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD > > -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB > > -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O > > -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq > > -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b > > -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw > > -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD > > -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV > > -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG > > -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 > > -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr > > -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz > > -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 > > 
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo > > -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ > > ------END CERTIFICATE----- > > - > > - > > - > > Certificate: > > Data: > > Version: 3 (0x2) > > > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-questions@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" >
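Review bot: the hunk hand-edits ca-root-nss.crt, the bundle that the ca_root_nss package installs, so the deletion of the DST Root CA X3 entry will be reverted without notice at the next package update; if the workaround is kept it should live in a separately maintained bundle rather than in the package-owned file. The entry being removed is the self-signed root (Issuer and Subject both "O = Digital Signature Trust Co., CN = DST Root CA X3", CA:TRUE) with "Not After : Sep 30 14:01:15 2021 GMT", which is why the 2021-09-03 bundle was correct when built and only became a problem on the 30th. Before applying it, confirm that Let's Encrypt's own self-signed root (ISRG Root X1) is still present in the edited bundle; otherwise the hunk trades an expired anchor for no anchor at all and fetch will keep failing for a different reason.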
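Mike's question is which entries in the bundle are actually past their notAfter and which of those are trust anchors. The following script is an added example, not code from the thread or from FreeBSD; it walks every PEM block in a bundle such as ca-root-nss.crt with a minimal DER reader (standard library only, no third-party X.509 module assumed) and lists the self-signed entries whose validity has lapsed. The sample input is the DST Root CA X3 certificate as it appears in the diff above, so the script runs offline; the `expired_roots` and `scan_bundle` names, and the optional ISO-8601 `now` argument, are this example's own.

```python
import base64
import re
from datetime import datetime, timezone

# Sample input: the DST Root CA X3 entry from the bundle diff quoted above.
DST_ROOT_CA_X3_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
"""

_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):            # iterate the TLVs inside a SEQUENCE / SET
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend

def _decode_name(buf, start, end):
    """Render an X.501 Name as 'O=..., CN=...'; unknown attribute types show their OID bytes."""
    parts = []
    for _, rdn_s, rdn_e in _children(buf, start, end):           # RDN = SET OF AttributeTypeAndValue
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):     # SEQUENCE { type OID, value }
            (_, oid_s, oid_e), (_, val_s, val_e) = _children(buf, atv_s, atv_e)
            label = _OID_NAMES.get(buf[oid_s:oid_e], buf[oid_s:oid_e].hex())
            parts.append(f"{label}={buf[val_s:val_e].decode('utf-8', 'replace')}")
    return ", ".join(parts)

def _decode_time(buf, tag, start, end):
    """UTCTime (0x17, YYMMDDHHMMSSZ with the RFC 5280 century rule) or GeneralizedTime (0x18)."""
    text = buf[start:end].decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Extract subject, issuer and validity from a DER certificate; no signature check is done.
    An entry is treated as self-signed (a trust anchor) when issuer and subject are byte-identical."""
    _, cert_s, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)               # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2], fields[3], fields[4]   # after serial, signature
    not_before, not_after = _children(der, validity[1], validity[2])
    return {
        "subject": _decode_name(der, subject[1], subject[2]),
        "issuer": _decode_name(der, issuer[1], issuer[2]),
        "not_before": _decode_time(der, *not_before),
        "not_after": _decode_time(der, *not_after),
        "self_signed": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]],
    }

def scan_bundle(pem_text, now=None):
    """Parse every PEM block in a bundle; `now` is a datetime or 'YYYY-MM-DDTHH:MM:SSZ' (default: current time)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    results = []
    for m in _PEM_RE.finditer(pem_text):
        info = parse_certificate(base64.b64decode("".join(m.group(1).split())))
        info["expired"] = info["not_after"] < now
        results.append(info)
    return results

def expired_roots(pem_text, now=None):
    """Trust anchors (self-signed entries) whose notAfter has already passed."""
    return [c for c in scan_bundle(pem_text, now) if c["self_signed"] and c["expired"]]

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DST_ROOT_CA_X3_PEM
    for c in expired_roots(text):
        print(f"expired root: {c['subject']} (Not After {c['not_after']:%b %d %H:%M:%S %Y} GMT)")
```

Run it as `python3 scan_bundle.py /usr/local/share/certs/ca-root-nss.crt` (path assumed; pass whatever bundle fetch is using) to see which anchors have lapsed before deciding whether anything needs removing. The script deliberately only reads validity and names; it does not verify signatures, so it tells you which anchors are expired, not whether a given server chain still has a valid path through the remaining ones.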