From owner-freebsd-questions@freebsd.org Thu Sep 30 17:23:03 2021
Subject: Re: expired Lets Encrypt CA and fetch
To: Michael Sierchio, FreeBSD Questions
From: mike tancsa
Date: Thu, 30 Sep 2021 13:23:01 -0400
List-Id: User questions
X-BeenThere: freebsd-questions@freebsd.org

On 9/30/2021 12:55 PM, Michael Sierchio wrote:
> Are there unexpired certs in the chain that have DST Root CA X3 as their
> root? Because that should never happen, right?

I think it's the intermediary cert that is given by the server and the client is not always able to figure out what to use. Chrome on Windows can hit the URL https://expired-r3-test.scotthelme.co.uk/ OK but my Mac laptop cannot. I was trying to use https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ to get fetch to work on releng12, but no luck.
It's still broken despite trying to explicitly blacklist the CA as suggested. Note, with https://expired-r3-test.scotthelme.co.uk/ I cannot get fetch or curl to work on any FreeBSD branch.

---Mike

> On Thu, Sep 30, 2021 at 9:41 AM Doug McIntyre wrote:
>
>> Let's Encrypt used to cross-sign with DST Root CA X3, but that
>> expired, and they stopped doing that a year ago.
>>
>> They've been cross-signing with their own root, but there is still fallout
>> from DST Root CA X3 expiring. I am seeing my own stuff be affected in weird
>> ways too.
>>
>> https://community.letsencrypt.org/t/production-chain-changes/150739/4
>>
>> On Thu, Sep 30, 2021 at 11:46:50AM -0400, mike tancsa wrote:
>>> I noticed on RELENG_11 boxes that fetch is failing, even with an updated
>>> ca bundle.
>>>
>>> eg.
>>>
>>> % fetch https://expired-r3-test.scotthelme.co.uk/
>>> Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
>>> 34374360472:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/crossbuilds/src/11/crypto/openssl/ssl/s3_clnt.c:1269:
>>> fetch: https://expired-r3-test.scotthelme.co.uk/: Authentication error
>>>
>>> fails on releng11 and some RELENG_12, but not recent releng13. Does
>>> anyone know what's going on and why it's so inconsistent? If I remove the
>>> expired CA entry from the bundle, it works, but I don't have to on all
>>> clients? Anyone know what's going on?
>>>
>>> --- ca-root-nss.crt 2021-09-03 21:13:10.000000000 -0400
>>> +++ /tmp/ca-root-nss.crt 2021-09-30 10:54:36.000000000 -0400
>>> @@ -4178,88 +4178,6 @@ >>> -----END CERTIFICATE----- >>> >>> >>> - >>> -Certificate: >>> - Data: >>> - Version: 3 (0x2) >>> - Serial Number: >>> - 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b >>> - Signature Algorithm: sha1WithRSAEncryption >>> - Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 >>> - Validity >>> - Not Before: Sep 30 21:12:19 2000 GMT >>> - Not After : Sep 30 14:01:15 2021 GMT >>> - Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 >>> - Subject Public Key Info: >>> - Public Key Algorithm: rsaEncryption >>> - RSA Public-Key: (2048 bit) >>> - Modulus: >>> - 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90: >>> - 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40: >>> - c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93: >>> - ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2: >>> - 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89: >>> - a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14: >>> - 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80: >>> - 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec: >>> - 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09: >>> - 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd: >>> - 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6: >>> - 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c: >>> - 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72: >>> - d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97: >>> - eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15: >>> - 02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83: >>> - 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0: >>> - 02:5d >>> - Exponent: 65537 (0x10001) >>> - X509v3 extensions: >>> - X509v3 Basic Constraints: critical >>> - CA:TRUE >>> - X509v3 Key Usage: critical >>> - Certificate Sign, CRL Sign >>> - X509v3 Subject Key Identifier: >>> - >> C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 >>> - Signature Algorithm: sha1WithRSAEncryption >>> - a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f: >>> - 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b: >>> - 
a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3: >>> - 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd: >>> - b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94: >>> - 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9: >>> - dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce: >>> - e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf: >>> - 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52: >>> - 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31: >>> - 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64: >>> - 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65: >>> - b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77: >>> - 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d: >>> - 82:35:35:10 >>> -SHA1 >>> Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13 >>> ------BEGIN CERTIFICATE----- >>> -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ >>> -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT >>> -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow >>> -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD >>> -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB >>> -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O >>> -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq >>> -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b >>> -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw >>> -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD >>> -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV >>> -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG >>> -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 >>> -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr >>> -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz >>> -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 >>> 
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo >>> -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ >>> ------END CERTIFICATE----- >>> - >>> - >>> - >>> Certificate: >>> Data: >>> Version: 3 (0x2) >>> >>> _______________________________________________ >>> freebsd-questions@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions >>> To unsubscribe, send any mail to " >> freebsd-questions-unsubscribe@freebsd.org"
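Review bot: the hunk deletes the entire DST Root CA X3 entry (serial 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b, Not After Sep 30 14:01:15 2021 GMT, text dump and PEM block together) as a hand edit of the installed ca-root-nss.crt against a copy in /tmp, so it is silently reverted the next time the bundle is regenerated or the package is updated; keep the removal where the bundle is produced, or at least as a local patch that is reapplied, rather than relying on the edited file staying put. The diff also shows only the removal, not whether the bundle still carries the Let's Encrypt root that the server's intermediate chains to under the cross-sign Doug describes; after this deletion that is the only path left for the chain to verify, so check it is present before copying the edited bundle to the other RELENG_11 and RELENG_12 clients.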
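The workaround reported in the thread, removing the expired DST Root CA X3 entry from the bundle, is what the following script does mechanically. It is an added example, not code from the thread, from FreeBSD or from the ca_root_nss port: it scans a ca-root-nss.crt style bundle (text dumps interleaved with PEM blocks), reads each certificate's validity period and subject straight out of the DER with a minimal ASN.1 walker, and returns only the blocks that have not expired against a caller-supplied clock. The names prune_expired, cert_info and utc are my own; the sample bundle is constructed from the DST Root CA X3 PEM quoted in the diff above, and the clock is pinned so the run is reproducible.

```python
"""Prune expired certificates from a PEM CA bundle (added example, not
FreeBSD or ca_root_nss code).  It automates the manual edit in the quoted
diff, deleting the expired DST Root CA X3 entry from ca-root-nss.crt, by
reading validity and subject out of the DER; only the stdlib is needed."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# DER-encoded attribute type OIDs rendered when printing a Name.
_OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

# Constructed sample: the DST Root CA X3 PEM quoted on the page, preceded by
# the kind of text dump ca-root-nss.crt carries before each PEM block.
SAMPLE_BUNDLE = """\
Certificate:
    Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
"""


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val


def _time(tag, val):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = val.decode("ascii")
    if tag == 0x17:                    # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _name(buf):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    parts = []
    for _, rdn in _children(buf):
        for _, ava in _children(rdn):
            (_, oid), (_, val) = list(_children(ava))[:2]
            parts.append(_OID_NAMES.get(oid, oid.hex()) + "=" + val.decode("utf-8", "replace"))
    return ", ".join(parts)


def cert_info(der):
    """Return (subject, not_before, not_after) for one DER certificate."""
    _, cert, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:           # skip EXPLICIT [0] version when present
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    (t1, nb), (t2, na) = list(_children(fields[3][1]))[:2]
    return _name(fields[4][1]), _time(t1, nb), _time(t2, na)


def utc(year, month, day):
    """Midnight UTC on a date, so 'now' can be pinned for reproducible runs."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def prune_expired(bundle_text, now):
    """Return (kept_pem_blocks, dropped); dropped is [(subject, notBefore, notAfter)]."""
    kept, dropped = [], []
    for b64 in PEM_RE.findall(bundle_text):      # text dumps between blocks are ignored
        subject, not_before, not_after = cert_info(base64.b64decode("".join(b64.split())))
        if not_after < now:
            dropped.append((subject, not_before, not_after))
        else:
            kept.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64)
    return kept, dropped
```

With the clock pinned to 2021-09-29 the sample root is kept; pinned to 2021-10-01 it is dropped and reported with its subject and notAfter of 14:01:15 UTC on Sep 30, the same expiry the fetch error above tripped over. Like the hand edit in the diff, this only removes the expired entry; it does not confirm that a non-expired root for the server's current chain is still present in the bundle, and the rewritten file loses the human-readable dumps. A regenerated or updated bundle reverts the change, so the pruning has to be repeated after every update.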