[naemon-users] [PSA] labs.consol.de certificate trouble

Christian Kujau lists at nerdbynature.de
Mon Jun 1 07:28:28 CEST 2020


This just bit me today, so I thought I'd share this if other people come 
across the same.

TL;DR: there's nothing wrong with the repository's certificate, but your 
local CA store may present an expired root certificate. Details and 
workaround in https://bugs.debian.org/961907


Having configured the Consol repository for a Debian/buster installation 
(with HTTPS), apt-get update would fail with:

--------------------------------
 Ign:1 https://labs.consol.de/repo/stable/debian buster InRelease
 Err:2 https://labs.consol.de/repo/stable/debian buster Release
  Certificate verification failed: The certificate is NOT trusted. The 
  certificate chain uses expired certificate.  Could not handshake: Error 
  in the certificate verification. [IP: 2a03:3680:0:2::21 443]
--------------------------------

But the Consol certificate is not really expired at all:

--------------------------------
$ echo | openssl s_client  -connect labs.consol.de:443 2>&1 | head -7
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.consol.de
verify return:1
CONNECTED(00000003)
--------------------------------


For OpenSSL, "verify return:1" means "verification succeeded"[0]. However, 
the HTTPS transport for apt-get is not linked to OpenSSL but to GnuTLS:

--------------------------------
$ ldd /usr/lib/apt/methods/https | grep tls
        libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
--------------------------------


And indeed, the GnuTLS client errors out with:

--------------------------------
$ gnutls-cli labs.consol.de:443
[...]
 - subject `CN=COMODO RSA Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust 
External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', 
serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using 
RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 
10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
--------------------------------


The root certificate for the "COMODO RSA Certification Authority" appears 
to be expired:

--------------------------------
$ openssl x509 -in $(locate -i addtrust | grep -i external) -noout -dates
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT
--------------------------------


And while the OpenSSL client (or "curl", for that matter) apparently 
doesn't check on the expiration date of intermediate or root certificates, 
GnuTLS does and thus /usr/lib/apt/methods/https resp. apt-get fails :(
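As an added illustration (constructed model, not code from GnuTLS, OpenSSL or Debian), here is one way two clients can reach different verdicts on the same chain: one validates every certificate exactly as the server presented it, the other stops walking as soon as it finds an unexpired anchor for the current issuer in the local store. The dates of the cross-signed COMODO certificate and the AddTrust root are those printed above; the expiry dates of the leaf, the intermediate and the self-signed COMODO root are assumptions, and subject names are abbreviated to their CN.

```python
# Model of two chain-validation strategies (constructed; not library code).
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return when <= self.not_after


def utc(*ymd_hms: int) -> datetime:
    return datetime(*ymd_hms, tzinfo=timezone.utc)


# Chain as the server presents it, leaf first (per the gnutls-cli output).
PRESENTED_CHAIN = [
    Cert("CN=*.consol.de", "CN=COMODO RSA DV Secure Server CA", utc(2021, 1, 1)),  # assumed expiry
    Cert("CN=COMODO RSA DV Secure Server CA", "CN=COMODO RSA Certification Authority", utc(2029, 1, 1)),  # assumed
    Cert("CN=COMODO RSA Certification Authority", "CN=AddTrust External CA Root", utc(2020, 5, 30, 10, 48, 38)),  # cross-sign, expired
]

# Local CA store: the expired AddTrust root plus the self-signed COMODO root.
TRUST_STORE = [
    Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root", utc(2020, 5, 30, 10, 48, 38)),
    Cert("CN=COMODO RSA Certification Authority", "CN=COMODO RSA Certification Authority", utc(2038, 1, 1)),  # assumed
]


def validate_presented_chain(chain, store, when):
    """Strict: every presented cert must be unexpired, and the last one
    must be issued by an unexpired anchor from the store."""
    for cert in chain:
        if not cert.valid_at(when):
            return False, f"expired certificate in chain: {cert.subject}"
    anchor = next((a for a in store if a.subject == chain[-1].issuer), None)
    if anchor is None:
        return False, f"no trust anchor for {chain[-1].issuer}"
    if not anchor.valid_at(when):
        return False, f"expired trust anchor: {anchor.subject}"
    return True, "ok"


def validate_with_path_building(chain, store, when):
    """Lenient: walk up from the leaf and stop at the first cert whose issuer
    is an unexpired anchor in the store; presented certs beyond it are ignored."""
    for cert in chain:
        if not cert.valid_at(when):
            return False, f"expired certificate in path: {cert.subject}"
        anchor = next((a for a in store if a.subject == cert.issuer and a.valid_at(when)), None)
        if anchor is not None:
            return True, f"anchored at {anchor.subject}"
    return False, "no trust anchor found"


def expired_anchors(store, when):
    """Housekeeping check: which roots in the local store are past notAfter?"""
    return [c.subject for c in store if not c.valid_at(when)]
```

Evaluated at 2020-06-01, the strict strategy rejects the chain at the expired cross-sign while the lenient one anchors at the self-signed COMODO root, and `expired_anchors` flags only the AddTrust root.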

Details and workaround, for a Debian system: https://bugs.debian.org/961907

 sudo sed 's|mozilla/AddTrust_External_Root.crt|!&|' -i.bak /etc/ca-certificates.conf
 sudo update-ca-certificates

For the record, other local certificate stores are affected as well. For 
example, on a current openSUSE system:

$ openssl x509 -in /var/lib/ca-certificates/openssl/AddTrust_External_Root.pem -noout -dates
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT

Maybe it's time to switch to Let's Encrypt certificates? Their ISRG root 
is good until 2035 ;-)

HTH,
Christian.

[0] https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html
-- 
BOFH excuse #273:

The cord jumped over and hit the power switch.