[naemon-users] [PSA] labs.consol.de certificate trouble

Sven Nierlein Sven.Nierlein at Consol.de
Tue Jun 2 12:56:12 CEST 2020


Hi Christian,

thanks for your investigation. Seems like the labs.consol.de nginx had that expired
ca file in its bundle certificate file as well. I removed it and a simple test with gnutls-cli
looks good now.

Thanks,
 Sven


On 01.06.20 07:28, Christian Kujau wrote:
> This just bit me today, so I thought I'd share this if other people come 
> across the same.
> 
> TL;DR: there's nothing wrong with the repository's certificate, but your 
> local CA store may present an expired root certificate. Details and 
> workaround in https://bugs.debian.org/961907
> 
> 
> Having configured the Consol repository for a Debian/buster installation 
> (with HTTPS), apt-get update would fail with:
> 
> --------------------------------
>  Ign:1 https://labs.consol.de/repo/stable/debian buster InRelease
>  Err:2 https://labs.consol.de/repo/stable/debian buster Release
>   Certificate verification failed: The certificate is NOT trusted. The 
>   certificate chain uses expired certificate.  Could not handshake: Error 
>   in the certificate verification. [IP: 2a03:3680:0:2::21 443]
> --------------------------------
> 
> But the Consol certificate is not really expired at all:
> 
> --------------------------------
> $ echo | openssl s_client  -connect labs.consol.de:443 2>&1 | head -7
> depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.consol.de
> verify return:1
> CONNECTED(00000003)
> --------------------------------
> 
> 
> For OpenSSL, "verify return:1" means "verification succeeded"[0]. However, 
> the HTTPS transport for apt-get is not linked to OpenSSL but to GnuTLS:
> 
> --------------------------------
> $ ldd /usr/lib/apt/methods/https | grep tls
>         libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
> --------------------------------
> 
> 
> And indeed, the GnuTLS client errors out with:
> 
> --------------------------------
> $ gnutls-cli labs.consol.de:443
> [...]
>  - subject `CN=COMODO RSA Certification Authority,O=COMODO CA 
> Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust 
> External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', 
> serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using 
> RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 
> 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME="
> - Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
> --------------------------------
> 
> 
> The root certificate for the "COMODO RSA Certification Authority" appears 
> to be expired:
> 
> --------------------------------
> $ openssl x509 -in $(locate -i addtrust | grep -i external) -noout -dates
> notBefore=May 30 10:48:38 2000 GMT
> notAfter=May 30 10:48:38 2020 GMT
> --------------------------------
> 
> 
> And while the OpenSSL client (or "curl", for that matter) apparently 
> doesn't check on the expiration date of intermediate or root certificates, 
> GnuTLS does and thus /usr/lib/apt/methods/https resp. apt-get fails :(
> 
> Details and workaround, for a Debian system: https://bugs.debian.org/961907
> 
>  sudo sed 's|mozilla/AddTrust_External_Root.crt|!&|' -i.bak /etc/ca-certificates.conf
>  sudo update-ca-certificates
> 
> For the record, other local certificate stores are affected as well. For 
> example, on a current openSUSE system:
> 
> $ openssl x509 -in /var/lib/ca-certificates/openssl/AddTrust_External_Root.pem -noout -dates
> notBefore=May 30 10:48:38 2000 GMT
> notAfter=May 30 10:48:38 2020 GMT
> 
> Maybe it's time to switch to Let's Encrypt certificates? Their ISRG root 
> is good until 2035 ;-)
> 
> HTH,
> Christian.
> 
> [0] https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html
> 


-- 
Sven Nierlein

Sven.Nierlein at consol.de
Phone: +49-89-45841-439

ConSol Consulting & Solutions Software GmbH
St.-Cajetan-Str. 43, D-81669 München, Germany
Phone: +49-89-45841-100, Fax: +49-89-45841-111
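The chain shape Christian describes, reproduced offline as an added example (my code, not anything from the mail, Consol or Debian): an expired "AddTrust"-style root cross-signs the "COMODO"-style CA key, which also exists as a self-signed root, and a leaf is issued under that key. All keys and certificates are constructed with Go's standard library (Ed25519 instead of RSA, names reused only for readability). `verify` plays the client: the first call in the test trusts only the expired root and fails like gnutls-cli did; the other two show that a store which also contains, or only contains, the CA's own root accepts the same served chain, which is what the `!mozilla/AddTrust_External_Root.crt` workaround achieves.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for pub with parentKey; a nil parent means self-signed.
func issue(cn string, isCA bool, notAfter time.Time, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// buildScenario constructs (toy keys, not real CA material) the chain from the mail: expired AddTrust root -> cross-signed COMODO CA -> leaf, plus COMODO's own self-signed root.
func buildScenario() (leaf, cross, comodoRoot, addTrust *x509.Certificate) {
	addPub, addKey, _ := ed25519.GenerateKey(rand.Reader)
	comPub, comKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	expired, valid := time.Now().Add(-24*time.Hour), time.Now().Add(365*24*time.Hour)
	addTrust = issue("AddTrust External CA Root", true, expired, addPub, nil, addKey)
	comodoRoot = issue("COMODO RSA Certification Authority", true, valid, comPub, nil, comKey)
	cross = issue("COMODO RSA Certification Authority", true, valid, comPub, addTrust, addKey)
	leaf = issue("labs.consol.de", false, valid, leafPub, comodoRoot, comKey)
	return
}

// verify plays the client: cross is the intermediate the server sends with its leaf, roots model the local CA store; nil means a trusted chain was found.
func verify(leaf, cross *x509.Certificate, roots ...*x509.Certificate) error {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	ip.AddCert(cross)
	for _, r := range roots {
		rp.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Intermediates: ip, Roots: rp})
	return err
}
```

Go's verifier, like the OpenSSL client in the mail, builds an alternate path through the self-signed COMODO root when the store offers one; the failing first case is the situation a client that insists on the served chain ends up in.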

