
On one machine with an up-to-date Ubuntu 20.04, certificates issued by Let's Encrypt are rejected by GnuTLS and only GnuTLS. They fail with applications that are linked with GnuTLS, such as Git and Lynx. They work with applications that are linked with other TLS stacks, such as OpenSSL, Firefox and Chrome. Sites with certificates issued by other CAs work fine.

I don't often use Git on sites with certificates from Let's Encrypt on this machine, so it's likely that this has been going on since 30 September 2021 when the old root of LE expired. What I don't understand is how an up-to-date Ubuntu has trouble with that.

Example:

$ git clone https://git.savannah.gnu.org/git/bash.git/
Cloning into 'bash'...
fatal: unable to access 'https://git.savannah.gnu.org/git/bash.git/': server certificate verification failed. CAfile: none CRLfile: none

And here's more detail from gnutls-cli --print-cert -p 443 {--sni-hostname=,}git.savannah.gnu.org:

Processed 140 CA certificate(s).
Resolving 'git.savannah.gnu.org:443'...
Connecting to '209.51.188.168:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=git.savannah.gnu.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04fb91dc102c76be8ac0ae2d77169d581a7d, RSA key 4096 bits, signed using RSA-SHA256, activated `2022-04-28 09:26:15 UTC', expires `2022-07-27 09:26:14 UTC', pin-sha256="QokL42m6ShyuyTUCH1OtbQRsDL92EWuwFY9wGQM4TGI="
        Public Key ID:
                sha1:a8b73346c9460221472b9dfa1a1b80b3b5273994
                sha256:42890be369ba4a1caec935021f53ad6d046c0cbf76116bb0158f701903384c62
        Public Key PIN:
                pin-sha256:QokL42m6ShyuyTUCH1OtbQRsDL92EWuwFY9wGQM4TGI=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="

- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="

- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.

*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

The machine's clock is correct, and the certificates listed here are not expired. However, the issuer CN=DST Root CA X3,O=Digital Signature Trust Co. has a certificate in the trusted store (/etc/ssl/certs/ca-certificates.crt — I've confirmed that GnuTLS reads this file), which expired on 2021-09-30.

This should not be a problem, because this certificate is not needed to establish a chain of trust: the entity CN=ISRG Root X1,O=Internet Security Research Group,C=US has a self-signed certificate in /etc/ssl/certs/ca-certificates.crt. Other TLS implementations cope with it just fine, so why can't GnuTLS figure it out on my machine?

How do I make GnuTLS accept Let's Encrypt certificates on my Ubuntu 20.04?

tanius
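As an added example that is not part of the original question, here is a stdlib-only Python scanner that walks a PEM bundle such as /etc/ssl/certs/ca-certificates.crt and reports every certificate already past its notAfter, which is the check that surfaces an expired root like DST Root CA X3 sitting in the trust store. The minimal DER walker, the function names and the sample_pem() builder are my own constructions; sample_pem() emits a hand-assembled, unsigned X.509 shell for offline testing, not a real certificate.

```python
import base64, re
from datetime import datetime, timezone
CN_OID = b"\x55\x04\x03"  # DER body of OID 2.5.4.3 (commonName)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):  # split a constructed DER value into its (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def _time(tag, val):  # UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)
def _cn(name):  # commonName from an X.501 Name: SEQUENCE OF SET OF {OID, value}
    for _, rdn in _children(name):
        for _, ava in _children(rdn):
            oid, val = _children(ava)
            if oid[1] == CN_OID:
                return val[1].decode()
    return "<no CN>"

def cert_info(der):  # -> (subject CN, issuer CN, notBefore, notAfter) of one DER certificate
    fields = _children(_children(_children(der)[0][1])[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = (_time(t, v) for t, v in _children(fields[3][1]))
    return _cn(fields[4][1]), _cn(fields[2][1]), not_before, not_after

def expired_in_bundle(pem_text, now=None):  # -> [(subject CN, issuer CN, notAfter)] past notAfter
    now, hits = now or datetime.now(timezone.utc), []
    for b64 in PEM_RE.findall(pem_text):
        subj, iss, _, not_after = cert_info(base64.b64decode("".join(b64.split())))
        if not_after < now:
            hits.append((subj, iss, not_after))
    return hits

def sample_pem(cn, not_after):  # constructed test input, NOT a real certificate
    # Hand-assembled unsigned X.509 v1 shell: self-issued 2-char CN, empty SPKI, dummy signature.
    name = b"\x30\x0d\x31\x0b\x30\x09\x06\x03\x55\x04\x03\x0c\x02" + cn.encode()
    tbs = (b"\x02\x01\x01\x30\x00" + name + b"\x30\x1e\x17\x0d000101000000Z\x17\x0d"
           + not_after.encode() + name + b"\x30\x00")
    der = b"\x30\x4c\x30\x45" + tbs + b"\x30\x00\x03\x01\x00"
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

On a real system, call expired_in_bundle(open("/etc/ssl/certs/ca-certificates.crt").read()) and compare the hits against what update-ca-certificates believes it installed; anything listed there is a candidate for the behaviour in the question.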

0 Answers