Bug#995926: Error validating Let's Encrypt cert chains
On 11/10/2021 18:41, Andreas Metzler wrote:
> This looks like https://github.com/lavv17/lftp/issues/641 which has a fix in upstream GIT.

That indeed looks likely, thanks!

Bug#995926: Error validating Let's Encrypt cert chains
Control: reassign -1 lftp 4.8.4-2

On 2021-10-11 Andreas Metzler wrote:
> On 2021-10-08 Andre Heider wrote:
>> Source: gnutls28
>> Version: 3.7.2-2
>> Apps using gnutls fail to connect to servers using a Let's Encrypt
>> certificate which are cross-signed by the now expired DST Root CA X3, see
>> [0].
>> Examples:
>> $ lftp https://shop.bbc.com
>> cd: Fatal error: Certificate verification: Not trusted
>> (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF)
> [...]
>> [0] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> given that
> gnutls-cli --port https shop.bbc.com
> works I suspect that it is not necessarily a GnuTLS problem.

This looks like https://github.com/lavv17/lftp/issues/641 which has a fix in upstream GIT.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

Bug#995926: Error validating Let's Encrypt cert chains
X-Debbugs-Cc: Andre Heider , l...@packages.debian.org

On 2021-10-08 Andre Heider wrote:
> Source: gnutls28
> Version: 3.7.2-2
> Apps using gnutls fail to connect to servers using a Let's Encrypt
> certificate which are cross-signed by the now expired DST Root CA X3, see
> [0].
> Examples:
> $ lftp https://shop.bbc.com
> cd: Fatal error: Certificate verification: Not trusted
> (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF)
[...]
> [0] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Hello,

given that
gnutls-cli --port https shop.bbc.com
works I suspect that it is not necessarily a GnuTLS problem.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

Bug#995926: Error validating Let's Encrypt cert chains
The audacious cmdline from above works now, I guess because of the resolved bug #995432?

lftp still fails though.

Bug#995926: Error validating Let's Encrypt cert chains
Source: gnutls28
Version: 3.7.2-2

Apps using gnutls fail to connect to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0].

Examples:

$ lftp https://shop.bbc.com
cd: Fatal error: Certificate verification: Not trusted (93:3C:6D:DE:E9:5C:9C:41:A4:0F:9F:50:49:3D:82:BE:03:AD:87:BF)

$ audacious https://stream.tonkuhle.de/tonkuhle.mp3
ERROR neon.cc:542 [open_request]: <0x7f68d4025660> Could not open URL: 1 (0)
ERROR neon.cc:545 [open_request]: <0x7f68d4025660> neon error string: Server certificate verification failed: bad certificate chain
ERROR neon.cc:756 [fopen]: <0x7f68d4025660> Could not open URL
ERROR util.cc:269 [audgui_simple_message]: Error playing https://stream.tonkuhle.de/tonkuhle.mp3: Server certificate verification failed: bad certificate chain

[0] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
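
A simplified model of the failure reported in this thread, added here as an example; it is not code from GnuTLS, lftp, neon or any message above. It contrasts a verifier that insists on using every presented certificate with one that stops at the first trusted anchor. Assumptions: the certificate records and dates are constructed, the trust store is assumed to hold both roots, and signature checks are left out.

```python
from datetime import date

# Constructed sample data: names mirror the report, dates are illustrative only.
PRESENTED = [  # chain as sent by the server, leaf first
    {"subject": "leaf", "issuer": "R3", "not_after": date(2021, 12, 1)},
    {"subject": "R3", "issuer": "ISRG Root X1", "not_after": date(2025, 9, 15)},
    # Cross-signed copy of the newer root, issued by the older root.
    {"subject": "ISRG Root X1", "issuer": "DST Root CA X3", "not_after": date(2024, 9, 30)},
]
TRUST_STORE = {  # anchor name -> expiry (assumed store contents)
    "ISRG Root X1": date(2035, 6, 4),
    "DST Root CA X3": date(2021, 9, 30),  # expired at the time of the report
}

def _links_ok(chain, today):
    """Each cert must be unexpired and issued by the next cert in the list."""
    for i, cert in enumerate(chain):
        if cert["not_after"] < today:
            return False, f"{cert['subject']} expired"
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            return False, f"{cert['subject']} not issued by {chain[i + 1]['subject']}"
    return True, "ok"

def _anchor_ok(name, store, today):
    return name in store and store[name] >= today

def verify_whole_chain(chain, store, today):
    """Strict walk: only the issuer of the LAST presented cert may be the anchor."""
    ok, why = _links_ok(chain, today)
    if not ok:
        return False, why
    root = chain[-1]["issuer"]
    if not _anchor_ok(root, store, today):
        return False, f"anchor {root} missing or expired"
    return True, f"anchored at {root}"

def verify_first_anchor(chain, store, today):
    """Stop at the first cert whose issuer is a valid trusted anchor."""
    for i, cert in enumerate(chain):
        if _anchor_ok(cert["issuer"], store, today):
            ok, why = _links_ok(chain[: i + 1], today)  # later certs are ignored
            return (True, f"anchored at {cert['issuer']}") if ok else (False, why)
    return False, "no valid trusted anchor for any presented cert"

if __name__ == "__main__":
    today = date(2021, 10, 8)  # date of the original report
    print("whole chain :", verify_whole_chain(PRESENTED, TRUST_STORE, today))
    print("first anchor:", verify_first_anchor(PRESENTED, TRUST_STORE, today))
```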