On Sun, Oct 03, 2021 at 02:45:29PM +0200, Andreas Metzler wrote:
> Hello,
>
> looks like invisible-mirror.net stumbled over the recent letsencrypt
> change
> <https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/>

yes... I read about it, but didn't know it would bite me.

I just installed a new certificate (which presumably because it's signed by a new R3...) works.

That doesn't agree with this comment:

https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

"Most problems related to DST Root CA X3 expiring will not be solved by force renewal."

> it sends a chain signed by the expired R3 cert:
> ametzler@argenau:/tmp/EXIM4$ gnutls-cli invisible-mirror.net
> Processed 127 CA certificate(s).
> Resolving 'invisible-mirror.net:443'...
> Connecting to '160.153.42.69:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
> - subject `CN=invisible-mirror.net', issuer `CN=R3,O=Let's Encrypt,C=US',
> serial 0x0361c3003e1413e8655113f8907eeb16e4b4, RSA key 2048 bits, signed
> using RSA-SHA256, activated `2021-08-01 17:19:48 UTC', expires `2021-10-30
> 17:19:46 UTC', pin-sha256="LnOGaFwh9ztb+ce0tQdEB/Gx3A0dBPJjYzDn+Sdu+8A="
> Public Key ID:
> sha1:1b7234964165216ed84d88ad8d5f8c836fc01f72
>
> sha256:2e7386685c21f73b5bf9c7b4b5074407f1b1dc0d1d04f2636330e7f9276efbc0
> Public Key PIN:
> pin-sha256:LnOGaFwh9ztb+ce0tQdEB/Gx3A0dBPJjYzDn+Sdu+8A=
>
> - Certificate[1] info:
> - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital
> Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16cddf, RSA key 2048
> bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires
> `2021-09-29 19:21:40 UTC',
> pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
> - Status: The certificate is NOT trusted. The certificate chain uses expired
> certificate.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
>
> Not sure why it works in firefox, but it fails with lynx.

perhaps firefox has a bug :-)

-- 
Thomas E. Dickey <dic...@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
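An added example, not part of the thread: a small Python check that reads the certificate list from `gnutls-cli` output as quoted above (mail quoting and line wrapping included) and reports which entry in the chain the server sent is outside its validity window at a given time. The function names are hypothetical, and the check covers only the dates and the issuer/subject name linkage of the sent list, not signatures or the client's trust store.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two chain entries quoted in the message, with the
# mail quoting and wrapping kept; serial and pin values are placeholders.
SAMPLE = """\
> - Certificate[0] info:
>  - subject `CN=invisible-mirror.net', issuer `CN=R3,O=Let's Encrypt,C=US',
> serial 0x00, RSA key 2048 bits, signed
> using RSA-SHA256, activated `2021-08-01 17:19:48 UTC', expires `2021-10-30
> 17:19:46 UTC', pin-sha256="placeholder"
> - Certificate[1] info:
>  - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital
> Signature Trust Co.', serial 0x00, RSA key 2048
> bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires
> `2021-09-29 19:21:40 UTC',
> pin-sha256="placeholder"
"""

ENTRY = re.compile(r"subject `(.+?)', issuer `(.+?)', .*?"
                   r"activated `(.+?)', expires `(.+?)'")

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Return one dict per certificate, in the order the server sent them."""
    unquoted = re.sub(r"^(?:> ?)+", "", text, flags=re.M)  # drop mail quoting
    flat = " ".join(unquoted.split())                      # undo line wrapping
    return [{"subject": m[1], "issuer": m[2],
             "not_before": _utc(m[3]), "not_after": _utc(m[4])}
            for m in ENTRY.finditer(flat)]

def chain_problems(chain, now):
    """List (index, subject, reason) for every entry that breaks the sent chain."""
    problems = []
    for i, cert in enumerate(chain):
        if now > cert["not_after"]:
            problems.append((i, cert["subject"], "expired"))
        elif now < cert["not_before"]:
            problems.append((i, cert["subject"], "not yet valid"))
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            problems.append((i, cert["subject"], "issuer is not the next certificate"))
    return problems

if __name__ == "__main__":
    # Reference time: the Date of the quoted message, 14:45:29 +0200.
    now = datetime(2021, 10, 3, 12, 45, 29, tzinfo=timezone.utc)
    for idx, subject, reason in chain_problems(parse_chain(SAMPLE), now):
        print(f"Certificate[{idx}] {subject}: {reason}")
```
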