Re: Sectigo root CA expiry issue
For anyone interested, this topic is currently trending on Hacker News: https://news.ycombinator.com/item?id=23362759

On May 30, 2020 9:02:36 PM GMT+02:00, Petr Pisar wrote:
>On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
>> Today I started getting some errors with a maintenance script that makes
>> use of wget, where it claims that a certificate has expired.
>>
>> DEBUG output created by Wget 1.19.5 on linux-gnu.
>>
>> Reading HSTS entries from /root/.wget-hsts
>> URI encoding = ‘UTF-8’
>> --2020-05-30 17:29:58-- https://ehwiki.org/
>> Certificates loaded: 154
>> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
>> Caching ehwiki.org => 94.100.29.76
>> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
>> Created socket 4.
>> Releasing 0x5633a3c84880 (new refcount 1).
>> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
>> ERROR: The certificate of ‘ehwiki.org’ has expired.
>>
>> However, the certificate does not expire until March 2021.
>
>Yes. That's a badly worded error message by wget. The issue is not with
>ehwiki.org certificate. The issue is with its authority's certificate.
>
>> Doing the same
>> with curl on the same box produces no errors, so it does not seem to be an
>> issue with the system CA certs. Based on some slouching around, it seems to
>> have something to do with wget not correctly handling the expiry of the
>> Sectigo AddTrust root certificate:
>>
>> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
>> [...]
>> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
>> all updates applied.
>>
>> I'm not sure if this is a distro issue or an issue with wget itself?
>
>I experience it on Gentoo too. The problem is not in wget:
>
>$ wget --version
>GNU Wget 1.20.3 built on linux-gnu.
>
>-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
>-ntlm +opie -psl +ssl/gnutls
>
>but in GnuTLS library:
>
>$ gnutls-cli --port https ehwiki.org
>Processed 158 CA certificate(s).
>Resolving 'ehwiki.org:https'...
>Connecting to '94.100.29.76:443'...
>- Certificate type: X.509
>- Got a certificate list of 3 certificates.
>- Certificate[0] info:
>- subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12 23:59:59 UTC', pin-sha256="wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78="
>Public Key ID:
>sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
>sha256:c0f6ea14b959a906ee17eb619c26abb1fd24f026ef33cc1b6e385c4f8e65c7bf
>Public Key PIN:
>pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=
>
>- Certificate[1] info:
>- subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
>- Certificate[2] info:
>- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
>- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
>*** PKI verification of server certificate failed...
>*** Fatal error: Error in the certificate.
>
>It seems that GnuTLS stops on a failure in the first certificate chain, while
>other libraries like OpenSSL explore other chains before giving up.
>
>It would help if ehwiki.org server did not send the expired certificate in the
>certificate chain of the TLS handshake and sent the alternative one that has
>not yet expired as advertised on the Sectigo web page you linked.
>
>-- Petr

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Sectigo root CA expiry issue
On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
> Today I started getting some errors with a maintenance script that makes
> use of wget, where it claims that a certificate has expired.
>
> DEBUG output created by Wget 1.19.5 on linux-gnu.
>
> Reading HSTS entries from /root/.wget-hsts
> URI encoding = ‘UTF-8’
> --2020-05-30 17:29:58-- https://ehwiki.org/
> Certificates loaded: 154
> Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
> Caching ehwiki.org => 94.100.29.76
> Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
> Created socket 4.
> Releasing 0x5633a3c84880 (new refcount 1).
> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
> ERROR: The certificate of ‘ehwiki.org’ has expired.
>
> However, the certificate does not expire until March 2021.

Yes. That's a badly worded error message by wget. The issue is not with
ehwiki.org certificate. The issue is with its authority's certificate.

> Doing the same
> with curl on the same box produces no errors, so it does not seem to be an
> issue with the system CA certs. Based on some slouching around, it seems to
> have something to do with wget not correctly handling the expiry of the
> Sectigo AddTrust root certificate:
>
> https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
> [...]
> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with
> all updates applied.
>
> I'm not sure if this is a distro issue or an issue with wget itself?

I experience it on Gentoo too. The problem is not in wget:

$ wget --version
GNU Wget 1.20.3 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
-ntlm +opie -psl +ssl/gnutls

but in GnuTLS library:

$ gnutls-cli --port https ehwiki.org
Processed 158 CA certificate(s).
Resolving 'ehwiki.org:https'...
Connecting to '94.100.29.76:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12 23:59:59 UTC', pin-sha256="wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78="
Public Key ID:
sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
sha256:c0f6ea14b959a906ee17eb619c26abb1fd24f026ef33cc1b6e385c4f8e65c7bf
Public Key PIN:
pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=

- Certificate[1] info:
- subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC', pin-sha256="WGJkyYjx1QMdMe0UqlyOKXtydPDVrk7sl2fV+nNm1r4="
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4="
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

It seems that GnuTLS stops on a failure in the first certificate chain, while
other libraries like OpenSSL explore other chains before giving up.

It would help if ehwiki.org server did not send the expired certificate in the
certificate chain of the TLS handshake and sent the alternative one that has
not yet expired as advertised on the Sectigo web page you linked.

-- Petr
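To make the difference Petr describes concrete, here is an added example, not code from the thread, wget or GnuTLS, that models the two verification strategies over the chain gnutls-cli printed. Certificates are a toy dataclass with symbolic key labels standing in for real keys and signatures (DNs shortened to the CN), and the expiry dates of the two trust-store roots are assumptions for the model. `verify_linear` walks the chain exactly as the server sent it and fails at the expired USERTrust cross-certificate; `verify_path_building` searches for any path and reaches the same CA key through the self-signed USERTrust root instead; the last call shows the server-side fix of simply not sending the expired cross-certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Toy model of an X.509 certificate: only the fields path building needs."""
    subject: str
    issuer: str
    spki: str          # label standing in for the subject public key
    signer_key: str    # label of the key that produced the signature
    not_after: datetime


def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)


# Server-sent chain, modelled on the gnutls-cli output in the thread.
# Key labels are symbolic (constructed), not real SPKI hashes.
LEAF = Cert("CN=ehwiki.org", "CN=Gandi Standard SSL CA 2",
            "k-ehwiki", "k-gandi", utc(2021, 3, 12, 23, 59, 59))
GANDI_CA2 = Cert("CN=Gandi Standard SSL CA 2", "CN=USERTrust RSA Certification Authority",
                 "k-gandi", "k-usertrust", utc(2024, 9, 11, 23, 59, 59))
# The cross-certificate: USERTrust's key, signed by the old AddTrust root.
USERTRUST_CROSS = Cert("CN=USERTrust RSA Certification Authority", "CN=AddTrust External CA Root",
                       "k-usertrust", "k-addtrust", utc(2020, 5, 30, 10, 48, 38))

# Trust store. The root expiry dates here are assumptions for the model, not from the thread.
USERTRUST_ROOT = Cert("CN=USERTrust RSA Certification Authority", "CN=USERTrust RSA Certification Authority",
                      "k-usertrust", "k-usertrust", utc(2038, 1, 18, 23, 59, 59))
ADDTRUST_ROOT = Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root",
                     "k-addtrust", "k-addtrust", utc(2020, 5, 30, 10, 48, 38))
TRUST_STORE = [USERTRUST_ROOT, ADDTRUST_ROOT]


def signed_by(child, parent):
    """Name chaining plus the stand-in for a signature check."""
    return child.issuer == parent.subject and child.signer_key == parent.spki


def unexpired(cert, now):
    return now <= cert.not_after


def verify_linear(chain, anchors, now):
    """Walk the chain exactly as sent, failing on the first defect.
    Approximates the 'stop on the first chain' behaviour the thread attributes
    to GnuTLS. Returns (ok, detail)."""
    for i, cert in enumerate(chain):
        if not unexpired(cert, now):
            return False, "expired: " + cert.subject
        if i + 1 < len(chain) and not signed_by(cert, chain[i + 1]):
            return False, "broken link at: " + cert.subject
    last = chain[-1]
    for anchor in anchors:
        if signed_by(last, anchor) and unexpired(anchor, now):
            return True, "anchored at: " + anchor.subject
    return False, "no trust anchor signs: " + last.subject


def verify_path_building(chain, anchors, now):
    """Depth-first search for any valid path from the leaf to an unexpired anchor.
    Anchors are tried before server-sent extras and expired candidates are skipped,
    so an expired cross-certificate in the handshake cannot block a path that reaches
    the same CA key via the self-signed root in the trust store.
    Returns the subjects on the path found, or None."""
    leaf, extras = chain[0], chain[1:]

    def search(cert, path):
        if not unexpired(cert, now):
            return None
        path = path + [cert.subject]
        for anchor in anchors:
            if signed_by(cert, anchor) and unexpired(anchor, now):
                return path + [anchor.subject]
        for cand in extras:
            if cand.subject not in path and signed_by(cert, cand):
                found = search(cand, path)
                if found:
                    return found
        return None

    return search(leaf, [])


if __name__ == "__main__":
    now = utc(2020, 5, 30, 12, 0, 0)   # shortly after the AddTrust expiry
    sent = [LEAF, GANDI_CA2, USERTRUST_CROSS]
    print("linear:        ", verify_linear(sent, TRUST_STORE, now))
    print("path building: ", verify_path_building(sent, TRUST_STORE, now))
    # Petr's fix: stop sending the expired cross-cert; the chain then ends at an
    # intermediate whose issuer is already a self-signed root in the trust store.
    print("linear, fixed: ", verify_linear([LEAF, GANDI_CA2], TRUST_STORE, now))
```

Run it with a `now` of 2020-05-29 and the linear walk succeeds too, anchored at AddTrust, which is why nothing looked wrong the day before: the server's chain was valid until the cross-certificate and the AddTrust root expired together, and only verifiers that build alternative paths kept working afterwards.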
Sectigo root CA expiry issue
Hello,

Today I started getting some errors with a maintenance script that makes use of wget, where it claims that a certificate has expired.

DEBUG output created by Wget 1.19.5 on linux-gnu.

Reading HSTS entries from /root/.wget-hsts
URI encoding = ‘UTF-8’
--2020-05-30 17:29:58-- https://ehwiki.org/
Certificates loaded: 154
Resolving ehwiki.org (ehwiki.org)... 94.100.29.76
Caching ehwiki.org => 94.100.29.76
Connecting to ehwiki.org (ehwiki.org)|94.100.29.76|:443... connected.
Created socket 4.
Releasing 0x5633a3c84880 (new refcount 1).
ERROR: The certificate of ‘ehwiki.org’ is not trusted.
ERROR: The certificate of ‘ehwiki.org’ has expired.

However, the certificate does not expire until March 2021. Doing the same with curl on the same box produces no errors, so it does not seem to be an issue with the system CA certs. Based on some slouching around, it seems to have something to do with wget not correctly handling the expiry of the Sectigo AddTrust root certificate:

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

This test link from Sectigo similarly works in Chrome/Firefox/curl, but not in wget.

https://addtrustchain.test.certificatetest.com/

wget -d https://addtrustchain.test.certificatetest.com/
DEBUG output created by Wget 1.19.5 on linux-gnu.
Reading HSTS entries from /root/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2020-05-30 17:50:32-- https://addtrustchain.test.certificatetest.com/
Certificates loaded: 154
Resolving addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)... 35.245.138.9
Caching addtrustchain.test.certificatetest.com => 35.245.138.9
Connecting to addtrustchain.test.certificatetest.com (addtrustchain.test.certificatetest.com)|35.245.138.9|:443... connected.
Created socket 3.
Releasing 0x559518283390 (new refcount 1).
ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ is not trusted.
ERROR: The certificate of ‘addtrustchain.test.certificatetest.com’ has expired.

curl https://addtrustchain.test.certificatetest.com/
Certificate issued from a CA signed by USERTrust RSA Certification Authority with a cross cert via server chain from AddTrust External CA Root

The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations with all updates applied.

I'm not sure if this is a distro issue or an issue with wget itself?