
Re: Sectigo root CA expiry issue

From: darnir
Subject: Re: Sectigo root CA expiry issue
Date: Sun, 31 May 2020 00:18:08 +0200
User-agent: K-9 Mail for Android

For anyone interested, this topic is currently trending on Hacker News:


On May 30, 2020 9:02:36 PM GMT+02:00, Petr Pisar <petr.pisar@atlas.cz> wrote:
>On Sat, May 30, 2020 at 07:57:22PM +0200, Tenboro wrote:
>> Today I started getting some errors with a maintenance script that
>> makes use of wget, where it claims that a certificate has expired.
>> DEBUG output created by Wget 1.19.5 on linux-gnu.
>> Reading HSTS entries from /root/.wget-hsts
>> URI encoding = ‘UTF-8’
>> --2020-05-30 17:29:58--  https://ehwiki.org/
>> Certificates loaded: 154
>> Resolving ehwiki.org (ehwiki.org)...
>> Caching ehwiki.org =>
>> Connecting to ehwiki.org (ehwiki.org)||:443... connected.
>> Created socket 4.
>> Releasing 0x00005633a3c84880 (new refcount 1).
>> ERROR: The certificate of ‘ehwiki.org’ is not trusted.
>> ERROR: The certificate of ‘ehwiki.org’ has expired.
>> However, the certificate does not expire until March 2021.
>Yes. That's a badly worded error message by wget. The issue is not with
>the ehwiki.org certificate. The issue is with its authority's certificate.
>> Doing the same with curl on the same box produces no errors, so it
>> does not seem to be an issue with the system CA certs. Based on some
>> slouching around, it seems to have something to do with wget not
>> correctly handling the expiry of the Sectigo AddTrust root certificate:
>> The issue is present on CentOS 6, CentOS 7 and CentOS 8 installations
>> with all updates applied.
>> I'm not sure if this is a distro issue or an issue with wget itself?
>I experience it on Gentoo too. The problem is not in wget:
>$ wget --version
>GNU Wget 1.20.3 built on linux-gnu.
>-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls 
>-ntlm +opie -psl +ssl/gnutls 
>but in GnuTLS library:
>$ gnutls-cli --port https ehwiki.org
>Processed 158 CA certificate(s).
>Resolving 'ehwiki.org:https'...
>Connecting to ''...
>- Certificate type: X.509
>- Got a certificate list of 3 certificates.
>- Certificate[0] info:
>- subject `CN=ehwiki.org,OU=Gandi Standard SSL,OU=Domain Control
>Validated', issuer `CN=Gandi Standard SSL CA
>2,O=Gandi,L=Paris,ST=Paris,C=FR', serial
>0x63a5ea656ff9efdfe68ec85d3025466c, RSA key 2048 bits, signed using
>RSA-SHA256, activated `2019-01-31 00:00:00 UTC', expires `2021-03-12
>23:59:59 UTC',
>        Public Key ID:
>                sha1:63ddc827cb0c5efda0634864ececc9855001c8bc
>        Public Key PIN:
>                pin-sha256:wPbqFLlZqQbuF+thnCarsf0k8CbvM8wbbjhcT45lx78=
>- Certificate[1] info:
>- subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR',
>issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>Network,L=Jersey City,ST=New Jersey,C=US', serial
>0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using
>RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11
>23:59:59 UTC',
>- Certificate[2] info:
>- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST
>Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External
>CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial
>0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using
>RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30
>10:48:38 UTC',
>- Status: The certificate is NOT trusted. The certificate chain uses
>expired certificate. 
>*** PKI verification of server certificate failed...
>*** Fatal error: Error in the certificate.
>It seems that GnuTLS stops on a failure in the first certificate chain,
>while other libraries like OpenSSL explore other chains before giving up.
>It would help if the ehwiki.org server did not send the expired
>certificate in the certificate chain of the TLS handshake and sent the
>alternative one that has not yet expired, as advertised on the Sectigo
>web page you linked.
>-- Petr

Sent from my Android device with K-9 Mail. Please excuse my brevity.
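The difference Petr describes between GnuTLS and OpenSSL comes down to how each library builds a path from the leaf to a trust anchor. The following is an added illustration, not code from the thread, from wget or from either TLS library: it models the three certificates ehwiki.org served (subjects, issuers and validity dates taken from the gnutls-cli output above, reduced to their CN) and a trust store holding both the AddTrust External CA Root and the self-signed USERTrust RSA Certification Authority. The self-signed root's validity dates and all key identifiers are assumptions for the model; signature verification is stood in for by matching the signing key identifier, so the logic shown is path building, not cryptography. The strict walk follows the served chain in order and stops at the first expired certificate, the way the report describes GnuTLS; the second function explores alternative issuers from the trust store first, the behaviour Petr attributes to OpenSSL, and finds the path that ends at the still-valid self-signed USERTrust root because that root has the same subject and key as the expired cross-signed version. It also shows that dropping the cross-certificate from the served chain, the fix Petr suggests, makes the strict walk succeed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key: str         # identifier of this certificate's own public key (assumed label)
    signer_key: str  # identifier of the key that signed it (stands in for a signature check)

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after

    def signed_by(self, issuer: "Cert") -> bool:
        # Real path building matches issuer DN and verifies the signature; the model
        # matches the DN and the key identifier instead.
        return issuer.subject == self.issuer and issuer.key == self.signer_key


def utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# The chain as served by ehwiki.org in the gnutls-cli output (dates from the page).
LEAF = Cert("CN=ehwiki.org", "CN=Gandi Standard SSL CA 2",
            utc("2019-01-31 00:00:00"), utc("2021-03-12 23:59:59"), "ehwiki-key", "gandi-key")
GANDI = Cert("CN=Gandi Standard SSL CA 2", "CN=USERTrust RSA Certification Authority",
             utc("2014-09-12 00:00:00"), utc("2024-09-11 23:59:59"), "gandi-key", "usertrust-key")
USERTRUST_CROSS = Cert("CN=USERTrust RSA Certification Authority", "CN=AddTrust External CA Root",
                       utc("2000-05-30 10:48:38"), utc("2020-05-30 10:48:38"), "usertrust-key", "addtrust-key")
SERVED_CHAIN = [LEAF, GANDI, USERTRUST_CROSS]

# Trust store model. The AddTrust root shares the cross-certificate's expiry; the self-signed
# USERTrust root's dates are assumed for illustration. What matters is that it carries the
# same subject and key as the cross-signed copy served by the site.
ADDTRUST_ROOT = Cert("CN=AddTrust External CA Root", "CN=AddTrust External CA Root",
                     utc("2000-05-30 10:48:38"), utc("2020-05-30 10:48:38"), "addtrust-key", "addtrust-key")
USERTRUST_ROOT = Cert("CN=USERTrust RSA Certification Authority", "CN=USERTrust RSA Certification Authority",
                      utc("2010-02-01 00:00:00"), utc("2038-01-18 23:59:59"), "usertrust-key", "usertrust-key")
TRUST_STORE = [ADDTRUST_ROOT, USERTRUST_ROOT]

# Time of the failing wget run quoted in the report.
NOW = utc("2020-05-30 17:29:58")


def verify_served_chain(chain: List[Cert], trust: List[Cert], now: datetime) -> Tuple[bool, str]:
    """Strict walk: take the chain exactly as served and stop at the first problem."""
    for i, cert in enumerate(chain):
        if not cert.valid_at(now):
            return False, f"Certificate[{i}] ({cert.subject}) expired {cert.not_after:%Y-%m-%d %H:%M:%S} UTC"
        if i + 1 < len(chain):
            if not cert.signed_by(chain[i + 1]):
                return False, f"Certificate[{i}] is not signed by Certificate[{i + 1}]"
        else:
            anchors = [a for a in trust if cert.signed_by(a)]
            if not anchors:
                return False, f"Certificate[{i}] issuer is not in the trust store"
            if not any(a.valid_at(now) for a in anchors):
                return False, "trust anchor has expired"
    return True, "chain verified as served"


def build_path(cert: Cert, untrusted: List[Cert], trust: List[Cert],
               now: datetime, depth: int = 0) -> Optional[List[Cert]]:
    """Explore alternatives: prefer a valid trust anchor as issuer, otherwise try any
    valid untrusted certificate that could have signed this one. Returns the path found."""
    if not cert.valid_at(now) or depth > 8:
        return None
    for anchor in trust:
        if cert.signed_by(anchor) and anchor.valid_at(now):
            return [cert, anchor]
    for cand in untrusted:
        if cand is not cert and cert.signed_by(cand):
            rest = build_path(cand, untrusted, trust, now, depth + 1)
            if rest:
                return [cert] + rest
    return None


if __name__ == "__main__":
    print("strict walk, served chain:", verify_served_chain(SERVED_CHAIN, TRUST_STORE, NOW))
    path = build_path(LEAF, SERVED_CHAIN, TRUST_STORE, NOW)
    print("alternative path:", [c.subject for c in path] if path else None)
    print("strict walk, cross-cert removed:", verify_served_chain([LEAF, GANDI], TRUST_STORE, NOW))
```

Run against the model, the strict walk fails on Certificate[2] with the same expiry date gnutls-cli printed, the alternative-path search ends at the self-signed USERTrust root, and serving only the leaf plus the Gandi intermediate satisfies the strict walk as well. A trust store that lacks the self-signed USERTrust root has no alternative path and fails either way.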
