Bug 1842178
Summary: | AddTrust External Root CA certificate expiration causes cert validation issue | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Christian Heimes <cheimes> |
Component: | gnutls | Assignee: | Anderson Sasaki <ansasaki> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 32 | CC: | ansasaki, brian, crypto-team, dueno, luca, mcatanza, nmavrogi, pemensik, redhat, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | gnutls-3.6.13-6.fc32 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-06-02 03:53:35 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Christian Heimes
2020-05-30 19:37:10 UTC
FEDORA-2020-6ec1d85ab1 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6ec1d85ab1 The new build with patch https://src.fedoraproject.org/rpms/gnutls/blob/master/f/gnutls-3.6.13-superseding-chain.patch fixes the cert validation issue for me: ``` # rpm -qa gnutls gnutls-3.6.13-6.fc32.x86_64 # gnutls-cli api.ipify.org Processed 150 CA certificate(s). Resolving 'api.ipify.org:443'... Connecting to '23.21.153.210:443'... - Certificate type: X.509 - Got a certificate list of 4 certificates. - Certificate[0] info: - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=" Public Key ID: sha1:8e05c08fb342748ee63ac348448821bc628b8150 sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e Public Key PIN: pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44= - Certificate[1] info: - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=" - Certificate[2] info: - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=" - Certificate[3] info: - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=" - Status: The certificate is trusted. - Description: (TLS1.2-X.509)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-128-GCM) - Session ID: 7A:F6:D0:6D:48:15:16:62:A5:F5:E4:AE:BB:C5:10:1C:C2:50:12:F7:AF:AB:39:0B:CE:9B:07:29:02:15:2D:A2 - Options: safe renegotiation, - Handshake was completed - Simple Client Mode: ^C ``` Before upgrade: ``` # rpm -qa gnutls gnutls-3.6.13-4.fc32.x86_64 # gnutls-cli api.ipify.org Processed 150 CA certificate(s). Resolving 'api.ipify.org:443'... Connecting to '204.236.231.159:443'... - Certificate type: X.509 - Got a certificate list of 4 certificates. - Certificate[0] info: - subject `CN=*.ipify.org,OU=PositiveSSL Wildcard,OU=Domain Control Validated', issuer `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00920fd1b7fe4b88aeb6ed5ab0c36c5668, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-01-24 00:00:00 UTC', expires `2021-01-23 23:59:59 UTC', pin-sha256="gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44=" Public Key ID: sha1:8e05c08fb342748ee63ac348448821bc628b8150 sha256:80064b5a6898d0e446c6a1b471c121aa20776daba038eb3dbdd71ecd1087738e Public Key PIN: pin-sha256:gAZLWmiY0ORGxqG0ccEhqiB3baugOOs9vdcezRCHc44= - Certificate[1] info: - subject `CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x2b2e6eead975366c148a6edba37c8c07, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-02-12 00:00:00 UTC', expires `2029-02-11 23:59:59 UTC', pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=" - Certificate[2] info: - subject `CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x2766ee56eb49f38eabd770a2fc84de22, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=" - Certificate[3] info: - subject `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x01, RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', pin-sha256="lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=" - Status: The certificate is NOT trusted. The certificate chain uses expired certificate. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. ``` FEDORA-2020-6ec1d85ab1 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6ec1d85ab1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6ec1d85ab1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-6ec1d85ab1 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. *** Bug 1850512 has been marked as a duplicate of this bug. *** |