[Turris OS 3.x] GnuTLS fails to verify Let's Encrypt certificates

Cause

Let's Encrypt's original cross-signed root CA, DST Root CA X3, expired at Sep 30 14:01:15 2021 GMT (today). Certificates issued by Let's Encrypt chain up to ISRG Root X1, which has been present in the certificate store as a trusted root CA for a long time. Nevertheless, GnuTLS fails to verify the Let's Encrypt certificate and returns: Status: The certificate is NOT trusted. The certificate chain uses expired certificate.

Issue

As a result, kresd on Turris OS 3.x fails to verify the TLS certificate of the odvr.nic.cz server and returns SERVFAIL for every DNS query.

Further info

Package          Version in Turris OS 3.x   Version in Turris OS 5.x
turris-version   3.11.23                    5.2.7
knot-resolver    5.2.0-1                    5.3.2-2
libgnutls        3.6.7-4                    3.6.15-2

The issue can be reproduced with a single command:

gnutls-cli -p 853 odvr.nic.cz

which succeeds on TOS 5.x but fails on TOS 3.x with:

- Status: The certificate is NOT trusted. The certificate chain uses expired certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
Certificate chain
+-------------------------------------------+
| subject=CN = odvr.nic.cz                  |
| issuer=C = US, O = Let's Encrypt, CN = R3 |
| notBefore=Aug 31 17:23:50 2021 GMT        |
| notAfter=Nov 29 17:23:49 2021 GMT         |   
+-------------------------------------------+
                    \   
                     \   
                      \   
    +------------------------------------------------------------------------+
    | subject=C = US, O = Let's Encrypt, CN = R3                             |   
    | issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1 |
    | notBefore=Sep  4 00:00:00 2020 GMT                                     |   
    | notAfter=Sep 15 16:00:00 2025 GMT                                      |   
    +------------------------------------------------------------------------+
                            \   
                             \   
                              \   
        +-------------------------------------------------------------------------+
        | subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1 |
        | issuer=O = Digital Signature Trust Co., CN = DST Root CA X3             |   
        | notBefore=Jan 20 19:14:03 2021 GMT                                      |   
        | notAfter=Sep 30 18:14:03 2024 GMT                                       |   
        +-------------------------------------------------------------------------+
            /                                                               \   
            |                   \                                           |
            |                    \                                          |   
            |                     \                                         |   
            | +-----------------------------------------------------------+ |
            | | subject= /O=Digital Signature Trust Co./CN=DST Root CA X3 | | 
            | | issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3  | | 
            | | notBefore=Sep 30 21:12:19 2000 GMT                        | | 
            | | notAfter=Sep 30 14:01:15 2021 GMT                         | | 
            | +-----------------------------------------------------------+ |
            \                                                               /   

/etc/ssl/certs/DST_Root_CA_X3.crt

The original root CA, now expired, which should be ignored from now on:

subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT

/etc/ssl/certs/ISRG_Root_X1.crt

The currently valid root CA:

subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Jun  4 11:04:38 2015 GMT
notAfter=Jun  4 11:04:38 2035 GMT
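
The following is an added illustration, not code from this report or from GnuTLS: a simplified model of the chain sent by odvr.nic.cz and of the two root CAs in the trust store above, with the validity dates from the diagram. It contrasts a path builder that follows the server-sent chain to its end (and so hits the expired DST Root CA X3) with one that stops as soon as a currently valid trust anchor issued the certificate in hand (and so ends at the self-signed ISRG Root X1). Certificates are modelled by names, key identifiers and dates only; no real keys or signatures are involved.

```python
from collections import namedtuple
from datetime import datetime

# Constructed model of a certificate: names, key identifiers and validity only (no real keys).
Cert = namedtuple("Cert", "subject issuer key signer not_before not_after")

def valid_at(cert, now):
    return cert.not_before <= now <= cert.not_after

def chains_to(cert, issuer):
    # Issuer match as a path builder sees it: issuer name plus the signing key.
    return cert.issuer == issuer.subject and cert.signer == issuer.key

# The chain as sent by odvr.nic.cz, with the dates from the chain diagram in the report.
LEAF = Cert("odvr.nic.cz", "R3", "k_leaf", "k_r3", datetime(2021, 8, 31, 17, 23, 50), datetime(2021, 11, 29, 17, 23, 49))
R3 = Cert("R3", "ISRG Root X1", "k_r3", "k_isrg", datetime(2020, 9, 4), datetime(2025, 9, 15, 16))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", "k_isrg", "k_dst", datetime(2021, 1, 20, 19, 14, 3), datetime(2024, 9, 30, 18, 14, 3))
DST = Cert("DST Root CA X3", "DST Root CA X3", "k_dst", "k_dst", datetime(2000, 9, 30, 21, 12, 19), datetime(2021, 9, 30, 14, 1, 15))
# Self-signed ISRG Root X1 from /etc/ssl/certs/ISRG_Root_X1.crt (same key as the cross-cert).
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", "k_isrg", "k_isrg", datetime(2015, 6, 4, 11, 4, 38), datetime(2035, 6, 4, 11, 4, 38))

SERVER_CHAIN = [LEAF, R3, ISRG_CROSS, DST]
TRUST_STORE = [DST, ISRG_SELF]            # both roots sit in ca-certificates.crt
T_BEFORE_EXPIRY = datetime(2021, 9, 30, 13, 0)
T_AFTER_EXPIRY = datetime(2021, 9, 30, 15, 0)

def verify_as_sent(chain, store, now):
    """Follow the chain exactly as sent; every link valid, last one in the store. Returns (ok, path)."""
    path = []
    for i, cert in enumerate(chain):
        path.append(cert.subject)
        if not valid_at(cert, now):
            return False, path            # "The certificate chain uses expired certificate"
        if i + 1 < len(chain) and not chains_to(cert, chain[i + 1]):
            return False, path
    return chain[-1] in store, path

def verify_anchor_first(chain, store, now):
    """Stop at the first currently valid trust anchor that issued the certificate in hand."""
    path = []
    for i, cert in enumerate(chain):
        path.append(cert.subject)
        if not valid_at(cert, now):
            return False, path
        anchors = [t for t in store if chains_to(cert, t) and valid_at(t, now)]
        if anchors:
            path.append(anchors[0].subject + " (trust store)")
            return True, path
        if i + 1 == len(chain) or not chains_to(cert, chain[i + 1]):
            return False, path
```

Run after the expiry time, the first strategy stops at DST Root CA X3 with the same failure the report shows, while the second one never reaches the cross-cert because R3 already chains to the trusted, valid ISRG Root X1.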

/etc/resolver/dns_servers/00_odvr-cznic.conf

Configuration of kresd DNS forwarding to the ODVR DoT servers:

name="00_odvr-cznic.conf"
description="CZ.NIC (TLS)"
enable_tls="1"
port="853"
ipv4="193.17.47.1 185.43.135.1"
ipv6="2001:148f:ffff::1 2001:148f:fffe::1"
ca_file="/etc/ssl/certs/ca-certificates.crt"
hostname="odvr.nic.cz"
Edited by Vojtech Myslivec