[Turris OS 3.x] GnuTLS fails to verify Let's Encrypt certificates
### Cause
Let's Encrypt's original root, *DST Root CA X3*, which cross-signs *ISRG Root X1*, expired at *Sep 30 14:01:15 2021 GMT* (today). Certificates issued by Let's Encrypt chain to *ISRG Root X1*, which has been present in the certificate store as a trusted root CA for a long time. The chain served by `odvr.nic.cz` still ends with the cross-signed *ISRG Root X1* (issued by *DST Root CA X3*, see the chain dump below), and the GnuTLS version in Turris OS 3.x follows that chain all the way to the expired *DST Root CA X3* instead of stopping at the trusted self-signed *ISRG Root X1* it already has. Verification therefore fails with `Status: The certificate is NOT trusted. The certificate chain uses expired certificate.`
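A small model of the two chain-building strategies described above, added here as an illustration (it is not GnuTLS or kresd code, and real path building checks signatures, not only names). Certificates are plain records carrying the fields printed in the chain dump on this page, with the validity dates taken from that dump; the strategy names and the `now` timestamps are this example's own.

```python
"""Why the same chain verifies before Sep 30 14:01:15 2021 GMT and fails after.

Added example: a name-matching model of chain verification, not GnuTLS code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after


def _utc(s: str) -> datetime:
    # Parse timestamps in the 'notAfter=Sep 30 14:01:15 2021 GMT' style.
    return datetime.strptime(s, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


# Chain as dumped on this page: leaf, R3, cross-signed ISRG Root X1.
LEAF = Cert("CN = odvr.nic.cz", "CN = R3",
            _utc("Aug 31 17:23:50 2021"), _utc("Nov 29 17:23:49 2021"))
R3 = Cert("CN = R3", "CN = ISRG Root X1",
          _utc("Sep 4 00:00:00 2020"), _utc("Sep 15 16:00:00 2025"))
ISRG_X1_CROSS = Cert("CN = ISRG Root X1", "CN = DST Root CA X3",
                     _utc("Jan 20 19:14:03 2021"), _utc("Sep 30 18:14:03 2024"))
PRESENTED_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# Roots from /etc/ssl/certs/ca-certificates.crt (both self-signed).
DST_ROOT = Cert("CN = DST Root CA X3", "CN = DST Root CA X3",
                _utc("Sep 30 21:12:19 2000"), _utc("Sep 30 14:01:15 2021"))
ISRG_X1_SELF = Cert("CN = ISRG Root X1", "CN = ISRG Root X1",
                    _utc("Jun 4 11:04:38 2015"), _utc("Jun 4 11:04:38 2035"))
TRUST_STORE = [DST_ROOT, ISRG_X1_SELF]


def verify_presented_chain(chain, store, now):
    """Old behaviour (model): every presented certificate must be valid and
    the LAST one must be issued by a valid root from the store. The walk ends
    at the cross-signed ISRG Root X1, whose issuer is the expired DST root."""
    for cert in chain:
        if not cert.valid_at(now):
            return False, f"expired in chain: {cert.subject}"
    issuer = chain[-1].issuer
    roots = [r for r in store if r.subject == issuer]
    if not roots:
        return False, f"no root for {issuer}"
    if not any(r.valid_at(now) for r in roots):
        return False, f"The certificate chain uses expired certificate ({issuer})"
    return True, f"anchored at {issuer}"


def verify_shortest_path(chain, store, now):
    """Fixed behaviour (model): stop at the FIRST certificate whose issuer is
    a valid trusted root. R3 is issued by ISRG Root X1, which is in the store,
    so the cross-signed certificate appended by the server is never needed."""
    for cert in chain:
        if not cert.valid_at(now):
            return False, f"expired in chain: {cert.subject}"
        for root in store:
            if root.subject == cert.issuer and root.valid_at(now):
                return True, f"anchored at {root.subject}"
    return False, "no trusted path"


if __name__ == "__main__":
    for when in ("Sep 29 12:00:00 2021", "Sep 30 15:00:00 2021"):  # before / after expiry
        now = _utc(when)
        for name, fn in (("whole presented chain", verify_presented_chain),
                         ("shortest trusted path", verify_shortest_path)):
            ok, why = fn(PRESENTED_CHAIN, TRUST_STORE, now)
            print(f"{when}  {name:22s}: {'OK' if ok else 'FAIL'} ({why})")
```

Running it shows both strategies succeeding on Sep 29 and only the shortest-path one succeeding on Sep 30 after 14:01 GMT, which matches the TOS 3.x versus TOS 5.x behaviour in the table below: nothing about the server or the trust store changed, only the date.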
### Issue
As a result, `kresd` on Turris OS 3.x fails to verify the TLS certificate of the `odvr.nic.cz` DNS-over-TLS forwarder and returns `SERVFAIL` for every DNS query. ~High ~Bug
### Further info
| Package | version in Turris OS 3.x (affected) | version in Turris OS 5.x (not affected) |
|--|--|--|
| turris-version | 3.11.23 | 5.2.7 |
| knot-resolver | 5.2.0-1 | 5.3.2-2 |
| libgnutls | 3.6.7-4 | 3.6.15-2 |
The issue can be reproduced with:
```
gnutls-cli -p 853 odvr.nic.cz
```
which succeeds on _TOS 5.x_ but fails on _TOS 3.x_ with:
```
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
```
<details>
<summary>Certificate chain</summary>
```
odvr.nic.cz (leaf)
    subject=CN = odvr.nic.cz
    issuer=C = US, O = Let's Encrypt, CN = R3
    notBefore=Aug 31 17:23:50 2021 GMT
    notAfter=Nov 29 17:23:49 2021 GMT
  |
  v
R3 (intermediate)
    subject=C = US, O = Let's Encrypt, CN = R3
    issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
    notBefore=Sep 4 00:00:00 2020 GMT
    notAfter=Sep 15 16:00:00 2025 GMT
  |
  v
ISRG Root X1 (cross-signed by DST Root CA X3)
    subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
    notBefore=Jan 20 19:14:03 2021 GMT
    notAfter=Sep 30 18:14:03 2024 GMT
  |
  v
DST Root CA X3 (self-signed root, EXPIRED)
    subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
    issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
    notBefore=Sep 30 21:12:19 2000 GMT
    notAfter=Sep 30 14:01:15 2021 GMT
```
</details>
<details>
<summary>/etc/ssl/certs/DST_Root_CA_X3.crt</summary>
The original root CA, now expired, which should no longer be used as a trust anchor:
```
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT
```
</details>
<details>
<summary>/etc/ssl/certs/ISRG_Root_X1.crt</summary>
The current, valid root CA:
```
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
notBefore=Jun 4 11:04:38 2015 GMT
notAfter=Jun 4 11:04:38 2035 GMT
```
</details>
<details>
<summary>/etc/resolver/dns_servers/00_odvr-cznic.conf</summary>
kresd configuration for forwarding to the ODVR DNS-over-TLS servers:
```
name="00_odvr-cznic.conf"
description="CZ.NIC (TLS)"
enable_tls="1"
port="853"
ipv4="193.17.47.1 185.43.135.1"
ipv6="2001:148f:ffff::1 2001:148f:fffe::1"
ca_file="/etc/ssl/certs/ca-certificates.crt"
hostname="odvr.nic.cz"
```
</details>