[Blink] Expired certificate for Ubuntu Focal Repository?

g4-lisz at tonarchiv.ch g4-lisz at tonarchiv.ch
Tue Nov 2 20:42:59 CET 2021


I think the problem is that the ISRG_Root_X1 is still signed by
DST_Root_CA_X3 and this is outdated:

~$ openssl x509 -text -noout -in /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT

On 02.11.21 20:20, g4-lisz at tonarchiv.ch wrote:
> Same issue here with Focal.
>
> I run update-ca-certificates:
>
>   0 added, 0 removed; done.
>
> Both certs DST Root X3 and ISRG Root X1 are installed:
>
> /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
>
> /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
>
>
> On 28.10.21 19:05, Lars Noodén wrote:
>> On 10/28/21 19:56, Adrian Georgescu wrote:
>>> Try this command in a Terminal:
>>>
>>> openssl s_client -connect proxy.sipthor.net:5061
>> It returned the following:
>>
>> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
>> verify return:1
>> depth=1 C = US, O = Let's Encrypt, CN = R3
>> verify return:1
>> depth=0 CN = sip2sip.info
>> verify return:1
>> CONNECTED(00000003)
>> ---
>> Certificate chain
>>  0 s:CN = sip2sip.info
>>    i:C = US, O = Let's Encrypt, CN = R3
>>  1 s:C = US, O = Let's Encrypt, CN = R3
>>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>> ---
>> Server certificate
>> subject=CN = sip2sip.info
>>
>> issuer=C = US, O = Let's Encrypt, CN = R3
>>
>> ---
>> No client certificate CA names sent
>> Requested Signature Algorithms:
>> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
>>
>> Shared Requested Signature Algorithms:
>> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
>>
>> Peer signing digest: SHA256
>> Peer signature type: RSA-PSS
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 4673 bytes and written 419 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>     Protocol  : TLSv1.3
>>     Cipher    : TLS_AES_256_GCM_SHA384
>>     Session-ID:
>> 48507559565B481EDF60F8822F39CD3AC13071778D475BDEA427BE9089A60AB3
>>     Session-ID-ctx:
>>     Resumption PSK:
>> 25DA4631F5DB9835B57642FE18C8264AAEE46761638972226F50395AC6FCD1E53050648DA2822DE0A670A098E7D44026
>>
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 7200 (seconds)
>>     TLS session ticket:
>>
>>     Start Time: 1635440532
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>>     Extended master secret: no
>>     Max Early Data: 0
>> ---
>> read R BLOCK
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>     Protocol  : TLSv1.3
>>     Cipher    : TLS_AES_256_GCM_SHA384
>>     Session-ID:
>> F849BFA3AB6D2F53BC6476767E5BF5694069592513A404CF23F0ADC5672EFBF4
>>     Session-ID-ctx:
>>     Resumption PSK:
>> B2A3158EBCBC425C2A3E0A6357B123EB571CFA0C09A28823CC307540453517D39F03E5CD856D554FA6A9D3F2314BD1F9
>>
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 7200 (seconds)
>>     TLS session ticket:
>>
>>     Start Time: 1635440532
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>>     Extended master secret: no
>>     Max Early Data: 0
>> ---
>> read R BLOCK
>> closed
>> _______________________________________________
>> Blink mailing list
>> Blink at lists.ag-projects.com
>> https://lists.ag-projects.com/mailman/listinfo/blink

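A simplified model of the two chain-building behaviours this thread turns on, as an added example that is not part of the original messages: a verifier that stops at the first trust anchor it recognises, and one that follows the served chain to its last issuer. Matching is by CN only with no signature checks; the function names and the ISRG Root X1 expiry are assumptions.

```python
import re
from datetime import datetime, timezone

# Chain section copied from the s_client output quoted in the thread.
S_CLIENT = """\
Certificate chain
 0 s:CN = sip2sip.info
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
UTC = timezone.utc
STORE = {  # trust anchors: CN -> notAfter
    # Expiry taken from the `openssl x509` output in the thread.
    "DST Root CA X3": datetime.strptime(
        "Sep 30 14:01:15 2021 GMT", "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC),
    # Assumption: constructed placeholder expiry, not a value from the page.
    "ISRG Root X1": datetime(2035, 1, 1, tzinfo=UTC),
}
POSTED = datetime(2021, 11, 2, 19, 42, 59, tzinfo=UTC)  # 20:42:59 CET

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    cns = re.findall(r"^\s*(?:\d+ s|i):.*?CN = (.+)$", text, re.M)
    return list(zip(cns[0::2], cns[1::2]))

def anchor_ok(cn, store, now):
    """True if cn is a trust anchor in the store and has not expired."""
    return cn in store and store[cn] > now

def verify(chain, store, now, trusted_first):
    """Return (ok, anchor_cn) for the served chain under one of the two strategies."""
    if trusted_first:
        # Stop at the first cert that is, or is issued by, a valid local anchor.
        for subject, issuer in chain:
            for cn in (subject, issuer):
                if anchor_ok(cn, store, now):
                    return True, cn
    # Otherwise (or if nothing matched) the last served issuer must be a valid anchor.
    top = chain[-1][1]
    return anchor_ok(top, store, now), top

if __name__ == "__main__":
    chain = parse_chain(S_CLIENT)
    for mode in (True, False):
        print("trusted_first" if mode else "served_chain",
              verify(chain, STORE, POSTED, mode))
```

The trusted-first result corresponds to the quoted `s_client` run, which ends at `depth=2 ... CN = ISRG Root X1` with `verify return:1`.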
