Bug 759037 - =net-libs/gnutls-3.7.0: fails to validate certificates which have multiple valid paths
Summary: =net-libs/gnutls-3.7.0: fails to validate certificates which have multiple va...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal normal
Assignee: Gentoo's Team for Core System packages
URL: https://gitlab.com/gnutls/gnutls/-/is...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-08 11:51 UTC by Thomas Deutschmann (RETIRED)
Modified: 2021-02-20 19:04 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-08 11:51:05 UTC
> $ gnutls-cli gitlab.nic.cz
> Processed 149 CA certificate(s).
> Resolving 'gitlab.nic.cz:443'...
> Connecting to '217.31.192.133:443'...
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
>  - subject `CN=gitlab.labs.nic.cz', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x043d7d8a63166e0368df867d4c584791ae65, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-16 08:03:24 UTC', expires `2021-02-14 08:03:24 UTC', pin-sha256="7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs="
> 	Public Key ID:
> 		sha1:1bb89b72e0dfd583e5cc970030310e38f7740ffa
> 		sha256:ecd066036fdd0e3277a3a4872cb6e1a0fea74eef7906120c94e406fc51934ccb
> 	Public Key PIN:
> 		pin-sha256:7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs=
> 
> - Certificate[1] info:
>  - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
> - Certificate[2] info:
>  - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
> - Status: The certificate is NOT trusted. The certificate issuer is unknown. 
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.

or

> $ gnutls-cli downloads.vivaldi.com
> Processed 131 CA certificate(s).
> Resolving 'downloads.vivaldi.com:443'...
> Connecting to '151.139.236.233:443'...
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
>  - subject `CN=downloads.vivaldi.com', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x03664d470a886028bf1731346929f11afb1c, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-12-05 05:46:54 UTC', expires `2021-03-05 05:46:54 UTC', pin-sha256="JJSX4zoTWx5oZA3XNwD1FDBVMypI/vsDEhV9ncDOBzQ="
>         Public Key ID:
>                 sha1:ab1df9dd578804288e2eee593b34e7693f793ed9
>                 sha256:249497e33a135b1e68640dd73700f5143055332a48fefb0312157d9dc0ce0734
>         Public Key PIN:
>                 pin-sha256:JJSX4zoTWx5oZA3XNwD1FDBVMypI/vsDEhV9ncDOBzQ=
> 
> - Certificate[1] info:
>  - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x400175048314a4c8218c84a90c16cddf, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-10-07 19:21:40 UTC', expires `2021-09-29 19:21:40 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
> - Certificate[2] info:
>  - subject `CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE', issuer `CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE', serial 0x040000000001444ef04247, RSA key 2048 bits, signed using RSA-SHA256, activated `2014-02-20 10:00:00 UTC', expires `2024-02-20 10:00:00 UTC', pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> 

In short: Any newer Let's Encrypt certificate using the new LE root certificate will be affected.
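The two transcripts above only show the symptom: in the first run the intermediate is sent twice, in the second the server appends an unrelated GlobalSign intermediate, and in both cases a path to DST Root CA X3 exists. As an added illustration (not gnutls code and not part of the bug report), the Python below models the chain-building behaviour a verifier needs here: it deduplicates the server-supplied certificates, then searches the remaining pool for any issuer path ending at a trusted root, with backtracking so that several cross-signed paths are tolerated. The trust store contents, the `Cert` record (subject, issuer and the pin-sha256 values transcribed from the report, with no signature checks) and the cross-signed `LE_R3_CROSS` record with its "Example Other Root" are all constructed assumptions for the example; the `lint_chain` helper is the operator-side check for the duplicate and unused certificates seen in the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: subject, issuer and the pin-sha256 of the
    public key, copied from the gnutls-cli output in the report.  There is no
    signature checking in this toy; only the path-building logic is shown."""
    subject: str
    issuer: str
    pin: str


# Hypothetical trust store: subject names of the roots the verifier trusts.
TRUSTED_ROOTS = {"CN=DST Root CA X3,O=Digital Signature Trust Co."}


def dedupe(chain):
    """Drop repeated certificates, keeping order and first occurrence.
    A real verifier would compare DER encodings; the frozen dataclass's
    equality stands in for that here (cross-signed certificates with the same
    key but a different issuer are NOT duplicates and are kept)."""
    seen, out = set(), []
    for cert in chain:
        if cert not in seen:
            seen.add(cert)
            out.append(cert)
    return out


def find_path(chain, trusted_roots=TRUSTED_ROOTS):
    """Return the certificates from the leaf (chain[0]) up to the one whose
    issuer is a trusted root, or None if no such path exists.  The chain is
    treated as an unordered pool of candidates and every issuer link is tried
    with backtracking, so duplicates, unrelated extras and several
    cross-signed paths are all tolerated instead of failing validation."""
    pool = dedupe(chain)
    if not pool:
        return None

    def walk(cert, path):
        if cert.issuer in trusted_roots:
            return path
        for cand in pool:
            # 'cand not in path' guards against issuer loops in a bad chain.
            if cand.subject == cert.issuer and cand not in path:
                found = walk(cand, path + [cand])
                if found is not None:
                    return found
        return None

    return walk(pool[0], [pool[0]])


def lint_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """Operator-facing hygiene report: duplicate certificates, certificates
    that take part in no path to a trusted root, or no path at all."""
    issues = []
    unique = dedupe(chain)
    if len(unique) != len(chain):
        issues.append(f"{len(chain) - len(unique)} duplicate certificate(s) sent")
    path = find_path(chain, trusted_roots)
    if path is None:
        issues.append("no path to a trusted root")
    else:
        issues.extend(f"unused certificate: {c.subject}" for c in unique if c not in path)
    return issues


# --- Sample chains, transcribed from the two gnutls-cli runs in the report ---
DST_ROOT = "CN=DST Root CA X3,O=Digital Signature Trust Co."
LE_X3 = Cert("CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US", DST_ROOT,
             "YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=")
GITLAB_CHAIN = [
    Cert("CN=gitlab.labs.nic.cz", LE_X3.subject, "7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs="),
    LE_X3,
    LE_X3,  # the intermediate is sent twice, exactly as in the report
]

LE_R3 = Cert("CN=R3,O=Let's Encrypt,C=US", DST_ROOT, "jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=")
GLOBALSIGN_G2 = Cert("CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE",
                     "CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE",
                     "IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4=")
VIVALDI_CHAIN = [
    Cert("CN=downloads.vivaldi.com", LE_R3.subject, "JJSX4zoTWx5oZA3XNwD1FDBVMypI/vsDEhV9ncDOBzQ="),
    LE_R3,
    GLOBALSIGN_G2,  # unrelated intermediate, also as in the report
]

# Constructed (not from the report): a cross-signed R3 with the same key but a
# second issuer, giving the leaf two valid paths depending on which root is trusted.
OTHER_ROOT = "CN=Example Other Root (constructed)"
LE_R3_CROSS = Cert(LE_R3.subject, OTHER_ROOT, LE_R3.pin)
CROSS_SIGNED_CHAIN = [VIVALDI_CHAIN[0], LE_R3, LE_R3_CROSS]


if __name__ == "__main__":
    for name, chain in [("gitlab", GITLAB_CHAIN), ("vivaldi", VIVALDI_CHAIN)]:
        path = find_path(chain)
        print(name, "->", [c.subject for c in path] if path else None, lint_chain(chain))
    print("cross-signed, only other root trusted ->",
          [c.issuer for c in find_path(CROSS_SIGNED_CHAIN, {OTHER_ROOT})])
```

Run as a script it prints the path found for each chain together with the lint findings; for both chains from the report the leaf validates through a two-certificate path, the duplicate and the unrelated GlobalSign certificate are reported rather than treated as errors, and with only the constructed second root trusted the search backtracks onto the cross-signed intermediate.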
Comment 1 Larry the Git Cow gentoo-dev 2020-12-08 11:53:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1c7d251838e402f4df6c95c29d8dc8a1fe27d84

commit e1c7d251838e402f4df6c95c29d8dc8a1fe27d84
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-08 11:51:37 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-08 11:53:06 +0000

    profiles: p.mask =net-libs/gnutls-3.7.0
    
    Fails to validate certificates which have more than one valid trust path,
    i.e. new LE root certificate.
    
    Bug: https://bugs.gentoo.org/759037
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2021-02-19 23:55:38 UTC
Upstream fix:

https://gitlab.com/gnutls/gnutls/-/commit/4e7cc1e23824eac92382d615ce41bf56e85dfbd1.patch
Comment 3 Larry the Git Cow gentoo-dev 2021-02-20 19:04:23 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c14a846f98e90712f3db8cb838706fc26224e5e2

commit c14a846f98e90712f3db8cb838706fc26224e5e2
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-02-20 19:03:31 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-02-20 19:04:19 +0000

    net-libs/gnutls: ignore duplicate certificates
    
    Closes: https://bugs.gentoo.org/759037
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...nutls-3.7.0-ignore-duplicate-certificates.patch | 403 +++++++++++++++++++++
 ...{gnutls-3.7.0.ebuild => gnutls-3.7.0-r1.ebuild} |   2 +
 profiles/package.mask                              |   5 -
 3 files changed, 405 insertions(+), 5 deletions(-)