Ticket Hash: 78b7f6c22f3003be66916ed7db0d5fabd18b4038
Title: Invalid intermediate certificate for chiselapp.com
Status: Open
Type: Incident
Severity: Important
Priority: Immediate
Subsystem:
Resolution: Open
Last Modified: 2021-11-14 15:53:47
Version Found In:
User Comments:
anonymous added on 2021-01-25 08:40:15:
(text/x-markdown)

Hello, sorry to write this report here, because I failed to find a feedback address at chiselapp.com. At this time, the intermediate CA is incorrect at chiselapp.com. OpenSSL fails to validate the certificate chain:

```
$ openssl s_client www.chiselapp.com:443
CONNECTED(00000194)
---
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
```

You can see that the CNs in these certificates don't match. Here is stderr:

```
depth=0 CN = chiselapp.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = chiselapp.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = chiselapp.com
verify return:1
```

For comparison, for the site openssl.org we have the following:

```
$ openssl s_client www.openssl.org:443 2>kogogo
CONNECTED(00000184)
---
Certificate chain
 0 s:CN = www.openssl.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
```

The CN names match here. In stderr we have no errors:

```
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.openssl.org
verify return:1
```

Interestingly, the problem doesn't arise in browsers, maybe because of caching of intermediate certs. See, for example, [here](https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/) and [there](https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/).

anonymous added on 2021-01-25 08:51:38:
(text/x-markdown)

PS: the issue arises when I use Fossil on Windows with the latest [cacert.pem](https://curl.haxx.se/ca/cacert.pem).

WBR, VZ

anonymous added on 2021-11-14 15:53:47:
(text/x-markdown)

Could be related to https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
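The mismatch the reporter spotted by eye (issuer of depth 0 is "R3", but the certificate at depth 1 is "Let's Encrypt Authority X3") can be checked mechanically. The script below is an added example, not code from the ticket or from Fossil or chiselapp: it parses the "Certificate chain" section of `openssl s_client` output and flags every link where a certificate's issuer DN differs from the subject DN of the next certificate the server sent. The two sample inputs are constructed from the sessions quoted above; `check_host` assumes `openssl` is on PATH and needs network access.

```python
import re
import subprocess

# Sample s_client output, constructed from the two sessions quoted in the ticket.
BROKEN_CHAIN = """\
---
Certificate chain
 0 s:CN = chiselapp.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
GOOD_CHAIN = """\
---
Certificate chain
 0 s:CN = www.openssl.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain = []
    lines = iter(text.splitlines())
    for line in lines:
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            mi = re.match(r"\s*i:(.*)$", next(lines, ""))
            if not mi:
                raise ValueError("no issuer line after: %s" % line.strip())
            chain.append((m.group(1).strip(), mi.group(1).strip()))
    return chain

def find_chain_gaps(chain):
    """Each cert's issuer DN should equal the next cert's subject DN; return
    (depth, issuer, next_subject) for every link where it does not. Textual DN
    comparison is an approximation of real path building, which also checks signatures."""
    return [(d, chain[d][1], chain[d + 1][0])
            for d in range(len(chain) - 1) if chain[d][1] != chain[d + 1][0]]

def check_host(host, port=443):
    """Run openssl s_client against a live host (needs network and openssl on PATH)."""
    out = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port),
                          "-servername", host], input=b"", capture_output=True,
                         timeout=15).stdout.decode(errors="replace")
    return find_chain_gaps(parse_chain(out))
```

An empty list from `find_chain_gaps` only means the presented chain links up by name; it says nothing about whether the root is in your trust store, which is the separate problem the DST Root CA X3 expiry link in the last comment points at.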