Hello,

It seems that /etc/pki/tls/certs/ca-bundle.crt contains an expired certificate for the CA AddTrust AB (expiration is 30/05/2020 10:48 UTC). This leads gnutls to deny the connection to some sites when this certificate is used in the certificate validation chain.

  cat /etc/pki/tls/certs/ca-bundle.crt | egrep -i -A 20 "AddTrust External CA Root"
  Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
  Validity
      Not Before: May 30 10:48:38 2000 GMT
      Not After : May 30 10:48:38 2020 GMT

When testing access to a web radio using Clementine or VLC, which rely on gnutls to establish the TLS connection, this fails (I didn't see an option in Clementine to add an exception to allow the connection).

A test with gnutls-cli shows the issue:

  gnutls-cli ais-live.cloud-services.paris
  Processed 153 CA certificate(s).
  Resolving 'ais-live.cloud-services.paris:443'...
  Connecting to '178.255.129.140:443'...
  - Certificate type: X.509
  - Got a certificate list of 3 certificates.
  - Certificate[0] info:
   - subject `CN=*.cloud-services.paris,OU=Gandi Standard Wildcard SSL,OU=Domain Control Validated', issuer `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', serial 0x00ec58b327f211a632e15de95e59afaa98, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-12-06 00:00:00 UTC', expires `2021-02-12 23:59:59 UTC'
  [....]
  - Certificate[1] info:
   - subject `CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x05e4dc3b9438ab3b8597cba6a19850e3, RSA key 2048 bits, signed using RSA-SHA384, activated `2014-09-12 00:00:00 UTC', expires `2024-09-11 23:59:59 UTC'
  [...]
  - Certificate[2] info:
   - subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC'
  [...]
  - Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
  *** PKI verification of server certificate failed...
  *** Fatal error: Error in the certificate.

Removing lines 366 to 536, which contain the CA certificates, allows the program to run normally again. But I don't know what the impact of removing these lines is.

The CA is also in the Mozilla certdata.txt file, as it appears in Firefox (but doesn't block the TLS connection).
Summary: Expired CA certificate might cause tls connexion using gnutls to be established => Expired CA certificate might cause tls connexion using gnutls to be not established
CC: (none) => rolfpedersen
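A stdlib-only audit for the bundle problem described in the report above, added here as an example; it is not code from the bug thread, the reporter, or the rootcerts package. It splits a PEM bundle into certificates, walks just enough DER to reach tbsCertificate.validity and the subject CN, and lists every certificate whose notAfter has already passed, which is exactly the check that would have flagged the AddTrust External CA Root entry on 2020-05-30. The function names (expired_certs, cert_info, fake_cert_pem) and the two unsigned certificate shells in SAMPLE_BUNDLE are constructed for this example; the sample is not real CA data.

```python
"""Audit a PEM CA bundle for expired certificates (stdlib only; constructed example)."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


def pem_to_der(bundle_text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    for body in PEM_RE.findall(bundle_text):
        yield base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Return [(tag, value), ...] for the elements of a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def common_name(name_value):
    """Pull the CN attribute out of a DER Name (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn in children(name_value):
        for _, ava in children(rdn):
            parts = children(ava)
            if parts and parts[0][1] == OID_CN:
                return parts[1][1].decode("utf-8", "replace")
    return "<no CN>"


def cert_info(der):
    """Return (subject CN, notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = children(children(cert)[0][1])    # the fields of tbsCertificate
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # then: serial, signature alg, issuer, validity, subject, spki, ...
    validity, subject = fields[3][1], fields[4][1]
    (t1, nb), (t2, na) = children(validity)
    return common_name(subject), parse_time(t1, nb), parse_time(t2, na)


def expired_certs(bundle_text, now=None):
    """Return [(CN, notAfter)] for every certificate whose notAfter is before now."""
    now = now or datetime.now(timezone.utc)
    return [(cn, na) for cn, _, na in map(cert_info, pem_to_der(bundle_text)) if na < now]


# --- constructed fixtures: unsigned X.509 shells, NOT real CA certificates ---
def _tlv(tag, body):
    """Encode one DER TLV; only needed to build the sample bundle below."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def fake_cert_pem(cn, not_before, not_after):
    """Build a structurally valid certificate with the given CN and UTCTime validity."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name + validity + name + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# One root that expired 2020-05-30 10:48:38 UTC (the AddTrust date), one still valid.
SAMPLE_BUNDLE = (fake_cert_pem("Expired Test Root", "000530104838Z", "200530104838Z")
                 + fake_cert_pem("Current Test Root", "200101000000Z", "381231235959Z"))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for cn, na in expired_certs(text):
        print(f"EXPIRED {na:%Y-%m-%d %H:%M:%S} UTC  {cn}")
```

Save it under any name and run it with the bundle path as the argument (for example /etc/pki/tls/certs/ca-bundle.crt) to list expired entries; without an argument it scans the constructed sample. An expired entry in the bundle is only a warning sign, not proof of breakage: what the report shows is that a server sending the expired cross-signed certificate as Certificate[2] is rejected by gnutls when the bundle still carries the expired root, and whether dropping it is safe depends on the bundle also containing a still-valid path for the same CA. That is the question the maintainers answer later in this thread with the rootcerts/nss update.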
@Nicolas Thank you for reporting this, and the thorough evidence. This SRPM has no registered maintainer, so assigning the bug globally; CC'ing DavidW who is the main committer.
Source RPM: rootcerts-20191126.00-2.mga7 => rootcerts-20191126.00-2.mga7.src.rpm
CC: (none) => luigiwalser
Assignee: bugsquad => pkg-bugs
Should be fixed by the upcoming rootcerts/nss update.
Depends on: (none) => 26711
CC: (none) => boulshet
Depends on: (none) => 26828
Depends on: 26711 => (none)
Fixed in: https://advisories.mageia.org/MGASA-2020-0274.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED