[lug] Understanding a SSL/TLS Certificate Issue

David Stearns stearns at dhyw.com
Thu Jun 18 14:43:44 MDT 2020


First easy thing to check: make sure your system time is correct. Assuming
that's fine, I'd hazard a guess and say your CA store is an old version,
and the root CA was re-issued recently.

My investigation is based on the TLS chain from 443 on www.cotse.net. Since
you're using email, it's possible you're using a different cert and might
need to repeat my debugging at the end of this message to get a different
result.



For the trust chain to work, it needs to terminate at a CA cert your
machine trusts. Usually this is part of the system trust store, but some
applications (most commonly browsers) have their own trust stores as well.

For this chain, the root CA (identified by finding the issuer for the first
intermediate cert in the chain supplied by the server) is C = US, ST = New
Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA
Certification Authority. On my system, running fairly recently updated Arch
linux, that CA has a validity
"Not After : Jan 18 23:59:59 2038 GMT".

Looking at the rest of the intermediates and server cert, supplied as part
of the connection setup, they all expire after today as well.

Server (leaf) cert: Not After : Apr 17 23:59:59 2021 GMT
Intermediate 1: Not After : Dec 31 23:59:59 2030 GMT
Root (on my system): Not After : Jan 18 23:59:59 2038 GMT



You can verify this with the following:
First, let's get the full chain from the server.

$ openssl s_client -connect www.cotse.net:443 | openssl x509 -out chain.pem -CA ~/UserTrustRoot.pem
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = www.cotse.net
verify return:1
unable to load certificate
140107587052864:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
^C
[craisis@craisis-p1 Downloads]$ openssl s_client -host www.cotse.net -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=2 C = US,  ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = www.cotse.net
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = www.cotse.net
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = www.cotse.net

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3963 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F1F0170F93CF71F6A3D83572313BB07132051FB05717E0CA0E8C46CB3F4ED81A
    Session-ID-ctx:
    Master-Key: A6B078B66C4AEC171BE8F046A1A7AC566A11C9D3677DC74C92CA1D925945613CA39A3A5D5640B940070B578934F6BEA9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a7 bb fe 40 78 ed 55 85-95 d9 60 7d ca 07 54 8c   ...@x.U...`}..T.
    0010 - 36 1f 7f 6e 1e cb 9e 17-78 db 7c ae 69 48 b7 2b   6..n....x.|.iH.+
    0020 - 63 75 f7 23 be 62 6c f5-06 42 cc 9d 17 1f 70 6b   cu.#.bl..B....pk
    0030 - 9a 9c 1e cf 46 e8 22 d9-00 6b 39 3a 89 8b 41 f2   ....F."..k9:..A.
    0040 - b0 ef c3 9d 43 b6 83 6f-b7 42 0b df f7 fc 76 70   ....C..o.B....vp
    0050 - 9c 8a 2d 95 71 31 83 42-7d 97 02 22 60 38 7b 94   ..-.q1.B}.."`8{.
    0060 - 54 e1 34 5a 8d 8c 59 a2-31 0a f6 6f 3e b4 77 81   T.4Z..Y.1..o>.w.
    0070 - 43 65 66 e7 65 7f 10 e8-ca 37 57 b7 56 da 7b db   Cef.e....7W.V.{.
    0080 - 85 56 20 77 ee 8c d8 e4-fa d5 f9 6d 33 8e e3 74   .V w.......m3..t
    0090 - da 92 0a 44 18 98 5e ca-2c 98 bb aa 9f dc 2b ad   ...D..^.,.....+.
    00a0 - 8b 1c 6e 61 8d 82 8a cf-08 87 92 d2 b8 08 8f 0c   ..na............
    00b0 - 19 66 4c 95 ac 3c 79 0c-54 7e c0 de c9 f3 c2 f5   .fL..<y.T~......
    00c0 - 61 54 19 3c 27 dc 0a 9e-3e 04 c3 66 b3 47 fa a2   aT.<'...>..f.G..

    Start Time: 1592512439
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


From this, we can see that the issuer for the first intermediate is "CN =
USERTrust RSA Certification Authority".

I checked this against /etc/ssl/certs/ca-certificates.crt (your mileage may
vary depending on your distro and client application; for example, Java is
notorious for maintaining its own CA store and ignoring the system
CAs).

I extracted the UserTrust RSA CA from ca-certificates.crt (using vim,
just searched for "USERTrust RSA" and copied it into a new file), and checked
the validity time using openssl:

$ openssl x509 -CA UserTrustRoot.pem -in -text -noout
Can't open -text for reading, No such file or directory
140551111132480:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:69:fopen('-text','r')
140551111132480:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:76:
unable to load certificate
[craisis@craisis-p1 ~]$ openssl x509 -in UserTrustRoot.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
        Validity
            Not Before: Feb  1 00:00:00 2010 GMT
            Not After : Jan 18 23:59:59 2038 GMT
        Subject: C = US, ST = New Jersey, L = Jersey City, O = The
USERTRUST Network, CN = USERTrust RSA Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:80:12:65:17:36:0e:c3:db:08:b3:d0:ac:57:0d:
                    76:ed:cd:27:d3:4c:ad:50:83:61:e2:aa:20:4d:09:
                    2d:64:09:dc:ce:89:9f:cc:3d:a9:ec:f6:cf:c1:dc:
                    f1:d3:b1:d6:7b:37:28:11:2b:47:da:39:c6:bc:3a:
                    19:b4:5f:a6:bd:7d:9d:a3:63:42:b6:76:f2:a9:3b:
                    2b:91:f8:e2:6f:d0:ec:16:20:90:09:3e:e2:e8:74:
                    c9:18:b4:91:d4:62:64:db:7f:a3:06:f1:88:18:6a:
                    90:22:3c:bc:fe:13:f0:87:14:7b:f6:e4:1f:8e:d4:
                    e4:51:c6:11:67:46:08:51:cb:86:14:54:3f:bc:33:
                    fe:7e:6c:9c:ff:16:9d:18:bd:51:8e:35:a6:a7:66:
                    c8:72:67:db:21:66:b1:d4:9b:78:03:c0:50:3a:e8:
                    cc:f0:dc:bc:9e:4c:fe:af:05:96:35:1f:57:5a:b7:
                    ff:ce:f9:3d:b7:2c:b6:f6:54:dd:c8:e7:12:3a:4d:
                    ae:4c:8a:b7:5c:9a:b4:b7:20:3d:ca:7f:22:34:ae:
                    7e:3b:68:66:01:44:e7:01:4e:46:53:9b:33:60:f7:
                    94:be:53:37:90:73:43:f3:32:c3:53:ef:db:aa:fe:
                    74:4e:69:c7:6b:8c:60:93:de:c4:c7:0c:df:e1:32:
                    ae:cc:93:3b:51:78:95:67:8b:ee:3d:56:fe:0c:d0:
                    69:0f:1b:0f:f3:25:26:6b:33:6d:f7:6e:47:fa:73:
                    43:e5:7e:0e:a5:66:b1:29:7c:32:84:63:55:89:c4:
                    0d:c1:93:54:30:19:13:ac:d3:7d:37:a7:eb:5d:3a:
                    6c:35:5c:db:41:d7:12:da:a9:49:0b:df:d8:80:8a:
                    09:93:62:8e:b5:66:cf:25:88:cd:84:b8:b1:3f:a4:
                    39:0f:d9:02:9e:eb:12:4c:95:7c:f3:6b:05:a9:5e:
                    16:83:cc:b8:67:e2:e8:13:9d:cc:5b:82:d3:4c:b3:
                    ed:5b:ff:de:e5:73:ac:23:3b:2d:00:bf:35:55:74:
                    09:49:d8:49:58:1a:7f:92:36:e6:51:92:0e:f3:26:
                    7d:1c:4d:17:bc:c9:ec:43:26:d0:bf:41:5f:40:a9:
                    44:44:f4:99:e7:57:87:9e:50:1f:57:54:a8:3e:fd:
                    74:63:2f:b1:50:65:09:e6:58:42:2e:43:1a:4c:b4:
                    f0:25:47:59:fa:04:1e:93:d4:26:46:4a:50:81:b2:
                    de:be:78:b7:fc:67:15:e1:c9:57:84:1e:0f:63:d6:
                    e9:62:ba:d6:5f:55:2e:ea:5c:c6:28:08:04:25:39:
                    b8:0e:2b:a9:f2:4c:97:1c:07:3f:0d:52:f5:ed:ef:
                    2f:82:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha384WithRSAEncryption
         5c:d4:7c:0d:cf:f7:01:7d:41:99:65:0c:73:c5:52:9f:cb:f8:
         cf:99:06:7f:1b:da:43:15:9f:9e:02:55:57:96:14:f1:52:3c:
         27:87:94:28:ed:1f:3a:01:37:a2:76:fc:53:50:c0:84:9b:c6:
         6b:4e:ba:8c:21:4f:a2:8e:55:62:91:f3:69:15:d8:bc:88:e3:
         c4:aa:0b:fd:ef:a8:e9:4b:55:2a:06:20:6d:55:78:29:19:ee:
         5f:30:5c:4b:24:11:55:ff:24:9a:6e:5e:2a:2b:ee:0b:4d:9f:
         7f:f7:01:38:94:14:95:43:07:09:fb:60:a9:ee:1c:ab:12:8c:
         a0:9a:5e:a7:98:6a:59:6d:8b:3f:08:fb:c8:d1:45:af:18:15:
         64:90:12:0f:73:28:2e:c5:e2:24:4e:fc:58:ec:f0:f4:45:fe:
         22:b3:eb:2f:8e:d2:d9:45:61:05:c1:97:6f:a8:76:72:8f:8b:
         8c:36:af:bf:0d:05:ce:71:8d:e6:a6:6f:1f:6c:a6:71:62:c5:
         d8:d0:83:72:0c:f1:67:11:89:0c:9c:13:4c:72:34:df:bc:d5:
         71:df:aa:71:dd:e1:b9:6c:8c:3c:12:5d:65:da:bd:57:12:b6:
         43:6b:ff:e5:de:4d:66:11:51:cf:99:ae:ec:17:b6:e8:71:91:
         8c:de:49:fe:dd:35:71:a2:15:27:94:1c:cf:61:e3:26:bb:6f:
         a3:67:25:21:5d:e6:dd:1d:0b:2e:68:1b:3b:82:af:ec:83:67:
         85:d4:98:51:74:b1:b9:99:80:89:ff:7f:78:19:5c:79:4a:60:
         2e:92:40:ae:4c:37:2a:2c:c9:c7:62:c8:0e:5d:f7:36:5b:ca:
         e0:25:25:01:b4:dd:1a:07:9c:77:00:3f:d0:dc:d5:ec:3d:d4:
         fa:bb:3f:cc:85:d6:6f:7f:a9:2d:df:b9:02:f7:f5:97:9a:b5:
         35:da:c3:67:b0:87:4a:a9:28:9e:23:8e:ff:5c:27:6b:e1:b0:
         4f:f3:07:ee:00:2e:d4:59:87:cb:52:41:95:ea:f4:47:d7:ee:
         64:41:55:7c:8d:59:02:95:dd:62:9d:c2:b9:ee:5a:28:74:84:
         a5:9b:b7:90:c7:0c:07:df:f5:89:36:74:32:d6:28:c1:b0:b0:
         0b:e0:9c:4c:c3:1c:d6:fc:e3:69:b5:47:46:81:2f:a2:82:ab:
         d3:63:44:70:c4:8d:ff:2d:33:ba:ad:8f:7b:b5:70:88:ae:3e:
         19:cf:40:28:d8:fc:c8:90:bb:5d:99:22:f5:52:e6:58:c5:1f:
         88:31:43:ee:88:1d:d7:c6:8e:3c:43:6a:1d:a7:18:de:7d:3d:
         16:f1:62:f9:ca:90:a8:fd


That shows the 2038 expiry date.


You can use the same OpenSSL command to check the details of the TLS chain
you got from the openssl s_client command.

If, on your system, the root expired earlier, then your ca-certificates.crt
file is out of date (or your system's or application's equivalent CA store).

Hope this helped.

-DS
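The procedure in the reply above (compare every certificate's Not After with today, then find the issuer of the last server-supplied certificate in the local trust store) and the symptom in the original post (a third certificate in the SMTP chain that expired on May 30 while the leaf itself is still valid), as an added example that is not code from the thread. It builds a throwaway PKI in memory with constructed names and fresh keys (a "Test Root CA 2010", a "Test Legacy Root 2000" that expired on 2020-05-30, a cross-signed copy of the 2010 root issued by the legacy root, an issuing CA and a leaf for mail.example.test; every name, date and key here is an assumption, and no real CA material is used). It then builds the chain two ways: once as a verifier without alternative-chain building does it, following the server-supplied certificates before consulting the trust store and never backtracking, and once with Go's verifier, which accepts the leaf if any path reaches a valid root:

```go
// Editor's added example, not code from the thread: a throwaway in-memory PKI with constructed names.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrExpired, ErrNoIssuer = errors.New("certificate has expired"), errors.New("unable to get local issuer certificate")
var serial int64

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// mkCert issues a cert for key, signed by parent/parentKey (self-signed when parent is nil).
func mkCert(cn string, key, parentKey *ecdsa.PrivateKey, parent *x509.Certificate, from, to time.Time, ca bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from,
		NotAfter: to, IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if !ca { tmpl.KeyUsage = x509.KeyUsageDigitalSignature }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// testPKI mirrors the thread: a current root, a legacy root that expired 2020-05-30, the chain a web server sends (leaf + intermediate) and the mail server's (plus a cross-signed root).
type testPKI struct{ RootNew, RootOld *x509.Certificate; Chain443, ChainSMTP []*x509.Certificate }

func buildPKI() *testPKI {
	gen := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	kNew, kOld, kInt, kLeaf := gen(), gen(), gen(), gen()
	rootNew := mkCert("Test Root CA 2010", kNew, nil, nil, day(2010, 2, 1), day(2038, 1, 18), true)
	rootOld := mkCert("Test Legacy Root 2000", kOld, nil, nil, day(2000, 5, 30), day(2020, 5, 30), true)
	// Cross-signed copy of the 2010 root: same subject and key, but issued by the legacy root and expiring with it.
	cross := mkCert("Test Root CA 2010", kNew, kOld, rootOld, day(2010, 2, 1), day(2020, 5, 30), true)
	inter := mkCert("Test DV Issuing CA", kInt, kNew, rootNew, day(2018, 11, 2), day(2030, 12, 31), true)
	leaf := mkCert("mail.example.test", kLeaf, kInt, inter, day(2019, 1, 18), day(2021, 4, 17), false)
	return &testPKI{rootNew, rootOld, []*x509.Certificate{leaf, inter}, []*x509.Certificate{leaf, inter, cross}}
}

// expired is the reply's manual "Not After" comparison, applied to every cert in a chain.
func expired(certs []*x509.Certificate, now time.Time) (out []string) {
	for _, c := range certs {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) { out = append(out, c.Subject.CommonName) }
	}
	return out
}

// issuerOf returns the first cert in pool, other than c itself, whose key actually signed c.
func issuerOf(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool {
		if !p.Equal(c) && p.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(p) == nil { return p }
	}
	return nil
}

// walkServerOrder models a verifier that extends the path from the server-supplied certs first and consults the
// trust store only when they run out, never backtracking (OpenSSL before alternative-chain building; 1.0.1f predates it).
func walkServerOrder(supplied []*x509.Certificate, now time.Time, store ...*x509.Certificate) (path []string, err error) {
	for cur := supplied[0]; len(path) < 8; {
		path = append(path, cur.Subject.CommonName)
		if len(expired([]*x509.Certificate{cur}, now)) > 0 {
			return path, fmt.Errorf("%w: depth %d %q, Not After %s", ErrExpired, len(path)-1, cur.Subject.CommonName, cur.NotAfter.Format("2006-01-02"))
		}
		for _, s := range store { if s.Equal(cur) { return path, nil } } // reached a trust anchor
		next := issuerOf(cur, supplied)                                  // the server's list first ...
		if next == nil { next = issuerOf(cur, store) }                   // ... the trust store only when that runs out
		if next == nil {
			return path, fmt.Errorf("%w: depth %d %q", ErrNoIssuer, len(path)-1, cur.Subject.CommonName)
		}
		cur = next
	}
	return path, fmt.Errorf("%w: chain too long", ErrNoIssuer)
}

// verifyAnyPath uses Go's verifier, which tries every candidate issuer and accepts the leaf if any path ends at a valid trusted root.
func verifyAnyPath(supplied []*x509.Certificate, now time.Time, store ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store { roots.AddCert(c) }
	for _, c := range supplied[1:] { inters.AddCert(c) }
	_, err := supplied[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

func main() {
	p, now := buildPKI(), day(2020, 6, 18)
	fmt.Println("expired:", expired(p.ChainSMTP, now), "| any-path:", verifyAnyPath(p.ChainSMTP, now, p.RootNew, p.RootOld))
	fmt.Println(walkServerOrder(p.ChainSMTP, now, p.RootNew, p.RootOld))
}
```

In this model the server-order walk succeeds on the two-certificate chain a web server sends and fails with ErrExpired at the cross-signed root on the three-certificate chain, whether or not the legacy root is still in the store (pruning the store does not help a verifier that takes the server's cross-signed cert first), while the any-path verifier accepts the same chain through the current root. To collect a real chain from a mail server for the same date checks, use `openssl s_client -connect host:587 -starttls smtp -showcerts` (or port 25 or 465 as appropriate) rather than port 443, since the mail service may send a different chain than the web server, and run each PEM block through `openssl x509 -noout -subject -issuer -dates`.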


On Thu, Jun 18, 2020 at 1:14 PM Jed S. Baer <blug at jbaer.cotse.net> wrote:

> Hi Everyone.
>
> I'm having some e-mail trouble, stemming from an apparently expired
> upstream certificate from my mail provider. They haven't told me,
> specifically, whether they think their cert is OK, and why.
>
> MUA is Sylpheed 3.4.2, openssl is 1.0.1f. Yes, I know, it's old. Before I
> run off in some direction, what I would like to know is whether the
> problem is really on my end, or the certificate from my mail service is
> the problem.
>
> The symptom: on sending, my MUA gives me this error:
> > The SSL certificate of www.cotse.net cannot be verified by the
> > following reason: certificate has expired
> >
> > Subject: /OU=Domain Control Validated/OU=PositiveSSL
> > Multi-Domain/CN=www.cotse.net Issuer: /C=GB/ST=Greater
> > Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation
> > Secure Server CA Issued date: Jan 18 00:00:00 2019 GMT Expire date: Apr
> > 17 23:59:59 2021 GMT
> >
> > SHA1 fingerprint:
> > 75:64:50:68:65:5F:74:2D:BE:7B:CF:6A:F0:F2:AE:1D:F4:FF:C2:6F MD5
> > fingerprint: 62:7F:D1:B3:A4:FF:49:8D:AF:31:93:17:8F:F0:4D:5B
>
> I can send mail only by clicking "allow" every time.
>
> The COTSE certificate itself has an expiry date in the future, however,
> it appears that the C2 cert in the chain expired on May 30th. I conclude
> that openssl/TLS is rejecting it for that reason.
>
> I checked the cert using sslchecker.com:
> http://www.sslchecker.com/sslchecker?su=31414a6cb870fa05c86bcf7dee836592
>
> I'm not sure what to make of the "missing" label for the root cert, since
> the download button produces output - Verizon, expired 11/2016. (But
> then, Firefox tells me it has "permanent" certificates with expiry dates
> further back than that.)
>
> I captured the SMTP traffic using wireshark, and only 3 certificates are
> presented, not 4 as shown at sslchecker. I suppose there's a reason for
> that, but it's a curiosity I guess, unless it isn't.
>
> Here is some supporting stuff:
>  - http://jbaer.cotse.net/docs/cotse_smtp_ws_capture.pcapng (wireshark
> capture)
>  - http://jbaer.cotse.net/images/coste_cert_capture_smtp.png (screencap
> showing expired cert)
>
> So, is it a problem with my end or their end?
>
> Thanks in advance.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety