#178 cloud.centos.org certificate is invalid
Closed: Fixed 3 years ago by arrfab. Opened 3 years ago by martinpitt.

$ curl -L https://cloud.centos.org/centos/7/images/
curl: (60) SSL certificate problem: unable to get local issuer certificate

Oops, it's obviously not expired. And yet https downloads still worked this morning, and now they fail. So something regressed with the certificate; I just can't put my finger on it yet.

So cloud.centos.org sends a chain with (1) the actual certificate:

    Data:
        Version: 3 (0x2)
        Serial Number:
            03:d7:1b:be:db:60:0b:7a:71:01:cc:a6:da:6a:6f:7a:f7:2a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jan  4 06:38:29 2021 GMT
            Not After : Apr  4 06:38:29 2021 GMT
        Subject: CN = cloud.centos.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:98:e8:b5:8a:9d:42:c5:55:9a:45:03:f3:e5:e3:
                    e3:e3:1a:90:fe:10:b3:68:2a:0e:dd:cf:8c:7b:c5:
                    a3:ee:f0:55:61:c7:c1:15:2a:fc:64:3a:56:81:a7:
                    5a:c3:90:96:5e:a4:f0:1a:b4:4d:e7:01:88:b8:b8:
                    f4:0c:08:2d:09:57:a7:bb:c7:61:6b:9e:e1:0a:14:
                    75:a4:79:6f:3a:06:97:60:39:b7:ea:2b:24:d7:4c:
                    ba:b8:50:60:d2:a7:35:9e:4c:01:e2:c4:3c:c5:fe:
                    97:89:89:ba:9d:56:f3:a3:a1:95:8d:5d:dd:7e:4b:
                    24:83:8a:24:d4:39:fe:ad:8c:67:12:09:72:f4:af:
                    ce:b4:69:ff:d1:0f:be:26:dc:e2:c2:2b:61:00:a5:
                    9b:86:22:54:fe:4e:7e:f9:e7:52:0e:7a:0e:e1:5a:
                    43:4b:87:fe:98:62:e0:66:df:3f:63:ff:9e:c5:02:
                    47:74:26:40:ff:b7:73:c8:6a:f7:4d:df:78:d6:ff:
                    35:f9:04:7e:e8:6d:d7:e5:40:55:df:c1:f1:d9:42:
                    d1:61:2d:fd:7d:c5:8c:5c:89:47:e0:d2:5c:b0:66:
                    97:84:52:71:92:5c:fa:06:dc:ef:0f:40:e8:82:05:
                    da:99:8d:5f:61:d5:8d:ef:1c:8b:82:58:56:98:89:
                    5f:33
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                6A:5D:2D:02:55:42:82:97:D5:36:30:51:37:4A:23:D4:5F:D3:87:35
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:buildlogs.centos.org, DNS:cloud.centos.org
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:
                                D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
                    Timestamp : Jan  4 07:38:30.027 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:DA:7B:01:84:77:C1:BA:19:8E:5C:36:
                                EE:94:9B:1D:CF:B6:29:E6:68:26:80:DC:90:C0:05:F7:
                                67:A4:BD:0C:71:02:20:67:8A:AD:13:AE:02:EC:5B:2E:
                                37:04:28:9F:CC:26:3A:59:AE:4E:4D:73:64:A4:A7:04:
                                AD:CE:B8:E9:1B:A8:C7
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
                                E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
                    Timestamp : Jan  4 07:38:30.032 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:CB:56:B1:A9:E2:84:EB:80:06:98:DC:
                                6E:9F:1A:3B:3B:E9:31:9A:B8:6C:9B:83:46:1A:98:EA:
                                0E:65:4A:4F:82:02:20:15:E1:B4:F0:23:8F:CD:7B:F1:
                                B7:54:A7:F7:2E:CF:73:DB:42:48:41:84:11:0A:D0:72:
                                7D:15:FF:45:A6:47:63
    Signature Algorithm: sha256WithRSAEncryption

and (2) the LetsEncrypt CA cert:

    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Mar 17 16:40:46 2016 GMT
            Not After : Mar 17 16:40:46 2021 GMT
        Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
                    68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
                    92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
                    2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
                    79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
                    0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
                    77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
                    ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
                    fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
                    7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
                    fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
                    ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
                    80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
                    25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
                    a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
                    2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
                    0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
                    c3:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Authority Information Access: 
                OCSP - URI:http://isrg.trustid.ocsp.identrust.com
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier: 
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier: 
                A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
    Signature Algorithm: sha256WithRSAEncryption

Neither is expired; the (1) cert is brand new. But I don't know where to go from here...

If I use curl with --cacert /tmp/ca, where that file is the CA PEM extracted from above, I still get an error. So at first sight the error is with the cert itself; the CA is OK.

@martinpitt : renewed LetsEncrypt certificates are now using a different intermediate CA (R3, instead of X1, see https://letsencrypt.org/certificates/) ... but let me investigate, as it was reflected in how renewed certs were pushed out (and the browser doesn't complain either).

Should be fixed, as just that one was pointing to the wrong CA chain; now (re)deployed/pushed:

$ openssl s_client -connect cloud.centos.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = cloud.centos.org
verify return:1

---
SSL handshake has read 3182 bytes and written 482 bytes
Verification: OK
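What the two dumps in the ticket show, once read side by side, is that the leaf's Issuer (`CN = R3`) and its Authority Key Identifier (`14:2E:B3:...`) do not match the intermediate that was sent with it (Subject `CN = Let's Encrypt Authority X3`, Subject Key Identifier `A8:4A:6A:...`), which is exactly the "unable to get local issuer certificate" situation curl reported. The Python script below is an added example, not code from the ticket or from CentOS infra: it parses the relevant lines of `openssl x509 -text` output for each certificate the server sends and reports any link in the chain whose issuer/subject or key identifiers do not match. The abbreviated dumps are constructed from the values pasted above; the R3 dump is hypothetical, with its Subject Key Identifier taken from the leaf's AKI keyid (which is what that field points at) and no AKI of its own, since R3's own issuer key id is not on the page.

```python
import re

# Constructed, abbreviated "openssl x509 -text" dumps with only the fields the
# chain check needs. Values are taken from the two certificates in the ticket.
LEAF_TEXT = """\
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Subject: CN = cloud.centos.org
            X509v3 Subject Key Identifier:
                6A:5D:2D:02:55:42:82:97:D5:36:30:51:37:4A:23:D4:5F:D3:87:35
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
"""

# The intermediate the server actually sent in the broken configuration (X3).
WRONG_INTERMEDIATE_TEXT = """\
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            X509v3 Authority Key Identifier:
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
            X509v3 Subject Key Identifier:
                A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
"""

# Hypothetical dump of the intermediate the leaf was really issued by (R3).
# Its SKI is the leaf's AKI keyid; its own AKI is omitted (not on the page).
RIGHT_INTERMEDIATE_TEXT = """\
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Subject: C = US, O = Let's Encrypt, CN = R3
            X509v3 Subject Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
"""


def parse_cert_text(text):
    """Pull issuer, subject, SKI and AKI keyid out of an x509 -text dump.

    Only these four fields matter for checking that adjacent certificates in
    a served chain actually link to each other. The key identifiers are hex
    strings on the line after their extension header, so we look one line
    ahead; missing extensions simply leave the key absent.
    """
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Issuer:"):
            fields["issuer"] = s[len("Issuer:"):].strip()
        elif s.startswith("Subject:"):
            fields["subject"] = s[len("Subject:"):].strip()
        elif s.startswith("X509v3 Subject Key Identifier") and i + 1 < len(lines):
            fields["ski"] = lines[i + 1].strip().upper()
        elif s.startswith("X509v3 Authority Key Identifier") and i + 1 < len(lines):
            m = re.match(r"keyid:([0-9A-Fa-f:]+)", lines[i + 1].strip())
            if m:
                fields["aki"] = m.group(1).upper()
    return fields


def check_chain(chain_texts):
    """Check that each certificate in a served chain (leaf first) is linked to
    the one after it. Returns a list of human-readable problems; an empty list
    means every issuer name matches the next subject and, where both sides
    carry key identifiers, the AKI keyid matches the next SKI.
    """
    certs = [parse_cert_text(t) for t in chain_texts]
    problems = []
    for child, parent in zip(certs, certs[1:]):
        if child.get("issuer") != parent.get("subject"):
            problems.append(
                f"issuer mismatch: '{child.get('subject')}' was issued by "
                f"'{child.get('issuer')}', but the next cert sent is "
                f"'{parent.get('subject')}'"
            )
        if "aki" in child and "ski" in parent and child["aki"] != parent["ski"]:
            problems.append(
                f"key id mismatch: '{child.get('subject')}' AKI {child['aki']} "
                f"!= next cert SKI {parent['ski']}"
            )
    return problems


if __name__ == "__main__":
    for label, chain in (("as served (broken)", [LEAF_TEXT, WRONG_INTERMEDIATE_TEXT]),
                         ("after the fix", [LEAF_TEXT, RIGHT_INTERMEDIATE_TEXT])):
        found = check_chain(chain)
        print(f"{label}: {'OK' if not found else 'BROKEN'}")
        for p in found:
            print("  -", p)
```

In practice the dumps come from the live chain, e.g. `openssl s_client -showcerts -connect host:443` piped through `openssl x509 -text -noout` per certificate; on the served chain from the ticket the check reports both an issuer mismatch and a key id mismatch, and on a chain carrying the R3 intermediate it reports nothing, which mirrors the `Verification: OK` above. Matching distinguished names as plain strings is fine for output from one openssl version; a production check should compare the DER-encoded names instead.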

Metadata Update from @arrfab:
- Issue assigned to arrfab

3 years ago

Metadata Update from @arrfab:
- Issue tagged with: centos-common-infra, low-gain, low-trouble

3 years ago

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Yay, many thanks for the super-fast fix! Confirming that it works again. :clap:

