Topics - KHE

#1
After having issues with both updating OPNsense and DNS over TLS it seems to me that there is an issue with LE certificates.

[admin@OPNsense ~]$ fetch -o mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
5843273977856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.routerperformance.net/mimugmail.conf: Authentication error

After I remove the DST Root CA X3 certificate from /etc/ssl/certs.pem and /usr/local/etc/ssl/certs.pem I get the following:
[admin@OPNsense ~]# fetch -o mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
898400673792:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.routerperformance.net/mimugmail.conf: Authentication error

And in both places the ISRG Root X1 is valid till 2035.

Running openssl s_client -connect unicast.uncensoreddns.org:853 (using a LE cert) gives the following (shortened):
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 30 18:14:03 2024 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 15 16:00:00 2025 GMT
verify return:1
depth=0 CN = unicast.censurfridns.dk
notAfter=Nov 18 18:38:31 2021 GMT
verify return:1
---
Certificate chain
0 s:CN = unicast.censurfridns.dk
   i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
...
subject=CN = unicast.censurfridns.dk

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4404 bytes and written 409 bytes
Verification error: certificate has expired
...
KH
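Added example (not part of the post above): a small Python script that reads the depth=/notAfter= lines that openssl s_client prints, like the ones quoted in the post, and flags the expired DST Root CA X3 and the cross-signed ISRG Root X1 copy in the sent chain that should be ignored in favour of the self-signed ISRG Root X1 in the trust store. The trust-store contents and the exact 2035 expiry timestamp are assumptions; the sample input is constructed from the post's output.

```python
import re
from datetime import datetime, timezone
# Constructed sample input: the verify lines that `openssl s_client` printed in the
# post above, captured right after DST Root CA X3 expired (values copied from the post).
SAMPLE = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 30 18:14:03 2024 GMT
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 15 16:00:00 2025 GMT
depth=0 CN = unicast.censurfridns.dk
notAfter=Nov 18 18:38:31 2021 GMT
"""

# Assumed contents of the local trust store: CN of each self-signed root -> its notAfter.
# The post only says ISRG Root X1 is valid until 2035; the exact timestamp is an assumption.
TRUST_STORE = {"ISRG Root X1": datetime(2035, 6, 4, 11, 4, 38, tzinfo=timezone.utc)}

def parse_verify_output(text):
    """Return [(depth, cn, not_after)] from the depth=/notAfter= pairs s_client prints."""
    chain, depth, cn = [], None, None
    for line in text.splitlines():
        m = re.match(r"depth=(\d+) (.*)", line)
        if m:
            depth = int(m.group(1))
            cn = re.search(r"CN = ([^,]+)", m.group(2)).group(1).strip()
        elif line.startswith("notAfter=") and depth is not None:
            # OpenSSL pads single-digit days with two spaces, so normalise whitespace.
            stamp = " ".join(line[len("notAfter="):].replace("GMT", "").split())
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            chain.append((depth, cn, when))
            depth = None
    return chain

def audit_chain(chain, trust_store, now):
    """Flag expired chain members and cross-signed copies of a root the store holds self-signed."""
    findings = []
    for depth, cn, not_after in chain:
        if not_after <= now:
            findings.append((depth, cn, "expired"))
        elif cn in trust_store and trust_store[cn] > not_after:
            findings.append((depth, cn, "cross-signed copy; prefer trusted self-signed root"))
    return findings

def run_audit(text, now_iso):
    """Convenience wrapper: parse s_client output and audit it at the given ISO 8601 time."""
    return audit_chain(parse_verify_output(text), TRUST_STORE, datetime.fromisoformat(now_iso))
```

Run against the post's output with a date after 30 September 2021, it reports DST Root CA X3 as expired and the depth=2 ISRG Root X1 as a cross-signed copy; with a date before the expiry only the cross-sign note remains.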