OPNsense
Topics - KHE

21.7 Legacy Series / OPNsense cannot connect via TLS to any server with a Let's Encrypt certificate.
« on: September 30, 2021, 07:18:49 pm »
After having issues with both updating OPNsense and DNS over TLS, it seems to me that there is an issue with LE certificates.

Code:
[admin@OPNsense ~]$ fetch -o mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
5843273977856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.routerperformance.net/mimugmail.conf: Authentication error

After I remove the DST Root CA X3 certificate from /etc/ssl/certs.pem and /usr/local/etc/ssl/certs.pem I get the following:
Code:
[admin@OPNsense ~]# fetch -o mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
898400673792:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.routerperformance.net/mimugmail.conf: Authentication error
And in both places the ISRG Root X1 is valid till 2035.

Running openssl s_client -connect unicast.uncensoreddns.org:853 (using a LE cert) gives the following (shortened):
Code:
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 30 18:14:03 2024 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 15 16:00:00 2025 GMT
verify return:1
depth=0 CN = unicast.censurfridns.dk
notAfter=Nov 18 18:38:31 2021 GMT
verify return:1
---
Certificate chain
 0 s:CN = unicast.censurfridns.dk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
...
subject=CN = unicast.censurfridns.dk

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4404 bytes and written 409 bytes
Verification error: certificate has expired
...

KH
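As an added example that is not part of KHE's post or of OPNsense itself: a small Python parser for the verify-callback lines of the `openssl s_client` output quoted above, which pairs each chain depth with its notAfter date and reports which members are expired at a given clock. It assumes the standard `depth=` / `notAfter=` / `verify error:num=` line shapes shown in the post; on the quoted output it flags only depth 3 (DST Root CA X3), the top of the served chain, while the leaf and both intermediates are still valid.

```python
import re
from datetime import datetime, timezone

# Sample: the verify-callback lines from the openssl s_client output quoted in the post above.
SAMPLE_LOG = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 30 18:14:03 2024 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 15 16:00:00 2025 GMT
verify return:1
depth=0 CN = unicast.censurfridns.dk
notAfter=Nov 18 18:38:31 2021 GMT
verify return:1
"""
# Fixed clock close to the post's timestamp (assumed UTC) so the result is reproducible.
POST_TIME = datetime(2021, 9, 30, 17, 18, tzinfo=timezone.utc)

DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.+) GMT$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")

def parse_verify_log(text):
    """Group the verify-callback lines by chain depth (openssl may print the same depth twice)."""
    certs, current = {}, None
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))
            current = certs.setdefault(depth, {"depth": depth, "subject": m.group(2),
                                               "not_after": None, "errors": []})
        elif current is not None and (m := NOTAFTER_RE.match(line)):
            current["not_after"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        elif current is not None and (m := ERROR_RE.match(line)):
            current["errors"].append(int(m.group(1)))  # num=10 is X509_V_ERR_CERT_HAS_EXPIRED
    return [certs[d] for d in sorted(certs)]

def diagnose(certs, now):
    """Which chain members are expired at `now`, and is the top of the served chain the only one?"""
    top = max(c["depth"] for c in certs)
    expired = [c["depth"] for c in certs if c["not_after"] and c["not_after"] <= now]
    return {"expired_depths": expired,
            "expired_subjects": [c["subject"] for c in certs if c["depth"] in expired],
            "error_depths": [c["depth"] for c in certs if 10 in c["errors"]],
            "only_top_of_chain_expired": expired == [top]}
```

When the only expired member is the topmost one, the leaf and intermediates are fine and the problem is the trust path the client builds to its root store, not the server's own certificate.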

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved