21.7 Legacy Series / OPNsense cannot connect via TLS to any server with a Let's Encrypt certificate.
« on: September 30, 2021, 07:18:49 pm »
After having issues with both updating OPNsense and DNS over TLS it seems to me that there is an issue with LE certificates.
Code:
[admin@OPNsense ~]$ fetch -o mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
5843273977856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.routerperformance.net/mimugmail.conf: Authentication error
After I remove the DST Root CA X3 certificate from /etc/ssl/certs.pem and /usr/local/etc/ssl/certs.pem I get the following:
Code:
[admin@OPNsense ~]# fetch -o mimugmail.conf https://www.routerperformance.net/mimugmail.conf
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
898400673792:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://www.routerperformance.net/mimugmail.conf: Authentication error
And in both places the ISRG Root X1 is valid till 2035.

Running openssl s_client -connect unicast.uncensoreddns.org:853 (using a LE cert) gives the following (shortened):
Code:
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 30 18:14:03 2024 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 15 16:00:00 2025 GMT
verify return:1
depth=0 CN = unicast.censurfridns.dk
notAfter=Nov 18 18:38:31 2021 GMT
verify return:1
---
Certificate chain
 0 s:CN = unicast.censurfridns.dk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
...
subject=CN = unicast.censurfridns.dk
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4404 bytes and written 409 bytes
Verification error: certificate has expired
...
KH
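As an added example (not code from the post or from the OPNsense project): a small Python script that parses the verify lines `openssl s_client` prints, like the output above, and reports which link of the served chain is expired at a given time and whether that link is the top of the chain (the cross-signing root) rather than the server's own certificate. The sample input is constructed from the chain shown in the post.

```python
"""Added example, not code from the post: parse the verify lines that
`openssl s_client` prints and report which link of the served chain is expired."""
from datetime import datetime, timezone

# Constructed sample, taken from the chain shown in the post (leaf -> R3 ->
# ISRG Root X1 cross-signed by DST Root CA X3); "verify return" lines kept as printed.
SAMPLE = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 30 18:14:03 2024 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 15 16:00:00 2025 GMT
verify return:1
depth=0 CN = unicast.censurfridns.dk
notAfter=Nov 18 18:38:31 2021 GMT
verify return:1
"""

def parse_verify_output(text):
    """Return [{depth, subject, not_after, errors}] in print order (root end first)."""
    certs, cur = [], None
    for line in text.splitlines():
        if line.startswith("depth="):
            depth, subject = line[6:].split(" ", 1)
            cur = {"depth": int(depth), "subject": subject, "not_after": None, "errors": []}
            certs.append(cur)
        elif line.startswith("notAfter=") and cur:
            # printed as e.g. "Sep 30 14:01:15 2021 GMT"; %Z consumes the "GMT" token
            stamp = datetime.strptime(line[9:], "%b %d %H:%M:%S %Y %Z")
            cur["not_after"] = stamp.replace(tzinfo=timezone.utc)
        elif line.startswith("verify error:") and cur:
            cur["errors"].append(line.split(":", 2)[2])  # keep only the message text
    return certs

def diagnose(certs, now):
    """Expired links at `now`, and whether the expired one is the top of the served
    chain (the cross-signing root) rather than the server's own certificate."""
    expired = [c["subject"] for c in certs if c["not_after"] and c["not_after"] <= now]
    top = max(certs, key=lambda c: c["depth"])
    return {"expired": expired, "top_subject": top["subject"],
            "top_expired": top["subject"] in expired,
            "reported_errors": [e for c in certs for e in c["errors"]]}

if __name__ == "__main__":
    certs = parse_verify_output(SAMPLE)
    print(diagnose(certs, datetime(2021, 9, 30, 19, 0, tzinfo=timezone.utc)))
```

Run against the output of a real `openssl s_client` invocation by piping it in place of SAMPLE; a result with `top_expired` true and the leaf still valid points at the trust store's copy of the old root rather than at the server.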