CN=DST Root CA X3, O=Digital Signature Trust Co. and serial number 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7 is not a trusted certificate

Hello,

I'm trying to establish a connection to the https://www.stark-research.net domain. The web browser is giving the correct cert chain with the new ISRG Root X1 cert (SN: 008210cfb0d240e3594463e0bb63828b00).

Anyway, openssl is giving an incorrect chain:

command: openssl s_client -tls1_2 -cipher aRSA -connect stark-research.net:443 -showcerts

Certificate chain
0 s:CN = www.stark-research.net
i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

I don't understand why it still requires DST Root CA X3, which is expired now.

Please advise.

Regards, Krystian

Please see Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt

3 Likes

Thanks! Anyway, I'm using just a simple openssl command on Windows. The certs are different from those in the web browser. It is not Android.

Regards, Krystian

1 Like

The long chain that @Osiris mentions is served automatically by web servers to all clients, regardless of whether a particular client benefits from it (like old Android), ignores it (like most web browsers), or is harmed by it (like older OpenSSL clients and some older web browsers). Its motivation is to provide compatibility with older Android clients, but an individual web server doesn't actually know whether a particular client will want the long chain or not, so it normally serves that chain to all clients.

The web browser is probably receiving the same chain from the server, but not displaying it to you. Most web browsers (unlike openssl s_client) don't actually show exactly what chain was sent by the server, but rather show whatever valid chain the web browser was able to build based on its own root store and cached intermediate certificates (including those from other sites).

4 Likes

Client operating systems (and many tools) build their own preferred chain based on what they see from the server. So the server can present one thing and the client can choose to build a trusted path however it wants to. On Windows in IE, Edge, Chrome (current version) this specifically works using the Windows trust store and the Windows chain building engine, which if it's up to date will build Leaf > R3 > ISRG Root X1 regardless of which LE chain is presented by the server.

This is because Windows doesn't trust the expired DST Root CA X3 (if it can find something else), and will try to build the path to ISRG Root X1 (self-signed) instead, which it should be able to do if the OS trust store is up to date. If you ever see the DST Root CA X3 chain in the Windows certificate viewer it's either because the machine you are on doesn't have ISRG Root X1 installed or the chain presented is still using the old R3 (which is increasingly unlikely, but common on Windows servers that haven't been rebooted for a while).

Aside from trying to understand why the chain is shown one way or the other, is there a specific problem you are trying to solve?

2 Likes

Hello,

Thanks for the response. My goal is to build a simple integration to stark-research.net. Anyway, when I try to establish a secure HTTP connection, it fails with this error:

validating certificate chain
looking in datastore for certificate with DN CN=R3, O=Let's Encrypt, C=US
match found
looking in datastore for certificate with DN CN=ISRG Root X1, O=Internet Security Research Group, C=US
CA certificate with correct DN, but fingerprint '0CD2 F9E0 DA17 73E9 ED86 4DA5 E370 E74E' found. Continuing search.
No match found
CA certificate with issuer CN=DST Root CA X3, O=Digital Signature Trust Co. and serial number 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7 is not a trusted certificate
server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=DST Root CA X3, O=Digital Signature Trust Co. and serial number 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7 is not a trusted certificate

Certs in my trust store:
adding as trusted cert:
Subject: CN=www.stark-research.net
Issuer: CN=R3, O=Let's Encrypt, C=US
Algorithm: RSA; Serial number: 0x40ca91462c2ac5be1b127806354c07f4408
Valid from Wed Sep 15 10:21:27 CEST 2021 until Tue Dec 14 09:21:26 CET 2021

adding as trusted cert:
Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Algorithm: RSA; Serial number: 0x8210cfb0d240e3594463e0bb63828b00
Valid from Thu Jun 04 13:04:38 CEST 2015 until Mon Jun 04 13:04:38 CEST 2035

adding as trusted cert:
Subject: CN=R3, O=Let's Encrypt, C=US
Issuer: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Algorithm: RSA; Serial number: 0x912b084acf0c18a753f6d62e25a75f5a
Valid from Fri Sep 04 02:00:00 CEST 2020 until Mon Sep 15 18:00:00 CEST 2025

Regards, Krystian

2 Likes
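Added example, not code from this thread, from TIBCO or from OpenSSL: a standard-library Python script that decodes certificate 2 of the chain posted above (ISRG Root X1 cross-signed by DST Root CA X3, serial 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7) just far enough to recover its subject, issuer, serial, key identifiers and expiry, and then shows the two ways a client can match a served CA certificate against its trust store. Matching on the exact certificate (fingerprint) reproduces the log above: the store's ISRG Root X1 has the right DN but is a different certificate, so the served cross-sign stays in the path and its issuer, DST Root CA X3, has to be trusted. Matching on subject name plus key identifier, which is how the earlier description of Windows and browsers building their own Leaf > R3 > ISRG Root X1 path plays out, stops at the store's root and never considers DST Root CA X3. The trust-store entry is a stand-in for the self-signed ISRG Root X1: its subject and key identifier are taken from the cross-sign (the same value R3's authority key identifier carries in the posted chain), and its digest is a placeholder because the real root's fingerprint is not on this page. The certificate text is the one posted, with base64 lines joined in pairs.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Certificate 2 of the served chain posted above: ISRG Root X1 cross-signed by
# DST Root CA X3 (serial 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7), 64-char lines paired.
CROSS_SIGNED_ISRG_X1_PEM = """-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----"""

_DN_ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
_OID_SKI, _OID_AKI = b"\x55\x1d\x0e", b"\x55\x1d\x23"   # id-ce-subjectKeyIdentifier, id-ce-authorityKeyIdentifier

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):                           # the TLVs packed inside a constructed value
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def _name(buf, start, end):                               # X.501 Name -> "CN=..., O=..., C=..." (most specific first)
    parts = []
    for _, rdn_s, rdn_e in _children(buf, start, end):               # RDN ::= SET OF AttributeTypeAndValue
        for _, ava_s, ava_e in _children(buf, rdn_s, rdn_e):         # AttributeTypeAndValue ::= SEQUENCE { OID, value }
            (_, oid_s, oid_e), (_, val_s, val_e) = _children(buf, ava_s, ava_e)
            parts.append(f"{_DN_ATTRS.get(buf[oid_s:oid_e], buf[oid_s:oid_e].hex())}={buf[val_s:val_e].decode()}")
    return ", ".join(reversed(parts))

def _time(buf, tag, start, end):                          # UTCTime (YY, RFC 5280 pivot at 50) or GeneralizedTime (YYYY)
    txt = buf[start:end].decode()
    txt = txt if tag == 0x18 else ("19" if txt[0] >= "5" else "20") + txt
    return datetime.strptime(txt, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(pem):
    """Pull the fields a path builder needs out of a PEM X.509 certificate (no signature check)."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-")))
    _, tbs_s, _ = _tlv(der, 0)                            # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    f = list(_children(der, *_tlv(der, tbs_s)[1:]))       # TBSCertificate members, in order
    if f[0][0] == 0xA0:                                   # optional [0] EXPLICIT version
        f.pop(0)
    validity = list(_children(der, f[3][1], f[3][2]))     # Validity ::= SEQUENCE { notBefore, notAfter }
    cert = {"serial": int.from_bytes(der[f[0][1]:f[0][2]], "big", signed=True),
            "issuer": _name(der, f[2][1], f[2][2]), "subject": _name(der, f[4][1], f[4][2]),
            "not_after": _time(der, *validity[1]), "ski": None, "aki": None,
            "sha256": hashlib.sha256(der).hexdigest()}
    exts = [x for x in f[6:] if x[0] == 0xA3]              # [3] EXPLICIT Extensions, after subjectPublicKeyInfo
    for _, ext_s, ext_e in (_children(der, *_tlv(der, exts[0][1])[1:]) if exts else ()):
        items = list(_children(der, ext_s, ext_e))        # Extension ::= { extnID, [critical BOOLEAN], extnValue OCTET STRING }
        oid, (_, ov_s, ov_e) = der[items[0][1]:items[0][2]], items[-1]
        if oid == _OID_SKI:                               # SubjectKeyIdentifier ::= OCTET STRING (wrapped in extnValue)
            cert["ski"] = der[slice(*_tlv(der, ov_s)[1:])].hex()
        elif oid == _OID_AKI:                             # AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier, ... }
            cert["aki"] = next(der[s:e].hex() for t, s, e in _children(der, *_tlv(der, ov_s)[1:]) if t == 0x80)
    return cert

# Stand-in for the self-signed ISRG Root X1 (SN 8210CFB0...) the poster imported: the same subject
# and key, hence the same key id, as the cross-sign above, but a different certificate. The digest
# is a placeholder for this example, not the real root's fingerprint.
SELF_SIGNED_ISRG_X1 = {"subject": "CN=ISRG Root X1, O=Internet Security Research Group, C=US",
                       "ski": "79b459e67bb6e5e40173800888c81a58f6e99b6e", "sha256": "placeholder"}

def resolve(served, store, by_name_and_key):
    # by_name_and_key=False mirrors the posted log: a store entry with the right DN but another
    # fingerprint is skipped, the cross-sign stays in the path, and its issuer must then be trusted.
    for anchor in store:
        same_cert = anchor["sha256"] == served["sha256"]
        same_key = by_name_and_key and (anchor["subject"], anchor["ski"]) == (served["subject"], served["ski"])
        if same_cert or same_key:                         # the served cert is (a twin of) a trust anchor: stop here
            return "anchored", anchor["subject"]
    if any((a["subject"], a["ski"]) == (served["issuer"], served["aki"]) for a in store):
        return "anchored", served["issuer"]               # the served cert chains directly to an anchor
    return "untrusted_issuer", served["issuer"]

if __name__ == "__main__":
    cross = parse_certificate(CROSS_SIGNED_ISRG_X1_PEM)
    print(cross["subject"], "<-", cross["issuer"], "| valid until", cross["not_after"].date(),
          "| by fingerprint:", resolve(cross, [SELF_SIGNED_ISRG_X1], False),
          "| by name+key:", resolve(cross, [SELF_SIGNED_ISRG_X1], True))
```

The parsed notAfter of the cross-sign is 2024-09-30, so the served certificate itself was not expired when this thread was written; what the validator cannot find is a trusted DST Root CA X3 to sit above it. For a Java truststore, importing only the self-signed root is `keytool -importcert -trustcacerts -alias isrgrootx1 -file isrgrootx1.pem -keystore truststore.jks`; whether the client then accepts the served cross-sign depends on whether its validator matches by name and key, as `resolve` does with `by_name_and_key=True`, or insists on the exact certificate, which is what "correct DN, but fingerprint ... found. Continuing search." in the log above indicates.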

Ok, you need to find out how to update the list of trusted CA certificates that Tibco uses. I'd suggest contacting Tibco support and they can probably easily tell you. For Java based stuff this often involves importing the root certificate into your key store using keytool, but there may also be a UI for that in Tibco as it's a pretty common thing to need to do.

2 Likes

You shouldn't add end leaf certificates nor intermediate certificates into your root trust store: only the ISRG Root X1 should be added.

Also, could you perhaps elaborate on what kind of client is being used? Because that output doesn't look like OpenSSL to me. It's probably the chain building logic of the client used that's giving you trouble.

2 Likes

Thanks! I tried to upload only the ISRG Root X1 cert (not the full chain). Anyway, it failed this way:

validating certificate chain
looking in datastore for certificate with DN CN=R3, O=Let's Encrypt, C=US
No match found
CA certificate with issuer CN=ISRG Root X1, O=Internet Security Research Group, C=US and serial number 0000 912B 084A CF0C 18A7 53F6 D62E 25A7 5F5A is not a trusted certificate
server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=ISRG Root X1, O=Internet Security Research Group, C=US and serial number 0000 912B 084A CF0C 18A7 53F6 D62E 25A7 5F5A is not a trusted certificate

I'm using a TIBCO tool to implement the integration; it is based on Java. I used OpenSSL and Portecle to double-check and examine the SSL connection, and both are giving the same issue I got in TIBCO.

Regards, Krystian

1 Like

When I tried OpenSSL everything worked like a charm. Unfortunately I'm not familiar with Java so I can't help you with that. Maybe someone else knows more about this stuff.

2 Likes

Sorry, you mean openssl works fine for you?

Correct: no expired cert or invalid chain issues.

Hmm, can you share your command and output?

Sure:

Thanks. I think it is NOT correct. Please check the last one in the chain. It is signed by DST Root CA X3, which is expired.

Please read the news post I've linked at the top of this thread: this is intended behaviour with the default chain.

If you wish to change that and lose compatibility with Android devices older than 7.1.1, you have the option to change to the alternative certificate chain.

3 Likes

Sorry, it is not clear to me. I'm not working with Android devices. I need to create a truststore.jks to establish an HTTP connection to stark-research.net. When I uploaded the new chain to the truststore, it failed, expecting DST Root CA X3. When I did the opposite, adding the old chain, the connection failed as DST Root CA X3 has expired. The blog post is not giving me anything useful.

I don't understand this part: how is DST Root CA X3 in the picture when using the new (alternative) chain? With that chain there is no DST Root CA X3 to speak of.

2 Likes

It is expecting DST Root CA X3 because even openssl is showing the certs ONLY in the alternative way. Only the web browser is showing the new chain. OpenSSL and Portecle are showing ONLY the old chain. The trust store with the old chain is failing as X3 is not valid anymore (expired).

Then you haven't changed the chain sent by the server of stark-research.net correctly.