CN=DST Root CA X3, O=Digital Signature Trust Co. and serial number 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7 is not a trusted certificate

I applied exactly what the web browser is showing, meaning the new chain:

In this case, http connection is failing with this error:
CA certificate with issuer CN=DST Root CA X3, O=Digital Signature Trust Co. and serial number 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7 is not a trusted certificate
server chain validation failed: com.tibco.security.AXSecurityException: CA certificate with issuer CN=DST Root CA X3, O=Digital Signature Trust Co. and serial number 4001 7721 37D4 E942 B8EE 76AA 3C64 0AB7 is not a trusted certificate

Apart from the certs in the trust store, it is referring to the DST Root CA X3 (the same way as openssl).

Where did you apply that? Because the webserver is still serving the default chain including the intermediate signed by DST Root CA X3.


I added a new chain to the truststore (JKS).

That's the trust store of the client, right?


Yeah just to confirm, when I'm talking about the exception from TIBCO I mean, TIBCO itself is the thing opening an https connection (as a client) and it's TIBCO that's not trusting stark-research.net (which has a valid certificate).

So it's TIBCO you need to fix, not the website. Make sure you are uploading ISRG Root X1 (self-signed) to the TIBCO software, not ISRG Root X1 (issued by DST Root CA X3). You may also need a TIBCO server restart in case it caches CA certs.


Yeah! Correct. The TIBCO app is just a client to Stark-Research. To open an HTTP connection, it requires valid certificates uploaded to the trust store. The web browser is showing the new chain (with X1 self-signed); anyway, openssl is still showing X1 issued by X3. I think there is some mismatch between the web server and the stark-research host. This is not connected to TIBCO ... openssl, Portecle and KeyStore Explorer are showing the old chain while I examine the SSL connection. Please check below:

TIBCO has the other ISRG Root X1 (issued by DST Root CA X3) installed and you should probably remove that and install the other one. You want the self-signed ISRG Root X1 (issued by ISRG Root X1).

See Chain of Trust - Let's Encrypt


On the TIBCO side, you don't need to install anything. While doing an HTTP connection, you just point to the directory with trusted certificates. I uploaded only certs from the new chain (X1 issued by X1). Anyway, while the component is trying to establish the connection, it is referring to the old chain, exactly the same way as openssl, Portecle and KeyStore Explorer. Please check the below part of the logs from SSL debug during renegotiation:

Send StarkResearch Login Service0, setSoTimeout(361000) called
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1634650892 bytes = { 216, 32, 215, 249, 24, 72, 243, 2, 50, 237, 171, 162, 53, 199, 95, 112, 28, 95, 99, 56, 46, 187, 192, 255, 26, 67, 233, 52 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: stark-research.net]
Extension renegotiation_info, renegotiated_connection:


Send StarkResearch Login Service0, WRITE: TLSv1.2 Handshake, length = 133
Send StarkResearch Login Service0, READ: TLSv1.2 Handshake, length = 81
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1785615296 bytes = { 109, 193, 16, 83, 229, 225, 218, 128, 117, 135, 236, 46, 186, 123, 185, 230, 135, 205, 142, 202, 193, 119, 186, 86, 196, 225, 204, 193 }
Session ID: {101, 80, 76, 115, 130, 143, 144, 63, 43, 149, 82, 180, 6, 161, 221, 193, 92, 91, 65, 163, 148, 220, 117, 84, 115, 87, 234, 162, 16, 100, 23, 82}
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection:


chain [2] = [
[
Version: V3
Subject: CN=ISRG Root X1, O=Internet Security Research Group, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 4096 bits
modulus: 709477870415445373015359016562426660610553770685944520893298396600226760899977879191004898543350831842119174188613678136510262472550532722234131754439181090009824131001234702144200501816519311599904090606194984753842587622398776018408050245574116028550608708896478977104703101364577377554823893350339376892984086676842821506637376561471221178677513035811884589888230947855482554780924844280661412982827405878164907670403886160896655313460186264922042760067692235383478494519985672059698752915965998412445946254227413232257276525240006651483130792248112417425846451951438781260632137645358927568158361961710185115502577127010922344394993078948994750404287047493247048147066090211292167313905862438457453781042040498702821432013765502024105065778257759178356925494156447570322373310256999609083201778278588599854706241788119448943034477370959349516873162063461521707809689839710972753590949570167489887658749686740890549110678989462474318310617765270337415238713770800711236563610171101328052424145478220993016515262478543813796899677215192789612682845145008993144513547444131126029557147570005369943143213525671105288817016183804256755470528641042403865830064493168693765438364296560479053823886598989258655438933191724193029337334607
public exponent: 65537
Validity: [From: Wed Jan 20 20:14:03 CET 2021,
To: Mon Sep 30 20:14:03 CEST 2024]
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
SerialNumber: [ 40017721 37d4e942 b8ee76aa 3c640ab7]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

Finally, even Support from Stark-Research confirmed that the chain from the host is not valid.

Regards, Krystian

Ah, I'm sure you were using the ISRG Root X1 chain on stark-research.net but it is currently using the ISRG Root X1 > DST Root CA X3 chain.

Set your preferred issuer to ISRG Root X1 in certbot and get your stark-research.net cert again.


Hmm, you mean as an HTTP client I can change the preferred issuer for the server?

Sorry no, I'm assuming you control the stark-research.net website?

Either way, path validation should stop at ISRG Root X1 (self-signed) if you have that installed. I think it would be worth you raising this with TIBCO.


I was assuming this too, but I'm afraid this is a false assumption...


@krystian_kk The 'long chain' is being sent from stark-research.net (what you call the 'old chain'). I think you should upload the certs from this chain to your TIBCO trust location rather than the 'new chain'. I saw an article in TIBCO Knowledgebase that said "BW has an explicit trust model that requires a whole chain to be available in a Trusted Certificates folder."

The chain shown by a browser may not be the same as the one sent by the server. Browsers initially see the chain from the server but then may adjust it to match their trust stores and own logic. They do this to adapt to servers which may not be configured well - and other reasons.

But you must set up TIBCO to match what the server actually sends. Openssl shows the actual chain from the server.

I hope this helps.

Update: Oh, even with this change TIBCO may reject the chain because DST Root CA X3 is expired. You would need to discuss with TIBCO how to resolve this. For some older versions of openssl (1.0.2) you must add the -trusted_first option to the command to allow verification, for example. Perhaps there is something similar for TIBCO.

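The two behaviours discussed in this thread (a validator that stops at the first trusted anchor, which is what "path validation should stop at ISRG Root X1" and openssl's -trusted_first describe, versus a validator that requires the whole chain the server sent to be trusted) can be modelled side by side. The following is an added example, not code from the thread, from TIBCO or from Let's Encrypt: the certificates are plain records with constructed key identifiers and dates, and the "signature check" only compares issuer name and key id, so it demonstrates the path-building logic and not real cryptography.

```python
"""Toy model of trusted-first path building versus whole-sent-chain trust.

Added example, not code from the thread or from TIBCO/Let's Encrypt.
Certificates are plain records; signatures are simulated by matching
the issuer name and the signing key identifier.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str       # identifies the public key inside this certificate
    auth_key_id: str  # identifies the key that signed this certificate
    not_after: datetime


# Constructed dates: only the ordering relative to NOW matters here.
NOW = datetime(2021, 10, 19, tzinfo=timezone.utc)
EXPIRED = datetime(2021, 9, 30, tzinfo=timezone.utc)
VALID = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed stand-ins for the certificates named in the thread.
LEAF = Cert("CN=stark-research.net", "CN=R3", "key-leaf", "key-r3", VALID)
R3 = Cert("CN=R3", "CN=ISRG Root X1", "key-r3", "key-isrg-x1", VALID)
# Cross-signed ISRG Root X1: same subject and same key as the self-signed
# root, but issued by DST Root CA X3. This is the "long chain" the server sends.
ISRG_X1_CROSS = Cert("CN=ISRG Root X1", "CN=DST Root CA X3",
                     "key-isrg-x1", "key-dst-x3", VALID)
ISRG_X1_SELF = Cert("CN=ISRG Root X1", "CN=ISRG Root X1",
                    "key-isrg-x1", "key-isrg-x1", VALID)
DST_X3 = Cert("CN=DST Root CA X3", "CN=DST Root CA X3",
              "key-dst-x3", "key-dst-x3", EXPIRED)

SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # what openssl s_client would show


def signed_by(cert: Cert, candidate: Cert) -> bool:
    """Simulated signature check: issuer name and signing key must match."""
    return cert.issuer == candidate.subject and cert.auth_key_id == candidate.key_id


def find_anchor(cert: Cert, trust_store):
    """Return the trust anchor that issued `cert`, matched by name and key."""
    return next((a for a in trust_store if signed_by(cert, a)), None)


def validate_trusted_first(chain, trust_store, now=NOW):
    """Stop as soon as the current certificate's issuer is a trust anchor.
    Certificates the server sent after that point are never consulted."""
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False, f"{cert.subject} is expired"
        anchor = find_anchor(cert, trust_store)
        if anchor is not None:
            return True, f"path ends at trusted anchor {anchor.subject}"
        if i + 1 < len(chain) and signed_by(cert, chain[i + 1]):
            continue
        return False, f"CA certificate with issuer {cert.issuer} is not a trusted certificate"
    return False, "empty chain"


def validate_whole_sent_chain(chain, trust_store, now=NOW):
    """Model of the 'whole chain must be trusted' behaviour: every sent
    certificate must be signed by the next one, and the last certificate's
    issuer must itself be present (and valid) in the trust store."""
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False, f"{cert.subject} is expired"
        if i + 1 < len(chain):
            if not signed_by(cert, chain[i + 1]):
                return False, f"{cert.subject} is not signed by {chain[i + 1].subject}"
            continue
        anchor = find_anchor(cert, trust_store)
        if anchor is None:
            return False, f"CA certificate with issuer {cert.issuer} is not a trusted certificate"
        if anchor.not_after < now:
            return False, f"{anchor.subject} is expired"
        return True, f"path ends at trusted anchor {anchor.subject}"
    return False, "empty chain"


if __name__ == "__main__":
    store = [ISRG_X1_SELF]
    print("trusted-first, store={X1 self}:", validate_trusted_first(SERVER_CHAIN, store))
    print("whole-chain,   store={X1 self}:", validate_whole_sent_chain(SERVER_CHAIN, store))
    print("whole-chain,   store={X1 self, DST X3}:",
          validate_whole_sent_chain(SERVER_CHAIN, store + [DST_X3]))
    print("whole-chain,   short chain from server:",
          validate_whole_sent_chain([LEAF, R3], store))
```

With only the self-signed ISRG Root X1 in the store, the trusted-first validator succeeds at R3 and never looks at the cross-signed certificate, while the whole-chain model reproduces the thread's error for DST Root CA X3; adding DST Root CA X3 to that store only moves the failure to its expiry. The last run shows why changing the server's preferred issuer (a short chain ending at R3) satisfies even the whole-chain model.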
