Invalid cert authority on lineageos 18.1 (Android 11)

My domain is: pvr.interlinx.bc.ca

I ran this command: opened the above site in Chrome (99.0.4844.58) on LineageOS 18.1/Android 11

It produced this output: NET::ERR_CERT_AUTHORITY_INVALID

My web server is (include version): N/A

The operating system my web server runs on is (include version): EL 8.5

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

The exact same URL on Chrome (99.0.4844.51) on Linux produces no error.

I cannot connect to this.

If it's on your internal network, make sure you're sending the entire certificate chain and not the leaf alone (i.e. either send fullchain.pem, or cert.pem and chain.pem both)


I cannot connect to this.

Correct. It is on an internal network.

make sure you're sending the entire certificate chain and not the leaf alone (i.e. either send fullchain.pem, or cert.pem and chain.pem both)

But doesn't the fact that Chrome on Linux having no problem with this mean that the server must be sending the entire certificate chain?

How can I verify that this is or is not the case? An openssl s_client perhaps that I can paste the output of?

FWIW, this server wants everything in a single file and so I have to run:

    openssl pkcs12 -export                               \
                   -out $RENEWED_LINEAGE/certificate.pfx \
                   -inkey $RENEWED_LINEAGE/privkey.pem   \
                   -in $RENEWED_LINEAGE/cert.pem         \
                   -certfile $RENEWED_LINEAGE/chain.pem  \
                   -password [redacted]

to generate the file it needs. It looks like I am using both cert.pem and chain.pem as you suggest though.

Cheers,
b.

openssl s_client -showcerts -connect $host:$port [-servername $host]

(-servername not needed if your openssl is 1.1.1 or newer)


I think this might be wrong. Try using -chain instead of -certfile

https://www.openssl.org/docs/manmaster/man1/openssl-pkcs12.html

(also, I think openssl will have no problem using fullchain.pem as -in -- it will include the other certs in the output file)


openssl s_client -showcerts -connect $host:$port [-servername $host]

$ openssl s_client -showcerts -connect pvr:443 -servername videoserver.interlinx.bc.ca
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=10:certificate has expired
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 29 19:21:40 2021 GMT
verify return:1
depth=0 CN = pvr.interlinx.bc.ca
notAfter=Jun  9 15:31:34 2022 GMT
verify return:1
---
Certificate chain
 0 s:CN = pvr.interlinx.bc.ca
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = pvr.interlinx.bc.ca

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3048 bytes and written 401 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 841A83E3D19EB20BDD52BC9F2636AB9D8439DFBFB52E2B6ED424A7F2FB943B04
    Session-ID-ctx: 
    Resumption PSK: 186B6B4E4C3C19FFB8B93B27BC0F07141E88F07BCE0A78AC584D5D1746D5D30C3F1D251FA7C48A245A471216C36BE2BE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1647448361
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DFFF7FE6DE1F0B6E97C6A851190A247568165D4A37CF85A8D3497F5735B42F4B
    Session-ID-ctx: 
    Resumption PSK: 6360CC2018916CF4A6C4BA9293104D727A5B124C8CFE449358A3954D03B0D15E843FB26CB2D51C87C0F616E25B5A3E5B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1647448361
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---

Everything except the pvr.interlinx.bc.ca cert looks expired.

Interesting that Chrome on Linux is not complaining about it though.

Because it's probably getting the intermediate from somewhere else. You are using a fresh chain provided by certbot, you haven't saved an old one, have you?

Maybe try with

    openssl pkcs12 -export                               \
                   -out $RENEWED_LINEAGE/certificate.pfx \
                   -inkey $RENEWED_LINEAGE/privkey.pem   \
                   -in $RENEWED_LINEAGE/fullchain.pem    \
                   -password [redacted]

(unless your destination software needs a password, you can probably avoid using one)


That R3 intermediate is ancient. Please heed @9peppe's comment and note that you should NEVER hardcode an intermediate certificate, as intermediates can change at any time at any notice and without any warning. You should always have a mechanism to use the intermediate provided by the ACME server.


TTBOMK, I am not hard-coding anything myself. I am using everything that comes from the update ($RENEWED_LINEAGE) of the cert as you can see above in my openssl pkcs12 command.

So if something is out-of-date, it's being sent to me as out-of-date from LE.

Or correct me if I am wrong in some way that I am not aware of.

You are using a fresh chain provided by certbot, you haven't saved an old one, have you?

As you can see, I am referencing everything from $RENEWED_LINEAGE in my deploy hook. certbot sets the value of that to the path to the new cert files from the renew request.

With 2 million certificates issued per day, such an error would have been noticed much earlier and with many more threads on this Community than your single thread :wink: I'm afraid it probably has something to do with how you're building your PKCS12 file.

You can check the difference between $RENEWED_LINEAGE/chain.pem and the actual chain contained in the PKCS12 file with openssl commands.

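One way to do that comparison, as an added example that is not code from this thread: it dumps every certificate stored in the .pfx with openssl pkcs12 -nokeys, fingerprints each one, and checks the set against fullchain.pem. It assumes only the openssl CLI on PATH; the file names, the throwaway CA and leaf it builds, and the password "demo" are constructed placeholders.

```shell
# Added example, not from the thread: dump the certificates stored in a PKCS#12
# file and compare them with the PEM chain certbot wrote. Assumes the openssl
# CLI is on PATH; file names, the throwaway CA/leaf and the password "demo"
# are constructed placeholders, not the poster's files.
set -eu
# Run `openssl x509 -noout <options>` on every certificate in a PEM bundle read
# from stdin (openssl x509 by itself only looks at the first certificate).
pem_each() {
    cert=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
        "-----BEGIN CERTIFICATE-----") cert="$line
" ;;
        "-----END CERTIFICATE-----")
            printf '%s%s\n' "$cert" "$line" | openssl x509 -noout "$@"
            cert="" ;;
        *) if [ -n "$cert" ]; then cert="$cert$line
"; fi ;;
        esac
    done
}
# One SHA-256 fingerprint per certificate, in bundle order.
pem_fingerprints() { pem_each -fingerprint -sha256 | sed 's/^.*=//'; }
# Every certificate stored in a PKCS#12 file (leaf and chain alike) as PEM.
pkcs12_certs() { openssl pkcs12 -in "$1" -nokeys -passin "pass:$2"; }
# Succeeds only when the PKCS#12 holds exactly the certificates in fullchain.pem.
pkcs12_matches_fullchain() {
    [ "$(pkcs12_certs "$1" "$2" | pem_fingerprints | sort)" = \
      "$(pem_fingerprints < "$3" | sort)" ]
}
# Constructed throwaway CA, leaf and two PKCS#12 files, written into directory $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pvr.example.test" \
        -keyout "$1/privkey.pem" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/chain.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/cert.pem" 2>/dev/null
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
    openssl pkcs12 -export -passout pass:demo -inkey "$1/privkey.pem" \
        -in "$1/fullchain.pem" -out "$1/full.pfx"
    openssl pkcs12 -export -passout pass:demo -inkey "$1/privkey.pem" \
        -in "$1/cert.pem" -out "$1/leafonly.pfx"
}
# Prints "yes no": the full-chain PKCS#12 matches, the leaf-only one does not.
demo() {
    d=$(mktemp -d)
    make_demo_chain "$d"
    pkcs12_certs "$d/full.pfx" demo | pem_each -subject -enddate >&2
    pkcs12_matches_fullchain "$d/full.pfx" demo "$d/fullchain.pem" && a=yes || a=no
    pkcs12_matches_fullchain "$d/leafonly.pfx" demo "$d/fullchain.pem" && b=yes || b=no
    rm -rf "$d"
    echo "$a $b"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the constructed chain's subjects and notAfter dates on stderr; for a real deploy hook, call pkcs12_matches_fullchain with $RENEWED_LINEAGE/certificate.pfx, its password and $RENEWED_LINEAGE/fullchain.pem.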

Is it the same when using -chain?

Have you tried with -in $RENEWED_LINEAGE/fullchain.pem ?

(Please know that the hook does not run if the certificate isn't actually renewed. You have to run the openssl command by itself.)


I am by no means even familiar enough with x509 and certificates and openssl, etc. I did some googling on how to display the full chain of certs in fullchain.pem and my resulting certificate.pfx but only found lots of questions and no answers, so I don't really know how to do the verification you suggest. Any clues?

That worked. To be clear, the final result is:

    $ openssl pkcs12 -export                               \
                     -out $RENEWED_LINEAGE/certificate.pfx \
                     -inkey $RENEWED_LINEAGE/privkey.pem   \
                     -in $RENEWED_LINEAGE/fullchain.pem    \
                     -password [redacted]

Thanks much for all of your help and patience everyone!


I must say the man pkcs12 from OpenSSL doesn't really help me much:

-certfile filename

A filename to read additional certificates from.

And:

-in filename

The filename to read certificates and private keys from, standard input by default. They must all be in PEM format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file.

I don't really see the difference between using -in with fullchain.pem vs. -in with cert.pem and -certfile with chain.pem. But apparently OpenSSL does. And @9peppe luckily knew and suggested as much :smiley:

Glad it's fixed, but I'm rather baffled.


There are two options that don't have a very clear difference, -chain and -certfile.

Now, I don't really know why they're different, but I suppose pkcs12 saves chains as an object and if you just throw the intermediate inside it's not used with the leaf.


But -chain is never used in this thread?


I suggested it, once.


Yes, suggested, but not used as far as I can tell, so I'm not sure why you bring it up again in response to my post regarding the difference between -in and -certfile :roll_eyes:


Because -certfile doesn't look like it does what we expect.

-in fullchain.pem

and

-in cert.pem -chain chain.pem

should be equivalent.

As for what -certfile does or why it's useful, I don't know.

According to the manpage, -certfile just adds the certificates, while -chain actually uses those certificates to build a chain.

(It probably depends on the hot mess that pkcs12 is: multiple keys, certificates and CRLs in a single file?)

