Letsencrypt.org frontpage "NET::ERR_CERT_INVALID"

Hi,

I’m getting a certificate error when visiting letsencrypt.org using my Chrome and Safari on my Mac. It’s working fine using Firefox, and command line curl (using anaconda3).

The same error has been observed on other sites having LE certificates (https://www.finn.no/ being amongst them).

However, there are many sites having LE certificates that work just fine (from both Chrome and Safari, on the same Mac), for example https://fn.is/ .

The strange part is that, on a site that complains about bad certificate, if I bypass the warning, and inspect the certificate chain, it looks just fine (i.e. it says “This certificate is valid” for both root, intermediate and issued).

It works just fine for community.letsencrypt.org as well;

To clarify; this used to work just fine, and has happened during the last couple of weeks (I’ve been traveling a bit, so have not noticed before now), without any (relevant) changes on my computer (that I know of).

I’m unable to replicate your findings…
Neither by IPv4 nor IPv6.

Hi @jockek

never seen such a combination.

Click on

NET::ERR_CERT_INVALID

then you see the certificate directly.

Looks like a Man-in-the-middle-certificate from a Firewall or an AV-software.


Can you check if your MacOS is up to date?
I just thought it might be a bug…

Firefox and curl on Mac seem to use their own trust store, so that might be the reason it wasn’t impacted. (Or there are browser issues?)

@JuergenAuer, see below. It seems to be the correct chain (after copying them into three separate files, and inspecting them via openssl).

@stevenzhu, I’m using Mac OS 10.14.6 with all security updates. I can see the (valid) root cert in my “System Roots” in Keychain.

Also keep in mind that this worked just fine a couple of weeks ago. My first thought was wrong time on local machine (since I’ve been traveling multiple timezones), but that is not the case (and would not explain why it worked in Firefox).

NET::ERR_CERT_INVALID
Subject: www.finn.no

Issuer: Let's Encrypt Authority X3

Expires on: 27 May 2020

Current date: 18 Mar 2020

PEM encoded chain:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

I would check for MITM:

go through the steps to “connect” then immediately check the cert in use,

If cert is correct and valid…
Then it may be an OCSP connectivity, or other verification, problem.

@rg305, I already did that; look at screenshot in first post, showing valid certificate chain for letsencrypt.org (i.e. all certificates are marked with “This certificate is valid”). It still complains (-:

If the popup is the cert in use, then that seems to be the correct cert.
Leading to “other issues”… like OCSP, etc.

Even if it was OCSP, it would not explain why “letsencrypt.org” does NOT work, while “community.letsencrypt.org” works, from the SAME browser, on the SAME machine.

I found some more interesting info now, as Safari actually lets you preview the certificate before “loading” the page. It says “letsencrypt.org certificate is not standards compliant”, whatever that means.

OK now we’re getting somewhere,

they are hosted on completely different cdns, with different certs, different webserver, and very different ssl configurations

Now that is a question for Safari (and Chrome),
What does it mean when:
"certificate is not standards compliant"

The cert uses SHA-1 signed certs?
The cert must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID ?

@rg305, I’m thinking it might be related to this update; https://support.apple.com/en-us/HT210176 (and somehow it was backported to 10.14 as well, without explicitly stating so in any of the 10.14 security updates).

edit: Root is actually SHA-1, but intermediate (issuing CA) is SHA-2. The “Apple defined rule” as per the list above, only states “issuing CA”, so I guess root CAs are not counted, depending on how one looks at it?

The id-kp-serverAuth OID is present (1.3.6.1.5.5.7.3.1 = “Server Authentication”).

It seems,
The community cert was issued on Jan 21; while the LE.org cert was issued on March 7.
So it seems something changed (is now being enforced) between those two dates.
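Added here as an example, not posted by anyone in the thread: a small POSIX shell script that does what the earlier post describes by hand (copying the PEM chain into separate files and inspecting each with openssl) and reports the exact properties this post and the previous one raise, namely the signature algorithm (SHA-1 or not), whether the Extended Key Usage contains id-kp-serverAuth, and the notBefore/notAfter dates that let you compare issue dates the way the Jan 21 vs March 7 observation does. It assumes only the openssl CLI (1.1.1 or newer for the `-addext` used to build the sample); the two self-signed certificates it generates when run without arguments are a constructed sample, not the finn.no or letsencrypt.org chains.

```shell
#!/bin/sh
# Added example (not from the thread): split a PEM chain into one file per
# certificate and report, per certificate, the signature algorithm (SHA-1?),
# whether EKU lists TLS Web Server Authentication (id-kp-serverAuth,
# 1.3.6.1.5.5.7.3.1), and the validity dates. Requires the openssl CLI.

# Write cert-1.pem, cert-2.pem, ... into directory $2 from chain file $1;
# print the number of certificates found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        (n > 0) { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the signature algorithm of one certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Exit 0 when the algorithm name denotes a SHA-1 based signature.
is_weak_sigalg() {
    case "$1" in
        sha1*|*SHA1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 when the certificate's EKU extension contains serverAuth.
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Report every certificate in chain file $1, one block per certificate.
check_chain() {
    dir=$(mktemp -d)
    n=$(split_chain "$1" "$dir")
    i=1
    while [ "$i" -le "$n" ]; do
        f="$dir/cert-$i.pem"
        alg=$(sig_alg "$f")
        if is_weak_sigalg "$alg"; then weak=yes; else weak=no; fi
        if has_server_auth "$f"; then eku=yes; else eku=no; fi
        printf '%s\n' "cert-$i: $(openssl x509 -in "$f" -noout -subject)"
        printf '  sigalg=%s sha1=%s serverAuth=%s\n' "$alg" "$weak" "$eku"
        openssl x509 -in "$f" -noout -dates | sed 's/^/  /'
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Constructed sample chain written to $1: two self-signed SHA-256 certs, the
# first with a serverAuth EKU and the second without any EKU at all.
make_sample_chain() {
    dir=$(dirname "$1")
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -keyout "$dir/k1.pem" -out "$dir/c1.pem" -subj '/CN=sample-with-eku.test' \
        -addext 'extendedKeyUsage=serverAuth' 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -keyout "$dir/k2.pem" -out "$dir/c2.pem" -subj '/CN=sample-without-eku.test' \
        2>/dev/null
    cat "$dir/c1.pem" "$dir/c2.pem" > "$1"
}

# Usage: sh check_chain.sh chain.pem   (with no argument the sample chain is checked)
if [ "$#" -gt 0 ]; then
    check_chain "$1"
else
    tmp=$(mktemp -d)
    make_sample_chain "$tmp/chain.pem"
    check_chain "$tmp/chain.pem"
    rm -rf "$tmp"
fi
```

Paste the three PEM blocks from a browser's "PEM encoded chain" view into a file and run the script on it; the first block is the leaf, the following ones the issuing CA(s), so a `sha1=yes` on the last block but `sha1=no` on the second matches the "root is SHA-1, intermediate is SHA-2" observation, and a `serverAuth=no` on the leaf is the EKU case the previous post asks about.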

correct - they are explicitly trusted.

May be nothing but...
"ExtendedKeyUsage" and "EnhancedKeyUsage"
don't seem to be spelled the same to me.

@9peppe, the OCSP-config for them is equal, though. Could be server config related, but it seems somewhat random so far. I'm about to try to enforce the same ciphers on a server that has working LE certificates, to use the same as a non-working one, to see if it's related to that.

That or a combination of that and SSL-config on server.

Except it's the same on the working vs. non-working certificate;

So then maybe the negotiated cipher has something to do with this problem:

LE.org =

Community.LE.org =