DoT dns resolution stopped working - Related to Let's Encrypt Root CA Expiry

[onelittlehope]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

The root CA DST Root CA X3 expired on September 30, 2021.

See: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Ever since that date, the DNS over TLS feature of Unbound in OPNsense has stopped working for me.

My DoT servers all use a Let's Encrypt certificate and have valid certificate chains.

I believe something in OPNsense is not correctly detecting a valid certificate chain for these servers.

Certificate chain was verified using multiple methods:

• https://chainchecker.certifytheweb.com/
• https://github.com/drwetter/testssl.sh

To Reproduce

Steps to reproduce the behaviour:

1. Go to OPNsense --> Services --> Unbound DNS --> DNS over TLS
2. Click on [+] buton to ADD a DoT server with the following details:

Enabled: checked
IP Address: 145.100.185.15
Port: 853
Hostname: dnsovertls.sinodun.com

3. Click the [Apply] button and then restart Unbound service
4. On a client machine which uses the OPNsense device as a DNS server, perform a dns query

ping www.google.com

5. Go to OPNsense --> Services --> Unbound DNS --> Log file

Expected behaviour

I expect the DNS query in step 4 to work and return an IP address for the fqdn www.google.com.

Instead, I get:

~> ping www.google.com
ping: www.google.com: Temporary failure in name resolution

Describe alternatives you considered

DNS resolution works fine by using a DoT server which doesn't use a Let's Encrypt certificate, e.g. Quad9's 9.9.9.9:853 or Cloudflare's 1.1.1.1:853.

Relevant log files

Proof that certificate chain is valid for 145.100.185.15:853

~> kdig -d @145.100.185.15 +tls-ca +tls-host=dnsovertls.sinodun.com  www.google.com
;; DEBUG: Querying for owner(www.google.com.), class(1), type(1), server(145.100.185.15), port(853), protocol(TCP)
;; DEBUG: TLS, imported 512 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=dnsovertls.sinodun.com
;; DEBUG:      SHA-256 PIN: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG:  #3, C=US,O=Internet Security Research Group,CN=ISRG Root X1
;; DEBUG:      SHA-256 PIN: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 63636
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 405 B

;; QUESTION SECTION:
;; www.google.com.              IN      A

;; ANSWER SECTION:
www.google.com.         243     IN      A       172.217.168.196

;; Received 468 B
;; Time 2021-10-04 14:50:57 BST
;; From 145.100.185.15@853(TCP) in 20.4 ms

Unbound log msgs:

2021-10-04T15:04:16	unbound[51738]	[51738:2] notice: ssl handshake failed 145.100.185.15 port 853
2021-10-04T15:04:16	unbound[51738]	[51738:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-10-04T15:04:16	unbound[51738]	[51738:3] notice: ssl handshake failed 145.100.185.15 port 853
2021-10-04T15:04:16	unbound[51738]	[51738:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-10-04T15:04:16	unbound[51738]	[51738:2] notice: ssl handshake failed 145.100.185.15 port 853
2021-10-04T15:04:16	unbound[51738]	[51738:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-10-04T15:04:16	unbound[51738]	[51738:3] notice: ssl handshake failed 145.100.185.15 port 853
2021-10-04T15:04:16	unbound[51738]	[51738:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-10-04T15:04:16	unbound[51738]	[51738:2] notice: ssl handshake failed 145.100.185.15 port 853
2021-10-04T15:04:16	unbound[51738]	[51738:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-10-04T15:04:16	unbound[51738]	[51738:2] info: 192.168.0.10 www.google.com. AAAA IN
2021-10-04T15:04:16	unbound[51738]	[51738:2] info: 192.168.0.10 www.google.com. A IN
2021-10-04T15:04:16	unbound[51738]	[51738:0] info: start of service (unbound 1.13.2).

Additional context

I've tried several DoT servers and all of them which use a Let's Encrypt certificate show the same behaviour.

• 91.239.100.100:853 - anycast.censurfridns.dk
• 145.100.185.15:853 - dnsovertls.sinodun.com
• 145.100.185.16:853 - dnsovertls1.sinodun.com
• 185.49.141.37:853 - getdnsapi.net

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 21.7.3_3-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

[kulikov-a]

hi
do you use\need LE certs for any service on opnsense?

[onelittlehope]

Yes, I use the os-acme-client plugin to request a Let's Encrypt certificate for use by the OPNsense administration web interface. (i.e. OPNsense > System > Settings > Administration > Protocol is set to HTTPS and OPNsense > System > Settings > Administration > SSL Certificate is set to a Let's Encrypt certificate.)

[kulikov-a]

i think there is no official solution yet.
if you dont use old Andriod devices for GUI access you can try to make LE chain short and thus get rid of cross-chaind intermediate cert from trusted store.

please keep in mind that this is not an official solution
at your own risk
(and I only tested it for 20.7 although the idea itself should definitely work)
and be careful - if you accidentally delete the R3 certificate, you will need to reissue LE cert:

you need to go to the System: Trust: Authorities page,
edit R3 (Let's Encrypt) certificate
in the Certificate data section, you will see two certificates. You need to remove the bottom one:

-----BEGIN CERTIFICATE----- 
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

only the top should remain:

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

This leaves only a short chain.

[onelittlehope]

Thank you so much.

That worked.

The bottom cert which I removed was:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c:
                    87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7:
                    75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86:
                    6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31:
                    9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff:
                    12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f:
                    7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2:
                    4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23:
                    53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74:
                    b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c:
                    fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e:
                    cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25:
                    0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf:
                    10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4:
                    63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c:
                    76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10:
                    e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02:
                    07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb:
                    0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4:
                    2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12:
                    1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47:
                    37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41:
                    29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40:
                    1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7:
                    12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f:
                    05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50:
                    13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30:
                    d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b:
                    98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b:
                    a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86:
                    3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d:
                    19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db:
                    e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88:
                    ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5:
                    33:43:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Authority Information Access: 
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier: 
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
    Signature Algorithm: sha256WithRSAEncryption
         0a:73:00:6c:96:6e:ff:0e:52:d0:ae:dd:8c:e7:5a:06:ad:2f:
         a8:e3:8f:bf:c9:0a:03:15:50:c2:e5:6c:42:bb:6f:9b:f4:b4:
         4f:c2:44:88:08:75:cc:eb:07:9b:14:62:6e:78:de:ec:27:ba:
         39:5c:f5:a2:a1:6e:56:94:70:10:53:b1:bb:e4:af:d0:a2:c3:
         2b:01:d4:96:f4:c5:20:35:33:f9:d8:61:36:e0:71:8d:b4:b8:
         b5:aa:82:45:95:c0:f2:a9:23:28:e7:d6:a1:cb:67:08:da:a0:
         43:2c:aa:1b:93:1f:c9:de:f5:ab:69:5d:13:f5:5b:86:58:22:
         ca:4d:55:e4:70:67:6d:c2:57:c5:46:39:41:cf:8a:58:83:58:
         6d:99:fe:57:e8:36:0e:f0:0e:23:aa:fd:88:97:d0:e3:5c:0e:
         94:49:b5:b5:17:35:d2:2e:bf:4e:85:ef:18:e0:85:92:eb:06:
         3b:6c:29:23:09:60:dc:45:02:4c:12:18:3b:e9:fb:0e:de:dc:
         44:f8:58:98:ae:ea:bd:45:45:a1:88:5d:66:ca:fe:10:e9:6f:
         82:c8:11:42:0d:fb:e9:ec:e3:86:00:de:9d:10:e3:38:fa:a4:
         7d:b1:d8:e8:49:82:84:06:9b:2b:e8:6b:4f:01:0c:38:77:2e:
         f9:dd:e7:39
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

Am happy to close this issue unless it needs to be left open until an official solution is put in place.

[fichtner]

Eventually trust store updates will fix this so there is nothing else to to from our point but wait for their updates and release it along with the next 21.7.x.

Cheers,
Franco

[kulikov-a]

@fichtner hi, sorry for repeating, but I would not rely on the trusts update (opnsense/plugins#2554 (comment)). there is a feeling that it still have to do something with the system_trust_configure() so as not to force the openssl to choose a long chain

[fichtner]

We could exclude expired certs from system: trust: authorities in system_trust_configure() ? Personally I don't see the point of OpenSSL wanting to trust an expired chain but ok :)

[kulikov-a]

As far as I understand, the problem is not in the presence of an expired root certificate in the store, but in the presence of a valid intermediate certificate signed by this root CA in the store (acme plugin puts the ISRG cross-signed intermediate cert in the config, and the system_trust_configure() puts it in the store). the absence of the root certificate will only change the error (instead of complaining about the certificate's dates, there will be a complaint about its absence), but will not change the choice of the chain (because ISRG cross-signed intermediate cert is valid).

[fichtner]

Oh right I misread:

Not After : Sep 30 18:14:03 2024 GMT

Honestly it's difficult ship anything that is self-correcting in this case. Non-self-signed DST Root CA X3 is defunct and needs to be removed manually and ignored from acme-client during registering certificates in config.xml.

How this was signed knowing that the root expires 3 years beforehand is... err... reckless.

[kulikov-a]

ignored from acme-client during registering certificates in config.xml

acme plugin not registering DST Root cert in config. but it registers ISRG Root X1 intermediate (this is great: the intermediate cert has "Root" in the subject and confuses everyone) (signed by DST Root) since it requests the long-chain cert by default.
if we force acme plugin to request short-chain certs only then we lose compatibility of opnsense services (HAProxy\nginx etc.) with old androids (they will not be able to build their long chains from the config.xml data)

[AdSchellevis]

@kulikov-a can you try d8ddef4 ?

[kulikov-a]

@AdSchellevis Hi! thanks for joining!
Perhaps this is how I explain or translate ... the matter is not in the validity period of the certificate:
acme plugin gets a long chain certificate (ensuring compatibility with older androids) by default. the chain consists entirely of valid certificates with no expired date (leaf cert -> R3 CA -> ISRG Root X1). in this deafult chain ISRG Root X1 is the valid intermediate CAs cert (signed by old non-valid DST Root CA X3).
short chain does not contain ISRG Root X1 intermediate cert and thus, when checking, it closes not at the old DST root, but at the ISRG Root X1 root (true self-signed root, that is already contained in the /usr/local/share/certs/ca-root-nss.crt)
https://community.letsencrypt.org/t/providing-a-longer-certificate-chain-by-default/148738

so imho the key is that system_trust_configure puts the intermediate CA's cert (ISRG "Root" X1) from long chain in trusts thus forcing the openssl to select a long chain (ending in an expired DST root)

it seems to me that the solution would be to add (along with your changes) a certificate issuer check. and only import self-signed certificates (root). (since I don't know why it was previously decided to import all certificates, I limited to the option of selectively refusing to import in my proposal at opnsense/plugins#2554 (comment))

I apologize if it is difficult to understand me sometimes )

[AdSchellevis]

hi @kulikov-a,

acme plugin gets a long chain certificate (ensuring compatibility with older androids) by default. the chain consists entirely of valid certificates with no expired date (leaf cert -> R3 CA -> ISRG Root X1). in this deafult chain ISRG Root X1 is the valid intermediate CAs cert (signed by old non-valid DST Root CA X3).

That is annoying indeed, but not something we can fix from our end. Ideally openssl only considers the valid path, in which case it will omit the expired /O=Digital Signature Trust Co./CN=DST Root CA X3 in ca-root-nss.crt as there is a shorter valid path available... unless someone imports an expired R3 (https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.txt) into the list, which is what I assume happened (as part of one of the other certs).

short chain does not contain ISRG Root X1 intermediate cert and thus, when checking, it closes not at the old DST root, but at the ISRG Root X1 root (true self-signed root, that is already contained in the /usr/local/share/certs/ca-root-nss.crt)
https://community.letsencrypt.org/t/providing-a-longer-certificate-chain-by-default/148738

It shouldn't as far as I know as /C=US/O=Internet Security Research Group/CN=ISRG Root X1 is included in ca-root-nss.crt and considered a valid trust path.

so imho the key is that system_trust_configure puts the intermediate CA's cert (ISRG "Root" X1) from long chain in trusts thus forcing the openssl to select a long chain (ending in an expired DST root)

yes, it does, hence the expired /O=Digital Signature Trust Co./CN=DST Root CA X3 would be better omitted from ca-root-nss.crt, although it doesn't appear to be the root of the issue either. If you only imported the connecting parts heading to the expired cert (R3 and Root X1 also in opnsense/plugins#2554 (comment)) there shouldn't be an issue. both fetch from base and curl from ports seem to be doing the right thing (at least on my end) when both paths are available.

it seems to me that the solution would be to add (along with your changes) a certificate issuer check. and only import self-signed certificates (root). (since I don't know why it was previously decided to import all certificates, I limited to the option of selectively refusing to import in my proposal at opnsense/plugins#2554 (comment))

I simply can't agree at the moment, I wasn't able to replicate the issue either when only the proper non expired certificates are included. can you please first check my commit and reload the certificates using the standard ca-root-nss.crt file supplied in core? Currently I can only assume that a single ca in Trust/Authorities in fact contains a bundle including the expired R3, in which case it rightfully concludes there is no valid path to verify the cert.

I apologize if it is difficult to understand me sometimes )

No problem, I know you're only trying to help here.

[kulikov-a]

can you please first check my commit and reload the certificates using the standard ca-root-nss.crt file supplied in core?

of course )
VM without acme, patch applied, only two CAs added:

root@OPNsense:~ # openssl s_client -showcerts -connect letsencrypt.org:443

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = lencr.org
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIEpzCCA4+gAwIBAgISBMff2AS5U7mN971AhkDus6r5MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA4MDYwMTAzNTNaFw0yMTExMDQwMTAzNTFaMBQxEjAQBgNVBAMT
CWxlbmNyLm9yZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGAIroBByIgrWT2F
adrQy+3btzYAKt7V2ep47RnGFwG6wd/omfBM0gaCo6YXzghEGwXgXOx5vlMLPAFz
VtcSfP2jggKeMIICmjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIzrTi7BxcB8Y/rp
ReVhXCVCRm02MB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsG
AQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIG
CCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMG8GA1UdEQRoMGaCCWxl
bmNyLm9yZ4IPbGV0c2VuY3J5cHQuY29tgg9sZXRzZW5jcnlwdC5vcmeCDXd3dy5s
ZW5jci5vcmeCE3d3dy5sZXRzZW5jcnlwdC5jb22CE3d3dy5sZXRzZW5jcnlwdC5v
cmcwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQC
BIH0BIHxAO8AdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAXsZ
M9loAAAEAwBHMEUCIQCEJTV3b44aXbZJSxgqkK8IGuMuKIQCWvqufLh/QjhvFQIg
RzU/QIe9OXtDVaMKH0LLWEv9xcmjlJ1Ha7fcNhpjLVoAdQB9PvL4j/+IVWgkwsDK
nlKJeSvFDngJfy5ql2iZfiLw1wAAAXsZM9mHAAAEAwBGMEQCICB6EbB3cKSVPLx0
m/sJqrRZXz7ooNnWy937KiFszQzEAiB4wnuAGsayeY9YZd5DLcfEDThS+N71KZwk
OQ0GnrUCqjANBgkqhkiG9w0BAQsFAAOCAQEAQ4BullNkh9RE+FsvRyYrCrC3YqKB
JCluHEzW0k4oqhWH+TSsJ4o/rGZNQMj2HturmALDKCPpKQ34+e6opi6JiWUwNKu8
6+Lo627nexD50THrqnrBhPD6o4iDD8GODpoNxmZm9JuieQiaJkSMIhb7+mbCzFla
h+EjmE3+2HuBEi/lDqFlzcVtqt64pjemCFnaqoHKcG7x6P3rwttvavDHlcfHM7KI
f5wpJbUNmmAz/ByjV34eNFxaeNhyReSb2tItRGm4J9VS09iUPJuAjjfkKmLCwy8j
WSa9qCoN6IpMkfTmbuWu59tcXjMUWCTKM2D9aXGlPQha4CyJLoLKsoGdSQ==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = lencr.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4331 bytes and written 399 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---

Ideally openssl only considers the valid path, in which case it will omit the expired /O=Digital Signature Trust Co./CN=DST Root CA X3 in ca-root-nss.crt as there is a shorter valid path available...

and so it happens. if there are no intermediate certificates from the chain in the trusted store. in this case (since trusted_first is now always enabled) the chain in which this trusted intermediate certificate is included to store is forced. in our case, this is a valid ISRG Root X1 intermediate certificate (that forcec openssl to use long chain).

It shouldn't as far as I know as /C=US/O=Internet Security Research Group/CN=ISRG Root X1 is included in ca-root-nss.crt and considered a valid trust path

there is two /C=US/O=Internet Security Research Group/CN=ISRG Root X1 certs: one is included in ca-root-nss.crt and is self-signed (root). and the other is "cross-signed" by expired /O=Digital Signature Trust Co./CN=DST Root CA X3 (https://letsencrypt.org/certificates/#root-certificates).
and system_trust_configure() adds this "cross-signed" cert to ca-root-nss.crt (this is where the problem begin).

I'm glad that we seem to understand each other, we just don't agree )

[AdSchellevis]

@kulikov-a it could be the case that we don't agree, my question is can you break fetch and/or curl when using my patch? My assumption so far is that having the path to the expired certificate doesn't cause issues, it doesn't on my end. If it does, I really want to know exactly what's being imported into the Authorities section in OPNsense so I can replicate the same behaviour on my end (without configuring acme-client).

EDIT never mind, I managed to replicate your behaviour on my end, importing X1 with serial 85078200265644417569109389142156118711. Other than removing the expired cert from nss I don't see a simple and valid option to be honest.

-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

[kulikov-a]

@AdSchellevis yes, fetch "stops working" with this ISRG Root cert in store. curl still works but i think that this is because of
https://github.com/curl/curl/blob/2ac10a9ea08c2bf46da02d867b76d42b1fb94cf1/lib/vtls/openssl.c#L3151-L3164

so curl just treats this intermediate CA cert in store as anchor cert

Other than removing the expired cert from nss I don't see a simple and valid option to be honest

Oh (
it means I still can't formulate my thought correctly..
can you try to manually remove this expired DST Root CA X3 certificate from the /usr/local/share/certs/ca-root-nss.crt and check it? my opinion: this shouldn't and will not help (and I checked))
and can you please explain why you think that the suggestion not to put intermediate certificates in the store (or better yet, just not to do it by default) will not work?

[AdSchellevis]

@kulikov-a the code reference looks reasonable to explain the difference between fetch and curl indeed

Oh (
it means I still can't formulate my thought correctly..

I wouldn't go that far, it's just complicated and it looks like not all of the reported cases relate to the same issue, it's easy to get confused.

can you try to manually remove this expired DST Root CA X3 certificate from the /usr/local/share/certs/ca-root-nss.crt and check it? my opinion: this shouldn't and will not help (and I checked))

Right, my assumption on this topic was wrong, but I'm finally able to reproduce the exact same issue as we're talking about here, so that's progress.

and can you please explain why you think that the suggestion not to put intermediate certificates in the store (or better yet, just not to do it by default) will not work?

I can't for the same reason :) Since their can be side affects (like the webserver not feeding the chain and installs trusting the local intermediates), it would probably be safest to be able to disable the new "default" behaviour.

Let me think about this a bit tomorrow and see what we can come up with

[kulikov-a]

Let me think about this a bit tomorrow and see what we can come up with

Sure! Thanks a lot!

[AdSchellevis]

@kulikov-a this 5b9d7ba should be it then. Exclude intermediates by default, optionally enable via System->Settings->General

[kulikov-a]

@AdSchellevis
like a charm!
Thank you!)
may i suggest adding a system_trust_configure() call to the system_general page? and add a dot after "to be used in the local trust store"?
thanks again!

[AdSchellevis]

@kulikov-a yes you may :) here you go 56e66ec, the general page reload actions isn't too great flushing every item unconditionally, but this will do.

[kulikov-a]

Thanks again!)

[mayerthomas]

Thanks for the solution!
Maybe a stupid question (sorry for that): will those patches be integrated into the next opnsense update?

[AdSchellevis]

@mayerthomas not a stupid question, I do expect we will ship these as part of 21.7.4 as well. (their already queued https://github.com/opnsense/core/commits/stable/21.7/src)