Unable to validate repo.zabbix.com certificate

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • dynax60
    Junior Member
    • Aug 2010
    • 15

    #1

    Hi,

    Check out your SSL certificate on repo.zabbix.com: there's an expired DST Root CA X3 cert in the chain.

    Some automation tools will fail to validate your certificate (for example, the ansible.builtin.yum module, with the validate_certs=yes option on by default, fails with: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)>).

    Code:
    # openssl s_client -connect repo.zabbix.com:443 -servername repo.zabbix.com
    CONNECTED(00000003)
    depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify error:num=10:certificate has expired
    notAfter=Sep 30 14:01:15 2021 GMT
    ---
    Certificate chain
    0 s:/CN=repo.zabbix.com
    i:/C=US/O=Let's Encrypt/CN=R3
    1 s:/C=US/O=Let's Encrypt/CN=R3
    i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
    2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFJDCCBAygAwIBAgISBO/PeJOq3IGWj1+UXNhJQ79AMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMjA2MjAxMTU2NDhaFw0yMjA5MTgxMTU2NDdaMBoxGDAWBgNVBAMT
    D3JlcG8uemFiYml4LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AMT0mesxbKH9I7cY7Pgl3fs0ZRqWlFecNdrIQzbz3DeoUX3JxJxhzVUE/JhuIEzq
    q7YzzadJ4nVLOOIIrVfOxbE+zr9oX9JqEHcEsJN4qLL2IO7W3aSjrejRPS0mQKV/
    XJKaITqcBSJDODJ5A8PFET+LHF7gSbVAcVt1CW67OUjNAy9dPCsupLsptKu0jALv
    aMoNM1wFV5SNsbU0Hy7Fq6LBzzMqllgbssA0QOcx3VX+XCPxlVOn1qLFN82QC8OJ
    sJ3PKNXfL2ikm5HbiBORReRfkGTLr2yLUPZbTmiVEkv8g3IeXy/K/rVbtB/wLLef
    jsAcXJiHuDspzteNexAjv6kCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd
    BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
    HQ4EFgQUhEhxKyPgqXLGqk4a2HXVq/NfvAIwHwYDVR0jBBgwFoAUFC6zF7dYVsuu
    UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v
    cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y
    Zy8wGgYDVR0RBBMwEYIPcmVwby56YWJiaXguY29tMEwGA1UdIARFMEMwCAYGZ4EM
    AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0
    c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA36Veq2iCTx9s
    re64X04+WurNohKkal6OOxLAIERcKnMAAAGBgS/mXAAABAMARjBEAiASxVj4eX25
    imOKpcdA7DUVanyYCpnvAxnO4MUSY+V4GQIgDzKcnJlsXpbac3OYj4eltFkmq+Yi
    t3Sq+ypS5uFCrkEAdwApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAA
    AYGBL+ZLAAAEAwBIMEYCIQDoeQi8OtWwCj7Wy423Cs5hwynsAfwUkMZN72ikw4AZ
    AgIhAJjwHKUCcod/B8WFPh7YjAWo24BaY4umtlizzTbMoliyMA0GCSqGSIb3DQEB
    CwUAA4IBAQARt1qvs8kbrF6nq3IgjNUHW7RqpSsEckMxm+estzRkYnfQ4m4PFSZp
    NS0Ry6lFB3bjaIAz0AvoHxFOYrueyaogQ7kjQ16MiYabhpvElS7sdsh8CW+D/s8Q
    i3QK/0CFHhJLrbSsDz4pCu2RqXpuzerpnj9YzcwK7B9MeK6TLn05IclDltsPkggt
    NnAFGZA9aT9gayQJlM7AtdwIk/IDzjoav3wMXxoG7RuC3RzOvvUmHdXYsbD48xQ7
    MwTeG76GR8cD0/ZNyG48Yl1Ornd38mGwhFnh31u5tBKoxtco8GH/iTI+CwSvEV/n
    AsKdtkmTQUfXRKqA9u9+8aoL8VODGHot
    -----END CERTIFICATE-----
    subject=/CN=repo.zabbix.com
    issuer=/C=US/O=Let's Encrypt/CN=R3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4519 bytes and written 439 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9F35F81458347A64C3ADFE7D5D1F1EF78D97625EB08E2D823C6C2B921B6610C7
    Session-ID-ctx:
    Master-Key: A4DCCA5C396F73386537E8594940AF9314DE8293788F0012A11ADC06A37F5E4CD81F43E44BD4AF26E127E66927A10345
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1655989321
    Timeout : 300 (sec)
    Verify return code: 10 (certificate has expired)
    ---
    See also: https://letsencrypt.org/docs/dst-roo...eptember-2021/
  • Atsushi
    Senior Member
    • Aug 2013
    • 2028

    #2
    If you are using an older version of OpenSSL, you may not be able to verify your certificate properly.

    Code:
    # openssl s_client -connect repo.zabbix.com:443 -servername repo.zabbix.com
    CONNECTED(00000003)
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = repo.zabbix.com
    verify return:1
    ---
    Certificate chain
    0 s:CN = repo.zabbix.com
    i:C = US, O = Let's Encrypt, CN = R3
    1 s:C = US, O = Let's Encrypt, CN = R3
    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
    2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
    i:O = Digital Signature Trust Co., CN = DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFJDCCBAygAwIBAgISBO/PeJOq3IGWj1+UXNhJQ79AMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMjA2MjAxMTU2NDhaFw0yMjA5MTgxMTU2NDdaMBoxGDAWBgNVBAMT
    D3JlcG8uemFiYml4LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AMT0mesxbKH9I7cY7Pgl3fs0ZRqWlFecNdrIQzbz3DeoUX3JxJxhzVUE/JhuIEzq
    q7YzzadJ4nVLOOIIrVfOxbE+zr9oX9JqEHcEsJN4qLL2IO7W3aSjrejRPS0mQKV/
    XJKaITqcBSJDODJ5A8PFET+LHF7gSbVAcVt1CW67OUjNAy9dPCsupLsptKu0jALv
    aMoNM1wFV5SNsbU0Hy7Fq6LBzzMqllgbssA0QOcx3VX+XCPxlVOn1qLFN82QC8OJ
    sJ3PKNXfL2ikm5HbiBORReRfkGTLr2yLUPZbTmiVEkv8g3IeXy/K/rVbtB/wLLef
    jsAcXJiHuDspzteNexAjv6kCAwEAAaOCAkowggJGMA4GA1UdDwEB/wQEAwIFoDAd
    BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
    HQ4EFgQUhEhxKyPgqXLGqk4a2HXVq/NfvAIwHwYDVR0jBBgwFoAUFC6zF7dYVsuu
    UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v
    cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y
    Zy8wGgYDVR0RBBMwEYIPcmVwby56YWJiaXguY29tMEwGA1UdIARFMEMwCAYGZ4EM
    AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0
    c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA36Veq2iCTx9s
    re64X04+WurNohKkal6OOxLAIERcKnMAAAGBgS/mXAAABAMARjBEAiASxVj4eX25
    imOKpcdA7DUVanyYCpnvAxnO4MUSY+V4GQIgDzKcnJlsXpbac3OYj4eltFkmq+Yi
    t3Sq+ypS5uFCrkEAdwApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAA
    AYGBL+ZLAAAEAwBIMEYCIQDoeQi8OtWwCj7Wy423Cs5hwynsAfwUkMZN72ikw4AZ
    AgIhAJjwHKUCcod/B8WFPh7YjAWo24BaY4umtlizzTbMoliyMA0GCSqGSIb3DQEB
    CwUAA4IBAQARt1qvs8kbrF6nq3IgjNUHW7RqpSsEckMxm+estzRkYnfQ4m4PFSZp
    NS0Ry6lFB3bjaIAz0AvoHxFOYrueyaogQ7kjQ16MiYabhpvElS7sdsh8CW+D/s8Q
    i3QK/0CFHhJLrbSsDz4pCu2RqXpuzerpnj9YzcwK7B9MeK6TLn05IclDltsPkggt
    NnAFGZA9aT9gayQJlM7AtdwIk/IDzjoav3wMXxoG7RuC3RzOvvUmHdXYsbD48xQ7
    MwTeG76GR8cD0/ZNyG48Yl1Ornd38mGwhFnh31u5tBKoxtco8GH/iTI+CwSvEV/n
    AsKdtkmTQUfXRKqA9u9+8aoL8VODGHot
    -----END CERTIFICATE-----
    subject=CN = repo.zabbix.com
    issuer=C = US, O = Let's Encrypt, CN = R3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4490 bytes and written 406 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: DB2B138B5A0C6FFCA10860E24A9094E0E557D81CD84BD23FEBC9BB85358BA83D
    Session-ID-ctx:
    Master-Key: ABA4838500839C2954F2DB48BB1D4AD5A517273E5216A65B927AA4F5E5418C754B43454E78CC200E4E030CBE5E059DB3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1656041119
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
    ---
    closed
    #
    What OS or OpenSSL version are you using? Depending on the OS you are using, updating the ca-certificates package will allow you to successfully check the certificate.
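The two transcripts above differ in one telling detail: in post #1 the expiry error is reported at depth=3, one step beyond the three certificates the server actually sent (depths 0 to 2), so the expired DST Root CA X3 came from the client's own trust store, not from repo.zabbix.com. The script below is an added example (not code from either poster or from Zabbix) that parses `openssl s_client` output and uses exactly that observation to say whether the fix belongs on the server (expired leaf or intermediate) or on the client (stale CA bundle or old OpenSSL). The two sample transcripts are constructed, cut-down copies of the posts' output; the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample inputs: the two transcripts above, cut down to the lines the
# parser reads (PEM blocks and session details omitted). Post #1 failed, post #2 passed.
FAILING_OUTPUT = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
 0 s:/CN=repo.zabbix.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Verify return code: 10 (certificate has expired)
"""
OK_OUTPUT = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = repo.zabbix.com
verify return:1
---
Certificate chain
 0 s:CN = repo.zabbix.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Verify return code: 0 (ok)
"""

# Only line prefixes are matched, so both the old slash-separated and the newer
# comma-separated DN formats of s_client are accepted.
DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
NOT_AFTER_RE = re.compile(r"^notAfter=(.*)$")
CHAIN_SUBJ_RE = re.compile(r"^(\d+)\s+s:(.*)$")
CHAIN_ISS_RE = re.compile(r"^i:(.*)$")
RETURN_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)$")


@dataclass
class VerifyReport:
    return_code: int
    return_text: str
    served_chain: List[Tuple[str, str]]  # (subject, issuer) of each cert the server sent
    failing_depth: Optional[int] = None  # depth at which verification first failed
    failing_subject: Optional[str] = None
    failing_error: Optional[str] = None
    not_after: Optional[str] = None

    def diagnosis(self) -> str:
        """Say whether the fix belongs on the server or on the verifying client."""
        if self.return_code == 0:
            return "ok: chain verified against the local trust store"
        if self.failing_depth is None:
            return f"failed ({self.return_text}) without a per-depth error line"
        where = f"depth {self.failing_depth} ({self.failing_subject})"
        if self.failing_error != "certificate has expired":
            return f"failed at {where}: {self.failing_error}"
        if self.failing_depth == 0:
            return f"leaf certificate expired at {where}: the server must renew it"
        if self.failing_depth < len(self.served_chain):
            return f"server sent an expired intermediate at {where}: fix the server's chain"
        # Deeper than anything the server sent: the expired cert was supplied by the
        # client's own trust store (the DST Root CA X3 case), so the client needs updating.
        return (f"expired certificate at {where} came from the local trust store: "
                "update the client's CA bundle or OpenSSL")


def parse_s_client(output: str) -> VerifyReport:
    """Extract the verification result and the served chain from s_client output."""
    chain: List[Tuple[str, str]] = []
    depth, subject, pending_subject = None, None, None
    report = VerifyReport(-1, "no 'Verify return code' line found", chain)
    for line in (raw.strip() for raw in output.splitlines()):
        if m := DEPTH_RE.match(line):
            depth, subject = int(m.group(1)), m.group(2)
        elif (m := VERIFY_ERR_RE.match(line)) and report.failing_depth is None:
            report.failing_depth, report.failing_subject = depth, subject
            report.failing_error = m.group(2)
        elif (m := NOT_AFTER_RE.match(line)) and report.not_after is None:
            report.not_after = m.group(1)
        elif m := CHAIN_SUBJ_RE.match(line):
            pending_subject = m.group(2).strip()
        elif (m := CHAIN_ISS_RE.match(line)) and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
        elif m := RETURN_RE.match(line):
            report.return_code, report.return_text = int(m.group(1)), m.group(2)
    return report


def diagnose(output: str) -> str:
    return parse_s_client(output).diagnosis()


if __name__ == "__main__":
    for name, sample in (("post #1", FAILING_OUTPUT), ("post #2", OK_OUTPUT)):
        print(f"{name}: {diagnose(sample)}")
```

To use it on a live host, pipe the transcript in: `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1 | python3 check.py` with a small `sys.stdin.read()` wrapper around `diagnose`. The depth-versus-chain-length comparison is the whole point: an error reported at a depth the server never served is a client-side trust-store problem, which is the situation in this thread.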

    • dynax60
      dynax60 commented
      OpenSSL 1.1.1f 31 Mar 2020. Haven't tried updating yet. Thanks for the tip.