Older Let's Encrypt certificates are not recognized
Description of problem:
It seems like certificates signed by the old Let's Encrypt CA certificate "Let's Encrypt Authority X3" are not being recognized as valid by gnutls. The same certificate is recorded as valid when I use OpenSSL.
Version of gnutls used:
3.7.0
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Arch Linux Official repository package
How reproducible:
Always
Steps to Reproduce:
gnutls-cli translationproject.org
Actual results:
Processed 139 CA certificate(s).
Resolving 'translationproject.org:443'...
Connecting to '2a01:7c8:c037:6::20:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="
Public Key ID:
sha1:3a6a632ee02dacea20b66789fbfc9bf58dc46b27
sha256:83e72f0e6b0af82892e537cc89ab059bb46ab0c972f09fb26a61be55b29e8483
Public Key PIN:
pin-sha256:g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM=
- Certificate[1] info:
- subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-01 10:34:36 UTC', expires `2021-01-30 10:34:36 UTC', pin-sha256="g+cvDmsK+CiS5TfMiasFm7RqsMly8J+yamG+VbKehIM="
- Certificate[2] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
Expected results:
The certificate is recognized as valid. On Firefox I don't see any problems as it recognizes it just fine. As does openssl s_client.
Other websites using Let's Encrypt, but with the newer signing certificate, have no problems.
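
In the chain listing above, Certificate[0] and Certificate[1] carry the same subject, issuer and serial. The following triage helper is an added example, not part of the original report or of gnutls: it parses the certificate list printed by gnutls-cli and flags repeated entries and links where a certificate's issuer is not the subject of the next one. The function names and the abbreviated sample input are assumptions made for illustration, and the report does not establish whether the repeated entry is related to the verification failure.

```python
import re

# Constructed sample: the three chain entries from the report's gnutls-cli
# output, abbreviated (dates and pins omitted).
SAMPLE = """\
- Certificate[0] info:
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits
- Certificate[1] info:
 - subject `CN=stats.vrijschrift.org', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x04f78efb758d89606ce87baa6471c832d949, RSA key 4096 bits
- Certificate[2] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits
"""

# DNs may contain apostrophes ("Let's"), so anchor on the full delimiters.
CERT_RE = re.compile(
    r"subject `(?P<subject>.*?)', issuer `(?P<issuer>.*?)', serial (?P<serial>0x[0-9a-f]+)"
)

def parse_chain(text):
    """Return [(subject, issuer, serial), ...] in the order the server sent them."""
    return [(m["subject"], m["issuer"], m["serial"]) for m in CERT_RE.finditer(text)]

def chain_findings(chain):
    """List duplicate entries and issuer/subject links that do not line up."""
    findings, seen = [], {}
    for i, (_subject, issuer, serial) in enumerate(chain):
        key = (issuer, serial)  # issuer DN + serial identifies one certificate
        if key in seen:
            findings.append(f"Certificate[{i}] duplicates Certificate[{seen[key]}]")
        else:
            seen[key] = i
    # In an ordered chain, each certificate is issued by the one that follows it.
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            findings.append(f"Certificate[{i}] issuer is not the subject of Certificate[{i + 1}]")
    return findings

if __name__ == "__main__":
    for finding in chain_findings(parse_chain(SAMPLE)):
        print(finding)
```

To check a live server, pass the saved output of the gnutls-cli command from the report to `parse_chain` instead of `SAMPLE`.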