cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.
Description of problem:
Cockpit (which uses GnuTLS) rejects a certificate chain with distributed trust.
The provided certificate file contains the certificate C for the TLS endpoint, followed by 3 chains of trust (Interm 2A, Interm 1A, Root A). The three roots cross-signed each other.
Chain looks like so in PEM format:
C
Interm 2A
Interm 1A
Interm 2B
Interm 1B
Interm 2C
Interm 1C
KeyRootA_SignedB
KeyRootA_SignedC
KeyRootB_SignedA
KeyRootB_SignedC
KeyRootC_SignedA
KeyRootC_SignedB
Root A
Root B
Root C
This is not a public chain.
Version of gnutls used:
gnutls-3.8.2-2.fc39.x86_64
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Fedora 39
How reproducible:
Steps to Reproduce:
If I run (checks the certificates that will be used by cockpit):
$ sudo /usr/libexec/cockpit-certificate-ensure --check
with the above chain, I get the following error from GnuTLS:
cockpit-certificate-ensure: ../../../lib/x509/common.c:1756: _gnutls_sort_clist: Assertion `k == clist_size' failed.
If I delete the cross-signed certifications of the roots from the chain, i.e.:
KeyRootA_SignedB
KeyRootA_SignedC
KeyRootB_SignedA
KeyRootB_SignedC
KeyRootC_SignedA
KeyRootC_SignedB
then there is no error. Sorting this list of certificates should not cause an assertion.
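
A pre-flight check for a bundle shaped like the one in this report, as an added example that is not part of the original report and is not GnuTLS or Cockpit code: it models each certificate as a (label, subject, issuer) triple and reports the cross-signed root entries and the issuer cycles they form. The subject and issuer names are assumptions inferred from the labels above; a real check would read them from the PEM file.

```python
from collections import defaultdict

def build_bundle():
    """Constructed model of the reported bundle as (label, subject, issuer).
    Subject/issuer names are assumptions inferred from the report's labels."""
    roots = "ABC"
    bundle = [("C", "C", "Interm 2A")]
    for r in roots:
        bundle += [(f"Interm 2{r}", f"Interm 2{r}", f"Interm 1{r}"),
                   (f"Interm 1{r}", f"Interm 1{r}", f"Root {r}")]
    bundle += [(f"KeyRoot{s}_Signed{i}", f"Root {s}", f"Root {i}")
               for s in roots for i in roots if s != i]
    bundle += [(f"Root {r}", f"Root {r}", f"Root {r}") for r in roots]
    return bundle

def cross_signed(bundle):
    """Labels of entries that re-issue a subject which is also present self-signed."""
    self_signed = {subj for _, subj, iss in bundle if subj == iss}
    return [label for label, subj, iss in bundle
            if subj != iss and subj in self_signed]

def subjects_in_cycles(bundle):
    """Subjects that can reach themselves by following issuer links."""
    edges = defaultdict(set)
    for _, subj, iss in bundle:
        if subj != iss:               # a self-signature is not a cross-signature
            edges[subj].add(iss)

    def reaches_itself(start):
        seen, stack = set(), list(edges[start])
        while stack:
            node = stack.pop()
            if node == start:
                return True
            if node not in seen:
                seen.add(node)
                stack.extend(edges.get(node, ()))
        return False

    return sorted(s for s in list(edges) if reaches_itself(s))

if __name__ == "__main__":
    bundle = build_bundle()
    flagged = cross_signed(bundle)
    print("cross-signed entries:", flagged)
    print("subjects on issuer cycles:", subjects_in_cycles(bundle))
    trimmed = [e for e in bundle if e[0] not in flagged]
    print("cycles after removing them:", subjects_in_cycles(trimmed))
```

Running it on the modelled bundle flags the same six entries the report removes to avoid the error, and shows that the issuer graph has no cycles once they are gone.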