certificate issuer unknown on duplicate certificates in chain
Description of problem:
When a root certificate appears twice in the certificate chain, it is marked as untrusted. I suppose there's no reason why duplicate certificates should be in the chain, but these do appear in the wild, e.g. gitlab.nic.cz (as of 2020-12-07).
Version of gnutls used:
3.7.0 (the same certificate chain works fine with 3.6.15)
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Archlinux
How reproducible: 100%
Steps to Reproduce:
$ gnutls-cli gitlab.nic.cz
Processed 149 CA certificate(s).
Resolving 'gitlab.nic.cz:443'...
Connecting to '217.31.192.133:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=gitlab.labs.nic.cz', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x043d7d8a63166e0368df867d4c584791ae65, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-11-16 08:03:24 UTC', expires `2021-02-14 08:03:24 UTC', pin-sha256="7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs="
Public Key ID:
sha1:1bb89b72e0dfd583e5cc970030310e38f7740ffa
sha256:ecd066036fdd0e3277a3a4872cb6e1a0fea74eef7906120c94e406fc51934ccb
Public Key PIN:
pin-sha256:7NBmA2/dDjJ3o6SHLLbhoP6nTu95BhIMlOQG/FGTTMs=
- Certificate[1] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Certificate[2] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
In case the service cert gets fixed in the meantime, I'm also attaching a copy of the certificate. gitlab.nic.cz.pem
Actual results:
certificate verification fails
Expected results:
certificate verification succeeds
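
An added example, not part of the original report and not GnuTLS code: a server operator can check a PEM chain file for the condition visible in the output above, where Certificate[1] and Certificate[2] are identical, by fingerprinting each block's DER encoding. The function names and the sample chain are assumptions; the sample blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders

def find_duplicates(ders):
    """Map SHA-256 fingerprint -> chain positions, for certs seen more than once."""
    positions = {}
    for index, der in enumerate(ders):
        positions.setdefault(hashlib.sha256(der).hexdigest(), []).append(index)
    return {fp: idx for fp, idx in positions.items() if len(idx) > 1}

def dedupe_chain(ders):
    """Drop repeated certificates, keeping the first occurrence and the order."""
    seen, unique = set(), []
    for der in ders:
        fp = hashlib.sha256(der).digest()
        if fp not in seen:
            seen.add(fp)
            unique.append(der)
    return unique

def _fake_pem(payload):
    # Constructed stand-in: the bytes are NOT a real X.509 certificate.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed chain shaped like the report: leaf, intermediate, intermediate again.
SAMPLE_CHAIN = (_fake_pem(b"constructed-leaf")
                + _fake_pem(b"constructed-intermediate")
                + _fake_pem(b"constructed-intermediate"))

if __name__ == "__main__":
    ders = pem_to_der_list(SAMPLE_CHAIN)
    for fp, idx in find_duplicates(ders).items():
        print(f"duplicate certificate at positions {idx}: sha256={fp}")
    print(f"{len(ders)} certificates sent, {len(dedupe_chain(ders))} unique")
```

The fingerprint here covers the whole certificate encoding, so it differs from the `pin-sha256` values in the output above, which hash only the public key.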