I think the problem is that the ISRG_Root_X1 is still signed by DST_Root_CA_X3 and this is outdated:
~$ openssl x509 -text -noout -in /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT

On 02.11.21 20:20, [email protected] wrote:
> Same issue here with Focal.
>
> I run update-ca-certificates:
>
> 0 added, 0 removed; done.
>
> Both certs DST Root X3 and ISRG Root X1 are installed:
>
> /etc/ssl/certs/DST_Root_CA_X3.pem ->
> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
>
> /etc/ssl/certs/ISRG_Root_X1.pem ->
> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
>
>
> On 28.10.21 19:05, Lars Noodén wrote:
>> On 10/28/21 19:56, Adrian Georgescu wrote:
>>> Try this command in a Terminal:
>>>
>>> openssl s_client -connect proxy.sipthor.net:5061
>>> <http://proxy.sipthor.net:5061/>
>> It returned the following:
>>
>> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
>> verify return:1
>> depth=1 C = US, O = Let's Encrypt, CN = R3
>> verify return:1
>> depth=0 CN = sip2sip.info
>> verify return:1
>> CONNECTED(00000003)
>> ---
>> Certificate chain
>>  0 s:CN = sip2sip.info
>>    i:C = US, O = Let's Encrypt, CN = R3
>>  1 s:C = US, O = Let's Encrypt, CN = R3
>>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>> ---
>> Server certificate
>> subject=CN = sip2sip.info
>>
>> issuer=C = US, O = Let's Encrypt, CN = R3
>>
>> ---
>> No client certificate CA names sent
>> Requested Signature Algorithms:
>> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
>>
>> Shared Requested Signature Algorithms:
>> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
>>
>> Peer signing digest: SHA256
>> Peer signature type: RSA-PSS
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 4673 bytes and written 419 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>> Server public key is 2048 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>     Protocol  : TLSv1.3
>>     Cipher    : TLS_AES_256_GCM_SHA384
>>     Session-ID:
>> 48507559565B481EDF60F8822F39CD3AC13071778D475BDEA427BE9089A60AB3
>>     Session-ID-ctx:
>>     Resumption PSK:
>> 25DA4631F5DB9835B57642FE18C8264AAEE46761638972226F50395AC6FCD1E53050648DA2822DE0A670A098E7D44026
>>
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 7200 (seconds)
>>     TLS session ticket:
>>
>>     Start Time: 1635440532
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>>     Extended master secret: no
>>     Max Early Data: 0
>> ---
>> read R BLOCK
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>     Protocol  : TLSv1.3
>>     Cipher    : TLS_AES_256_GCM_SHA384
>>     Session-ID:
>> F849BFA3AB6D2F53BC6476767E5BF5694069592513A404CF23F0ADC5672EFBF4
>>     Session-ID-ctx:
>>     Resumption PSK:
>> B2A3158EBCBC425C2A3E0A6357B123EB571CFA0C09A28823CC307540453517D39F03E5CD856D554FA6A9D3F2314BD1F9
>>
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     TLS session ticket lifetime hint: 7200 (seconds)
>>     TLS session ticket:
>>
>>     Start Time: 1635440532
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>>     Extended master secret: no
>>     Max Early Data: 0
>> ---
>> read R BLOCK
>> closed
>> _______________________________________________
>> Blink mailing list
>> [email protected]
>> https://lists.ag-projects.com/mailman/listinfo/blink
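The chain in the quoted s_client output ends with an ISRG Root X1 certificate issued by DST Root CA X3, while the local store holds both roots. As an added example (not part of the original thread), this Python sketch parses that chain section and lists the trust anchors a path could end on at the session's Start Time. The trust-store table and all function names are hypothetical, and the locally installed ISRG Root X1 is assumed to be unexpired.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "Certificate chain" section quoted in this thread.
CHAIN_TEXT = """\
Certificate chain
 0 s:CN = sip2sip.info
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Hypothetical trust-store table, CN -> notAfter. The DST date is the one printed
# by "openssl x509" above; None = expiry not checked here (assumed still valid).
TRUST_STORE = {"DST Root CA X3": "Sep 30 14:01:15 2021 GMT", "ISRG Root X1": None}
# "Start Time" of the quoted session, used as the verification time.
HANDSHAKE_TIME = datetime.fromtimestamp(1635440532, tz=timezone.utc)

def common_name(dn):
    """Extract the CN from an OpenSSL one-line distinguished name."""
    match = re.search(r"CN = (.+)$", dn.strip())
    return match.group(1) if match else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+ s:(.+)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", text, re.M)
    return [(common_name(s), common_name(i)) for s, i in zip(subjects, issuers)]

def is_expired(not_after, at):
    if not_after is None:
        return False
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT")
    return expiry.replace(tzinfo=timezone.utc) < at

def candidate_anchors(chain, store, at):
    """List (anchor_cn, how_reached, usable) for every place a path could end."""
    found = []
    for depth, (subject, _issuer) in enumerate(chain):
        if subject in store:  # verifier checks the trust store first and stops here
            found.append((subject, f"local copy replaces served cert {depth}",
                          not is_expired(store[subject], at)))
    top_issuer = chain[-1][1]
    if top_issuer in store:   # verifier follows every certificate the server sent
        found.append((top_issuer, "issuer of last served cert",
                      not is_expired(store[top_issuer], at)))
    return found
```

Calling candidate_anchors(parse_chain(CHAIN_TEXT), TRUST_STORE, HANDSHAKE_TIME) yields two candidates: ending at the local ISRG Root X1 is usable, while following the served chain up to DST Root CA X3 lands on an expired anchor, so the outcome depends on which path the client's TLS library builds.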
