Finally solved by installing Let's Encrypt R3 cert manually:

sudo wget --no-check-certificate https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /usr/local/share/ca-certificates/lets-encrypt-r3.crt
sudo update-ca-certificates

On 02.11.21 20:42, [email protected] wrote:
> I think the problem is that the ISRG_Root_X1 is still signed by
> DST_Root_CA_X3 and this is outdated:
>
> ~$ openssl x509 -text -noout -in /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
>         Validity
>             Not Before: Sep 30 21:12:19 2000 GMT
>             Not After : Sep 30 14:01:15 2021 GMT
>
> On 02.11.21 20:20, [email protected] wrote:
>> Same issue here with Focal.
>>
>> I run update-ca-certificates:
>>
>> 0 added, 0 removed; done.
>>
>> Both certs DST Root X3 and ISRG Root X1 are installed:
>>
>> /etc/ssl/certs/DST_Root_CA_X3.pem ->
>> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
>>
>> /etc/ssl/certs/ISRG_Root_X1.pem ->
>> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
>>
>>
>> On 28.10.21 19:05, Lars Noodén wrote:
>>> On 10/28/21 19:56, Adrian Georgescu wrote:
>>>> Try this command in a Terminal:
>>>>
>>>> openssl s_client -connect proxy.sipthor.net:5061
>>> It returned the following:
>>>
>>> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>> verify return:1
>>> depth=1 C = US, O = Let's Encrypt, CN = R3
>>> verify return:1
>>> depth=0 CN = sip2sip.info
>>> verify return:1
>>> CONNECTED(00000003)
>>> ---
>>> Certificate chain
>>>  0 s:CN = sip2sip.info
>>>    i:C = US, O = Let's Encrypt, CN = R3
>>>  1 s:C = US, O = Let's Encrypt, CN = R3
>>>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>>  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>>>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>>> ---
>>> Server certificate
>>> subject=CN = sip2sip.info
>>>
>>> issuer=C = US, O = Let's Encrypt, CN = R3
>>>
>>> ---
>>> No client certificate CA names sent
>>> Requested Signature Algorithms:
>>> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
>>>
>>> Shared Requested Signature Algorithms:
>>> ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
>>>
>>> Peer signing digest: SHA256
>>> Peer signature type: RSA-PSS
>>> Server Temp Key: X25519, 253 bits
>>> ---
>>> SSL handshake has read 4673 bytes and written 419 bytes
>>> Verification: OK
>>> ---
>>> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> Early data was not sent
>>> Verify return code: 0 (ok)
>>> ---
>>> ---
>>> Post-Handshake New Session Ticket arrived:
>>> SSL-Session:
>>>     Protocol  : TLSv1.3
>>>     Cipher    : TLS_AES_256_GCM_SHA384
>>>     Session-ID: 48507559565B481EDF60F8822F39CD3AC13071778D475BDEA427BE9089A60AB3
>>>     Session-ID-ctx:
>>>     Resumption PSK: 25DA4631F5DB9835B57642FE18C8264AAEE46761638972226F50395AC6FCD1E53050648DA2822DE0A670A098E7D44026
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     TLS session ticket lifetime hint: 7200 (seconds)
>>>     TLS session ticket:
>>>
>>>     Start Time: 1635440532
>>>     Timeout   : 7200 (sec)
>>>     Verify return code: 0 (ok)
>>>     Extended master secret: no
>>>     Max Early Data: 0
>>> ---
>>> read R BLOCK
>>> ---
>>> Post-Handshake New Session Ticket arrived:
>>> SSL-Session:
>>>     Protocol  : TLSv1.3
>>>     Cipher    : TLS_AES_256_GCM_SHA384
>>>     Session-ID: F849BFA3AB6D2F53BC6476767E5BF5694069592513A404CF23F0ADC5672EFBF4
>>>     Session-ID-ctx:
>>>     Resumption PSK: B2A3158EBCBC425C2A3E0A6357B123EB571CFA0C09A28823CC307540453517D39F03E5CD856D554FA6A9D3F2314BD1F9
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     TLS session ticket lifetime hint: 7200 (seconds)
>>>     TLS session ticket:
>>>
>>>     Start Time: 1635440532
>>>     Timeout   : 7200 (sec)
>>>     Verify return code: 0 (ok)
>>>     Extended master secret: no
>>>     Max Early Data: 0
>>> ---
>>> read R BLOCK
>>> closed

_______________________________________________
Blink mailing list
[email protected]
https://lists.ag-projects.com/mailman/listinfo/blink
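An added example, not part of the thread: it parses the "Certificate chain" section quoted above and runs it through a simplified model of two path-building strategies, to show how the same chain can verify with `openssl s_client` yet end at the expired DST Root CA X3 elsewhere, and why adding R3 to the store changes the result. The model is not the behaviour of any specific TLS library, and the ISRG Root X1 and R3 expiry dates are assumptions (they do not appear on the page).

```python
import re
from datetime import datetime, timezone

# "Certificate chain" section of the s_client output quoted in the thread.
S_CLIENT_CHAIN = """\
Certificate chain
 0 s:CN = sip2sip.info
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

R3 = "C = US, O = Let's Encrypt, CN = R3"
ISRG = "C = US, O = Internet Security Research Group, CN = ISRG Root X1"
DST = "O = Digital Signature Trust Co., CN = DST Root CA X3"

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

NOW = datetime.fromtimestamp(1635440532, tz=timezone.utc)  # "Start Time" in the thread
# Trust store modelled as {(subject, issuer): notAfter}.
STORE = {
    (DST, DST): utc(2021, 9, 30, 14, 1, 15),  # Not After quoted in the thread
    (ISRG, ISRG): utc(2035, 6, 4),            # assumption: date not on the page
}
R3_ENTRY = {(R3, ISRG): utc(2025, 9, 15)}     # assumption: date not on the page

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip())
            for s, i in re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", text, re.M)]

def pick_anchor(chain, store, now, match):
    """Return (anchor_subject, trusted) under a simplified path-building model."""
    for cert in chain:
        if match == "exact" and cert in store:      # sent cert itself is in the store
            return cert[0], now <= store[cert]
        if match == "name":                         # issuer name matches a store subject
            for (subject, _), not_after in store.items():
                if subject == cert[1]:
                    return subject, now <= not_after
    # Nothing matched on the way up: use the self-signed issuer of the last sent cert.
    for (subject, issuer), not_after in store.items():
        if subject == issuer == chain[-1][1]:
            return subject, now <= not_after
    return None, False
```

In the exact-match model the manual R3 install succeeds because the path now ends at R3, so that store entry has to be replaced by hand when the intermediate is rotated. A file fetched with `--no-check-certificate` should have its fingerprint compared with the one Let's Encrypt publishes before `update-ca-certificates` is run.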
