coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

Certification Expired when accessing coreos.com #1603

Closed xanpaco closed 1 year ago

xanpaco commented 1 year ago

Describe the bug

I'm using a Virtual Appliance for one major IDM Solution Provider. The VA uses a script to connect to coreos.com. When validating the error, the following message appears: Verify return code: 10 (certificate has expired)

Reproduction steps

1. Connect to coreos.com using the openssl client.

Expected behavior

A successful connection (with a non-expired certificate)

Actual behavior

openssl s_client -connect coreos.com:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
 0 s:/CN=redirects.redhat.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=redirects.redhat.com
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4650 bytes and written 416 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 15E03D63FFDF14006BE7C4835BEC988888D7056BEC887E86B890030D15267C84
    Session-ID-ctx:
    Master-Key: FFCA32A455AFFBA26444B54FC207501CD2CC77D670D5474860104AC3B59C5FCF133BED6ED2875D383BEBFDC64C7BE1F8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1698965750
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---

System details

Hyper-V

cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=2345.3.1
VERSION_ID=2345.3.1
BUILD_ID=2020-03-26-2026
PRETTY_NAME="Flatcar Container Linux by Kinvolk 2345.3.1 (Rhyolite)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar-linux.org/"
BUG_REPORT_URL="https://issues.flatcar-linux.org"
FLATCAR_BOARD="amd64-usr"

Butane or Ignition config

No response

Additional information

No response
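
Added example, not part of the original issue or of any project's code: a Python function that reads an `openssl s_client` transcript like the one above and reports which chain depth failed verification and whether that certificate was one the server sent. The sample input is constructed from lines quoted in the report; the function and field names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: verification and chain lines copied from the report above.
SAMPLE = """\
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
 0 s:/CN=redirects.redhat.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 10 (certificate has expired)
"""

DEPTH = re.compile(r"^depth=(\d+) (.+)$")
ERROR = re.compile(r"^verify error:num=(\d+):(.+)$")
NOT_AFTER = re.compile(r"^notAfter=(.+) GMT$")
SENT = re.compile(r"^ (\d+) s:(.+)$")  # "N s:<subject>" rows of "Certificate chain"

def verify_failures(transcript):
    """Return one dict per 'verify error', tied to the depth line before it."""
    lines = transcript.splitlines()
    sent = {int(m.group(1)) for m in map(SENT.match, lines) if m}
    failures, current = [], None
    for line in lines:
        if m := DEPTH.match(line):
            current = (int(m.group(1)), m.group(2))
        elif (m := ERROR.match(line)) and current:
            failures.append({"depth": current[0], "subject": current[1],
                             "code": int(m.group(1)), "reason": m.group(2),
                             "not_after": None,
                             # False: the cert came from the client's trust store
                             "sent_by_server": current[0] in sent})
        elif (m := NOT_AFTER.match(line)) and failures:
            failures[-1]["not_after"] = datetime.strptime(
                m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return failures
```

On the sample, the single failure is at depth 3 (DST Root CA X3), which is not among the three certificates the server sent, while the leaf at depth 0 is `redirects.redhat.com`.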

dustymabe commented 1 year ago

Sorry, this is the Fedora CoreOS issue tracker. It seems like you are running Flatcar. Please report issues at https://github.com/flatcar/Flatcar/issues