
#1 2021-01-21 01:15:03

nzec
Member
Registered: 2020-09-30
Posts: 16

Certificate expired or common name invalid on selected websites

The error seems to be there most notably on i.redd.it and any stackexchange (including stackoverflow etc.) website.

On i.reddit.com, it says the certificate is invalid and valid only for reddit.com, *.reddit.com:
SSL_ERROR_BAD_CERT_DOMAIN (in Firefox)
NET::ERR_CERT_COMMON_NAME_INVALID (in Brave)

and on stackoverflow.com, it says the certificate expired.
SEC_ERROR_EXPIRED_CERTIFICATE (in Firefox)
NET::ERR_CERT_DATE_INVALID (in Brave)
Looking at the certificate in this case, it says that the certificate expired on 1/3/2021

This is not a problem with my router/ISP because the websites do work on my other devices.
Running openssl s_client -connect stackoverflow.com:443 -showcerts also says that the certificate has expired.
Though running the same thing with i.redd.it doesn't tell me any such thing.

It is not a problem with the websites or the browser itself either.

It is "probably" not a problem with https://archlinux.org/news/nss3511-1-an … ervention/
either, because if it were it would say that the certificate authority is invalid rather than giving such specific errors on a few specific websites.


I am guessing it is a problem with my internet configuration.
Thanks for reading through this.

Last edited by nzec (2021-01-21 01:17:23)


#2 2021-01-21 01:19:46

loqs
Member
Registered: 2014-03-06
Posts: 12,949

Re: Certificate expired or common name invalid on selected websites

Is the system clock set incorrectly?


#3 2021-01-21 01:23:31

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

loqs wrote:

Is the system clock set incorrectly?

It is not; the time is correct to the very second and is the correct timezone as well.

I had followed the instructions here: https://wiki.archlinux.org/index.php/Systemd-timesyncd
to synchronize my clock to the ntp pool servers about a year ago.


#4 2021-01-21 01:35:32

loqs
Member
Registered: 2014-03-06
Posts: 12,949

Re: Certificate expired or common name invalid on selected websites

What is the full output of openssl s_client -connect stackoverflow.com:443 -showcerts showing the certificate has expired?


#5 2021-01-21 01:41:09

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

Here is the output: https://gist.githubusercontent.com/nzec … 3dc/output

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = *.stackexchange.com
verify error:num=10:certificate has expired
notAfter=Jan  3 13:02:44 2021 GMT
verify return:1
depth=0 CN = *.stackexchange.com
notAfter=Jan  3 13:02:44 2021 GMT
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.stackexchange.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.stackexchange.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3671 bytes and written 412 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D7D598A83E566C430B89526D854D58201749AD03625A0E009B32B439C5E614F3
    Session-ID-ctx: 
    Master-Key: 0AA83D4217395D23F3898D91974A8ABC27CC46DD52AAEF2406F4CF8953A16AD056B86BD3094F9A0E51639B9A6F27E725
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a0 6d 1d 55 1c 7b bd 63-28 57 1e dd 51 a7 64 84   .m.U.{.c(W..Q.d.
    0010 - a9 19 eb 47 49 8e ba 8e-fd cc 2f 5a d2 99 44 b9   ...GI...../Z..D.
    0020 - 1d 1d 56 a8 01 ee 80 32-f2 e9 3c 8b 04 8c 11 d0   ..V....2..<.....
    0030 - 0b 24 09 ff a1 10 fb ac-a9 b0 8e 3c 1c 77 06 ff   .$.........<.w..
    0040 - 79 89 5b 2a 7e 4d 96 09-05 23 ba 93 9c ed 3b 61   y.[*~M...#....;a
    0050 - e4 86 fd 06 92 bf 8e ba-c7 5b 37 62 de d7 b0 92   .........[7b....
    0060 - 6f 8e e2 07 97 9a a6 5c-22 09 90 6d 7c 7b 88 80   o......\"..m|{..
    0070 - 16 ce 07 0d e4 52 8a db-53 96 23 97 09 f1 75 12   .....R..S.#...u.
    0080 - 09 f1 dc 08 72 a0 38 e7-29 81 44 72 1c 56 04 c8   ....r.8.).Dr.V..
    0090 - e6 b0 76 16 21 41 f5 7f-bd 72 0c 45 50 8c d6 23   ..v.!A...r.EP..#
    00a0 - f4 19 7b db 68 42 2d 79-ba eb 45 3f 34 ec bd 86   ..{.hB-y..E?4...
    00b0 - bf 4d 4b 9e 3f 82 b3 fc-0c a5 6c b2 02 ad 31 5d   .MK.?.....l...1]

    Start Time: 1611192985
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---

Also, I am setting the DNS servers to 1.1.1.1 and 1.0.0.1 using the steps given here: https://wiki.archlinux.org/index.php/Ne … NS_servers

Last edited by nzec (2021-01-21 01:53:29)


#6 2021-01-21 01:49:27

loqs
Member
Registered: 2014-03-06
Posts: 12,949

Re: Certificate expired or common name invalid on selected websites

For comparison

openssl s_client -connect stackoverflow.com:443 -showcerts
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.stackexchange.com
verify return:1
---
Certificate chain
 0 s:CN = *.stackexchange.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.stackexchange.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3577 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5C08D8C20F1916008D2D6722983DBDDE5E69A8565BD4CBC4919F8FA26A3DBC89
    Session-ID-ctx: 
    Master-Key: 5629ED23CAD887D932D719910FC293F429FEC96D7FAAF811A3F0E07C4230EE713C2AC336B5C0EF87B4901432DAD96073
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - a0 6d 1d 55 1c 7b bd 63-28 57 1e dd 51 a7 64 84   .m.U.{.c(W..Q.d.
    0010 - 84 cd bf 6b a9 c3 47 2c-e7 0f 3c a1 3f 69 d9 3a   ...k..G,..<.?i.:
    0020 - f9 f8 31 0c 13 fd 02 75-17 22 3b 06 bb e1 f7 a6   ..1....u.";.....
    0030 - be 26 2f e6 f5 a7 8d e7-0c 2a 59 2d f8 09 d7 f1   .&/......*Y-....
    0040 - 0f e7 9e ae 0e ef 3b 82-9c a6 d9 5b 51 4c 79 2d   ......;....[QLy-
    0050 - de b4 76 20 dd f2 aa 4d-37 f0 7b f0 1e 18 dd d9   ..v ...M7.{.....
    0060 - 70 c9 ed a2 68 ae 08 26-c4 8b 9c ec 3a 29 78 77   p...h..&....:)xw
    0070 - 0e 37 f0 82 6e 21 5b fc-6f 79 ee 93 23 ec de e2   .7..n![.oy..#...
    0080 - ef da 7b 55 c2 05 07 19-3f e1 2d 9b 4a 1a b2 77   ..{U....?.-.J..w
    0090 - 1b 94 9c 2f d9 66 6d 39-70 3b 64 65 96 5c f2 f8   .../.fm9p;de.\..
    00a0 - 31 fd 98 b9 37 f7 71 74-37 32 98 88 d0 11 d5 7f   1...7.qt72......
    00b0 - be ba 08 4c 44 ee 8b 1c-17 08 45 a9 a4 a7 72 12   ...LD.....E...r.

    Start Time: 1611193505
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Edit:
What if you try one of the IP addresses I resolved stackoverflow.com to (other addresses: 151.101.129.69 151.101.65.69 151.101.1.69)

openssl s_client -connect 151.101.193.69:443 -servername stackoverflow.com -showcerts

Last edited by loqs (2021-01-21 04:45:37)


#7 2021-01-21 15:31:40

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

loqs wrote:

What if you try one of the IP addresses I resolved stackoverflow.com to (other address 151.101.129.69 151.101.65.69 151.101.1.69)

Gives the exact same thing.
The only difference being the Session Key and Session ID.
For comparison, here is the one without directly resolving it:

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.stackexchange.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.stackexchange.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3671 bytes and written 412 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D12A08B62F7C499176CA62A5A9408A212713A0B897068F94D29B3519C37EC6A5
    Session-ID-ctx: 
    Master-Key: B54581DF5F4CEE452EA39AD4C8F89DC8F047A1BCE05433FDD0CC6C4E2C5298970D8E7D83532A9C5F0249A95466C652EA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c0 1f 66 44 e7 75 e0 24-6a 3c ba 38 94 1d 93 53   ..fD.u.$j<.8...S
    0010 - ff fa 2f d9 dd 15 9b 2f-ec 20 93 b8 ab ef 35 5c   ../..../. ....5\
    0020 - 5c 03 1a 14 ca c4 8e 8d-df ed 71 b5 98 43 c0 e4   \.........q..C..
    0030 - c1 6d 2d 84 8c 6d 01 b7-42 7c b0 c0 89 76 a9 12   .m-..m..B|...v..
    0040 - e4 44 e4 ea 25 df 51 aa-7c 34 f1 59 83 70 73 e4   .D..%.Q.|4.Y.ps.
    0050 - 41 96 b2 d1 d0 ad 8f ab-4c 33 55 99 3c 45 27 d3   A.......L3U.<E'.
    0060 - 77 3a 8c f0 83 3f b2 e5-4c dc 61 6b 96 08 cd 91   w:...?..L.ak....
    0070 - 90 f6 c4 d3 d6 2f 40 97-80 40 c6 6c ce 1f 4b 2f   ...../@..@.l..K/
    0080 - 26 e9 3b fb 4f ad e4 bc-21 fa 07 dc d5 f9 b7 8c   &.;.O...!.......
    0090 - 44 7c f3 2c 54 14 9f 9a-76 5d c0 e5 0c 0d 17 3a   D|.,T...v].....:
    00a0 - 40 db 90 e2 9b 99 a1 18-cb 5f ee bf ae 4e 40 d5   @........_...N@.
    00b0 - 37 a6 3a f0 49 d8 56 18-f0 5b fa 73 9b 14 d8 32   7.:.I.V..[.s...2

    Start Time: 1611241247
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---

And here is the one after resolving it:

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.stackexchange.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.stackexchange.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3671 bytes and written 412 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E3C420EFD0025BA770A4FD6BEC941139D0EF597C7E12780C5464869CE22641E4
    Session-ID-ctx: 
    Master-Key: 64860148724ACC34F15867FB52CB65E8B023788A25602C1BACBB534548747D5E011CA408D2B5EDF47BB852E1831BB9DC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c0 1f 66 44 e7 75 e0 24-6a 3c ba 38 94 1d 93 53   ..fD.u.$j<.8...S
    0010 - da bd b3 49 6a a0 1a d8-a4 ed b6 f0 92 92 b6 cc   ...Ij...........
    0020 - 30 9c d7 a3 2d b3 fd 28-a4 e4 20 3c 8d 60 72 93   0...-..(.. <.`r.
    0030 - f5 54 dc aa 50 76 d1 71-24 bb af 1c 25 ba bd 39   .T..Pv.q$...%..9
    0040 - 8e ff 4e 31 e1 b9 a4 0c-1d 7e 16 85 95 58 8e 6d   ..N1.....~...X.m
    0050 - 0a 17 13 46 ee 9b e6 a5-14 78 b3 b1 b7 1d 5a 61   ...F.....x....Za
    0060 - c1 6c c7 b4 a4 ce b9 ab-4c 71 f5 4e 5d 40 90 e4   .l......Lq.N]@..
    0070 - 0d 59 00 d1 16 20 f4 ff-d7 90 86 e5 80 98 c8 b2   .Y... ..........
    0080 - 87 78 4b 70 c7 50 ce 1b-2a 56 cd 17 e5 59 44 ee   .xKp.P..*V...YD.
    0090 - f3 47 18 e2 cb 5c e4 dd-7d 78 82 b3 cd f3 72 66   .G...\..}x....rf
    00a0 - 45 01 59 ac 12 c9 4d 96-c8 73 8b 7f 38 75 af 75   E.Y...M..s..8u.u
    00b0 - d9 0b d6 88 8b 54 62 7f-06 ba 46 a4 07 ef 8c 29   .....Tb...F....)

    Start Time: 1611241160
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---

I did some more testing, and found that checking the same from another Arch install on a separate hard drive works fine.

I tested the same with testssl.sh which is really nice because it gives the most amount of output. It gives the following:

running testssl -oA output stackoverflow.com, here is the output.html (expired):
https://gistcdn.rawgit.org/nzec/a7d3a09 … rflow.html
running testssl -oA output i.redd.it, here is the output.html (certificate does not match supplied URI):
https://gistcdn.rawgit.org/nzec/a7d3a09 … eddit.html

I uninstalled NetworkManager and chrooted from the separate hard drive and installed NetworkManager again, and the problem persisted.
I am guessing it is not a problem with DNS because it resolves correctly and even if I manually resolve it, the problem still persists.

The same problem exists with all the reddit cdn websites. I also found a few other websites with the same problem.
I read https://wiki.archlinux.org/index.php/Tr … r_Security and tried reinstalling ca-certificates and did update-ca-trust but that didn't do anything.
The bizarre thing is that the problem isn't with the installed CA certs; the problem is that somehow I am getting the wrong certificate from the websites themselves (which work fine on all other devices).

This is driving me crazy. I might just do a fresh install.


#8 2021-01-21 16:59:39

seth
Member
Registered: 2012-09-03
Posts: 18,781

Re: Certificate expired or common name invalid on selected websites

pacman -Qikk openssl ca-certificates-utils ca-certificates ca-certificates-mozilla


#9 2021-01-21 17:37:45

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

seth wrote:
pacman -Qikk openssl ca-certificates-utils ca-certificates ca-certificates-mozilla

Here is the output:

Name            : openssl
Version         : 1.1.1.i-2
Description     : The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
Architecture    : x86_64
URL             : https://www.openssl.org
Licenses        : custom:BSD
Groups          : None
Provides        : None
Depends On      : glibc
Optional Deps   : ca-certificates [installed]
                  perl [installed]
Required By     : bind  castor-git  coreutils  cryptsetup  curl  dog  dotnet-runtime  git  gnustep-base  hexchat  kmod  kristall  ldns  lib32-openssl  libarchive  libevent  libsasl  libshout  libssh  libssh2  lynx  mariadb-libs  nmap  openssh  perl-net-ssleay  pypy3  python  python-pyopenssl  python2  rsync  srt  systemd  testssl.sh  tor  unarchiver  vde2  w3m  wpa_supplicant  xmlsec
Optional For    : mit-scheme
Conflicts With  : None
Replaces        : openssl-perl  openssl-doc
Installed Size  : 7.31 MiB
Packager        : Pierre Schmitz <pierre@archlinux.de>
Build Date      : Sat 12 Dec 2020 12:04:39 PM IST
Install Date    : Tue 15 Dec 2020 01:34:40 PM IST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

openssl: 4112 total files, 0 altered files
Name            : ca-certificates-utils
Version         : 20181109-4
Description     : Common CA certificates (utilities)
Architecture    : any
URL             : https://src.fedoraproject.org/rpms/ca-certificates
Licenses        : GPL2
Groups          : None
Provides        : ca-certificates  ca-certificates-java
Depends On      : bash  coreutils  findutils  p11-kit>=0.23.19
Optional Deps   : None
Required By     : ca-certificates-mozilla  curl  jre-openjdk-headless  neon  qca
Optional For    : lib32-openssl  openssl  wget
Conflicts With  : ca-certificates-java
Replaces        : ca-certificates-java
Installed Size  : 6.04 KiB
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Tue 28 Jul 2020 10:06:01 PM IST
Install Date    : Thu 21 Jan 2021 08:23:19 PM IST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

ca-certificates-utils: 26 total files, 0 altered files
Name            : ca-certificates
Version         : 20181109-4
Description     : Common CA certificates (default providers)
Architecture    : any
URL             : https://src.fedoraproject.org/rpms/ca-certificates
Licenses        : GPL2
Groups          : None
Provides        : None
Depends On      : ca-certificates-mozilla
Optional Deps   : None
Required By     : curl  neon  qca
Optional For    : lib32-openssl  openssl  wget
Conflicts With  : ca-certificates-cacert<=20140824-4
Replaces        : ca-certificates-cacert<=20140824-4
Installed Size  : 0.00 B
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Tue 28 Jul 2020 10:06:01 PM IST
Install Date    : Thu 21 Jan 2021 06:02:02 AM IST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

ca-certificates: 0 total files, 0 altered files
Name            : ca-certificates-mozilla
Version         : 3.60.1-1
Description     : Mozilla's set of trusted CA certificates
Architecture    : x86_64
URL             : https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
Licenses        : MPL  GPL
Groups          : None
Provides        : None
Depends On      : ca-certificates-utils>=20181109-3
Optional Deps   : None
Required By     : ca-certificates
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 875.00 KiB
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Thu 07 Jan 2021 08:12:37 PM IST
Install Date    : Thu 21 Jan 2021 06:02:02 AM IST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

ca-certificates-mozilla: 5 total files, 0 altered files


#10 2021-01-21 22:55:42

seth
Member
Registered: 2012-09-03
Posts: 18,781

Re: Certificate expired or common name invalid on selected websites

Those look ok, so the retired cert comes from a 3rd file?

strace openssl s_client -connect stackoverflow.com:443 -showcerts  2>&1 | grep open


#11 2021-01-22 00:04:35

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

seth wrote:
strace openssl s_client -connect stackoverflow.com:443 -showcerts  2>&1 | grep open

Here:

execve("/usr/bin/openssl", ["openssl", "s_client", "-connect", "stackoverflow.com:443", "-showcerts"], 0x7ffe2e11faa0 /* 60 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/ssl/ct_log_list.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/ssl/cert.pem", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_mymachines.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/run/systemd/machines/stackoverflow.com", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_myhostname.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/libnss_resolve.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/gai.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4


#12 2021-01-22 00:41:18

loqs
Member
Registered: 2014-03-06
Posts: 12,949

Re: Certificate expired or common name invalid on selected websites

In a browser can you visit https://letsencrypt.org/certificates/ then the valid and expired links?
Edit:
Also check what root certificate firefox shows as signing the expired reddit certificate.

Last edited by loqs (2021-01-22 00:47:00)


#13 2021-01-22 01:10:38

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

The valid one works fine while the expired one gives SEC_ERROR_EXPIRED_CERTIFICATE (expired on 2/15/2017)
The i.redd.it gives SSL_ERROR_BAD_CERT_DOMAIN (only valid for reddit.com, *.reddit.com) and shows the "*.reddit.com" issued by "DigiCert TLS RSA SHA256 2020 CA1" issued by "DigiCert Global Root CA".


#14 2021-01-22 01:13:30

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 8,315

Re: Certificate expired or common name invalid on selected websites

as i.redd.it isn't reddit.com, that makes perfect sense.


#15 2021-01-22 01:22:53

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

Scimmia wrote:

as i.redd.it isn't reddit.com, that makes perfect sense.

But i.redd.it does give a certificate that is valid. Somehow, this computer manages to get a certificate that isn't.
The same problem is with about.gitlab.com which is giving SSL_ERROR_BAD_CERT_DOMAIN (is not valid for about.gitlab.com. The certificate is only valid for c.sni.fastly.net).

This is starting to make me think that the problem is indeed with DNS.

Here is the output of openssl s_client -connect about.gitlab.com:443 -showcerts

CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN = c.sni.fastly.net
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN = c.sni.fastly.net

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3526 bytes and written 411 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5CF1432A3E6143D9907DDD38360EB9A601824821733933A7576259AD5D50188C
    Session-ID-ctx: 
    Master-Key: EAF1BC1928131722A45A13DD3197358ACC1CCA53ED7D3AC175142531EA9B449265FAEA4CBFE70F496F01EA8F1355BA9A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 70 df 65 f2 e7 d9 c8 eb-63 10 87 94 0f cf 6e 1f   p.e.....c.....n.
    0010 - 05 72 1d be bc b6 93 9f-a3 f4 34 cc 83 04 26 da   .r........4...&.
    0020 - ef c1 1c b0 ea c1 fa c0-de 7d 3e f9 92 0d fa 3f   .........}>....?
    0030 - 3b 80 e2 a9 39 eb 77 8e-15 35 71 b8 8a 36 ac 8b   ;...9.w..5q..6..
    0040 - 49 8e 72 14 15 9d 37 3a-24 f2 75 04 25 bc 69 40   I.r...7:$.u.%.i@
    0050 - 2e 45 9c 5f 1b 72 8a 09-8e 55 4a 3d 82 b6 2f 42   .E._.r...UJ=../B
    0060 - dc f5 9d ad 9c 8a 28 58-95 7c 7e 15 fe 31 b6 51   ......(X.|~..1.Q
    0070 - 20 63 49 d8 b3 94 4c ff-21 65 f1 33 96 09 cd 30    cI...L.!e.3...0
    0080 - c7 7a 38 80 ff b1 aa 30-11 95 f6 f2 04 f9 38 fa   .z8....0......8.
    0090 - 96 36 88 1b 83 34 0f 9c-1f 10 46 c2 ad 4f a0 29   .6...4....F..O.)
    00a0 - 12 f5 e1 30 45 e7 6a f9-db f6 7c 03 56 c3 4f ba   ...0E.j...|.V.O.
    00b0 - 6e 29 d9 1f 0d 76 ea 12-00 2c 45 dc f1 98 94 9c   n)...v...,E.....

    Start Time: 1611278451
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---


#16 2021-01-22 01:26:50

loqs
Member
Registered: 2014-03-06
Posts: 12,949

Re: Certificate expired or common name invalid on selected websites

From the testssl -oA output i.redd.it

  Server Certificate #1
   Signature Algorithm          SHA256 with RSA
   Server key size              RSA 2048 bits
   Server key usage             Digital Signature, Key Encipherment
   Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
   Serial / Fingerprints        09DDA42AA78542EE63F5A35A236D7005 / SHA1 8EF057BDBA1557EE62E5E9DF5E7CE56972624897
                                SHA256 C672061C951927F7E71F0F62F7E10CF85113A1CF2D02EC3416E1C0C1F4880B92
   Common Name (CN)             *.reddit.com 
   subjectAltName (SAN)         reddit.com *.reddit.com 
   Issuer                       DigiCert TLS RSA SHA256 2020 CA1 (DigiCert Inc from US)
   Trust (hostname)             certificate does not match supplied URI (same w/o SNI)
   Chain of trust               Ok   
   EV cert (experimental)       no 
   ETS/"eTLS", visibility info  not present
   Certificate Validity (UTC)   166 >= 60 days (2021-01-08 05:30 --> 2021-07-07 05:29)
   # of certificates provided   2
   Certificate Revocation List  http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl
                                http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl
   OCSP URI                     http://ocsp.digicert.com
   OCSP stapling                offered, not revoked
   OCSP must staple extension   --
   DNS CAA RR (experimental)    not offered
   Certificate Transparency     yes (certificate extension)

  Server Certificate #2
   Signature Algorithm          SHA256 with RSA
   Server key size              RSA 2048 bits
   Server key usage             Digital Signature, Key Encipherment
   Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
   Serial / Fingerprints        082E507A95B08C0449B76DD200729C81 / SHA1 FCFD32D7B8502B7B2D00D94D76CD7AF5A98EBEDF
                                SHA256 58870B23D90F2DF2EB1894ED46397409CC2E2608EABC4EB3A571944A28AC61CA
   Common Name (CN)             *.redd.it  (CN in response to request w/o SNI: *.reddit.com )
   subjectAltName (SAN)         redd.it *.redd.it 
   Issuer                       DigiCert TLS RSA SHA256 2020 CA1 (DigiCert Inc from US)
   Trust (hostname)             Ok via SAN wildcard (SNI mandatory)
   Chain of trust               Ok   
   EV cert (experimental)       no 
   ETS/"eTLS", visibility info  not present
   Certificate Validity (UTC)   166 >= 60 days (2021-01-08 05:30 --> 2021-07-07 05:29)
   # of certificates provided   2
   Certificate Revocation List  http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl
                                http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl
   OCSP URI                     http://ocsp.digicert.com
   OCSP stapling                offered, not revoked
   OCSP must staple extension   --
   DNS CAA RR (experimental)    not offered
   Certificate Transparency     yes (certificate extension)

Two certificates are served, one matching the SNI domain and one not; there was an issue with an older version of I think nss which could not resolve the good chain to a root in the presence of a bad chain.
Is the nss package up to date?

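The testssl.sh output above makes the mechanism visible: the server behind i.redd.it hands out a `*.reddit.com` certificate when no SNI is sent and a `*.redd.it` certificate when it is, and only the second one passes a hostname check for i.redd.it. The following is an added example, not from the thread or from testssl.sh: it implements the subjectAltName hostname match a browser applies (wildcard only as the whole leftmost label, matching exactly one label), and evaluates it against the two SAN lists quoted above plus the `c.sni.fastly.net` certificate nzec received for about.gitlab.com. The SAN lists are constructed from the testssl.sh lines in this thread; the `with_sni` / `without_sni` labels are this example's own.

```python
# Constructed from the testssl.sh output quoted in the thread: the SAN list of
# the certificate i.redd.it's server returns with and without the SNI extension.
REDDIT_CDN_SANS = {
    "with_sni": ["redd.it", "*.redd.it"],
    "without_sni": ["reddit.com", "*.reddit.com"],
}

# What nzec's client received for about.gitlab.com (SAN assumed to equal the CN).
FASTLY_DEFAULT_SANS = ["c.sni.fastly.net"]


def match_dns_name(pattern, hostname):
    """Match one SAN dNSName against a hostname, case-insensitively.

    Wildcard rules as browsers apply them: '*' must be the entire leftmost
    label, matches exactly one non-empty label, and needs at least two labels
    after it (so '*.com' never matches). Partial wildcards such as
    'f*.example.com' are rejected outright, which is stricter than RFC 6125.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(label == "" for label in h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def hostname_ok(san_names, hostname):
    """True if any SAN entry covers hostname (the CN is ignored, as browsers do)."""
    return any(match_dns_name(name, hostname) for name in san_names)


def check_sni_variants(served, hostname):
    """Evaluate hostname against each certificate a server hands out."""
    return {variant: hostname_ok(sans, hostname) for variant, sans in served.items()}


if __name__ == "__main__":
    for host in ("i.redd.it", "www.reddit.com", "a.b.redd.it"):
        print(host, check_sni_variants(REDDIT_CDN_SANS, host))
    print("about.gitlab.com vs fastly default:",
          hostname_ok(FASTLY_DEFAULT_SANS, "about.gitlab.com"))
```

Two points follow from running it. A client that sends no SNI, or whose SNI is not seen by the endpoint it actually reaches, gets the default certificate and fails exactly the way Firefox and Brave report here. And `openssl s_client` does not do this check at all unless asked, which is why nzec's about.gitlab.com capture says `Verification: OK` for a `c.sni.fastly.net` leaf; to make s_client apply it, add `-verify_hostname about.gitlab.com` (and `-servername`), and use `-noservername` to reproduce the no-SNI case deliberately.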

#17 2021-01-22 01:34:17

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

Yes nss is up to date (and so is the entire system) and I had updated it with pacman -Syu nss --overwrite /usr/lib\*/p11-kit-trust.so.


#18 2021-01-22 01:54:00

loqs
Member
Registered: 2014-03-06
Posts: 12,949

Re: Certificate expired or common name invalid on selected websites

From testssl i.redd.it

 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info" "server name"
                              "EC point formats" "session ticket"
                              "status request" "max fragment length"
                              "application layer protocol negotiation"
                              "encrypt-then-mac"
                              "extended master secret"
 Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: yes
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        082E507A95B08C0449B76DD200729C81 / SHA1 FCFD32D7B8502B7B2D00D94D76CD7AF5A98EBEDF
                              SHA256 58870B23D90F2DF2EB1894ED46397409CC2E2608EABC4EB3A571944A28AC61CA
 Common Name (CN)             *.redd.it  (CN in response to request w/o SNI: *.reddit.com )
 subjectAltName (SAN)         redd.it *.redd.it 
 Issuer                       DigiCert TLS RSA SHA256 2020 CA1 (DigiCert Inc from US)
 Trust (hostname)             Ok via SAN wildcard (SNI mandatory)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   165 >= 60 days (2021-01-08 00:00 --> 2021-07-07 00:59)
 # of certificates provided   2
 Certificate Revocation List  http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1.crl
                              http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1.crl
 OCSP URI                     http://ocsp.digicert.com
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)

Is only one certificate chain considered, or is only one offered, compared to the two for nzec?

Last edited by loqs (2021-01-22 01:54:28)

Offline
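Added example (not code from any poster in this thread): the two client-side checks whose failures show up above as SSL_ERROR_BAD_CERT_DOMAIN / NET::ERR_CERT_COMMON_NAME_INVALID and SEC_ERROR_EXPIRED_CERTIFICATE / NET::ERR_CERT_DATE_INVALID, run against constructed leaf descriptions. The leaves are plain dicts, not parsed X.509; their names and the *.redd.it validity window are taken from the testssl output, the validity window of the non-SNI *.reddit.com default and the 2021-01-03 expiry of the stale stackexchange leaf are assumptions labelled in the code. Hostname matching follows the usual browser rules: a SAN wildcard is allowed only as the whole leftmost label and matches exactly one label, and the CN is ignored when a SAN extension is present.

```python
"""Leaf-certificate checks behind the two browser errors in this thread.

Constructed example data, not real parsed certificates: field values
mirror what testssl/openssl printed; dates marked ASSUMED are not from
the thread.
"""
from datetime import datetime, timezone


def san_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname.

    Case-insensitive; a '*' may appear only as the entire leftmost label
    and matches exactly one label, so '*.redd.it' matches 'i.redd.it' but
    not 'redd.it' or 'a.b.redd.it'. Wildcards on a public suffix such as
    '*.com' are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard must be the whole leftmost label
    if len(p_labels) < 3:
        return False  # refuse '*.it' / '*.com'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_leaf(cert, hostname, now):
    """Return the list of failures a browser would report for this leaf."""
    errors = []
    # With a SAN extension present the CN is not consulted at all.
    names = cert.get("san") or [cert["cn"]]
    if not any(san_matches(n, hostname) for n in names):
        errors.append("hostname mismatch")   # SSL_ERROR_BAD_CERT_DOMAIN
    if now < cert["not_before"]:
        errors.append("not yet valid")
    if now > cert["not_after"]:
        errors.append("expired")             # SEC_ERROR_EXPIRED_CERTIFICATE
    return errors


UTC = timezone.utc
# Time of post #18 in this thread, used as the reference clock.
NOW = datetime(2021, 1, 22, 1, 54, tzinfo=UTC)

# Leaf served for i.redd.it when SNI is sent (testssl output above).
REDD_IT_SNI = {
    "cn": "*.redd.it",
    "san": ["redd.it", "*.redd.it"],
    "not_before": datetime(2021, 1, 8, 0, 0, tzinfo=UTC),
    "not_after": datetime(2021, 7, 7, 0, 59, tzinfo=UTC),
}
# Default leaf served when no SNI is sent; validity window ASSUMED.
REDDIT_DEFAULT = {
    "cn": "*.reddit.com",
    "san": ["reddit.com", "*.reddit.com"],
    "not_before": datetime(2021, 1, 1, 0, 0, tzinfo=UTC),
    "not_after": datetime(2021, 7, 1, 0, 0, tzinfo=UTC),
}
# Stale stackexchange leaf; expiry on 2021-01-03 per post #1, exact
# time and notBefore ASSUMED.
STACKEXCHANGE_STALE = {
    "cn": "*.stackexchange.com",
    "san": ["*.stackexchange.com", "stackoverflow.com", "*.stackoverflow.com"],
    "not_before": datetime(2020, 10, 5, 0, 0, tzinfo=UTC),
    "not_after": datetime(2021, 1, 3, 0, 0, tzinfo=UTC),
}

if __name__ == "__main__":
    for name, cert, host in [("redd.it with SNI", REDD_IT_SNI, "i.redd.it"),
                             ("redd.it without SNI", REDDIT_DEFAULT, "i.redd.it"),
                             ("stale stackexchange", STACKEXCHANGE_STALE, "stackoverflow.com")]:
        print(f"{name}: {check_leaf(cert, host, NOW) or 'ok'}")
```

The point for this thread: the i.redd.it error only appears if the client ends up validating the non-SNI default certificate, while the stackoverflow error only appears if the client ends up with a leaf whose notAfter is in the past, so the two browser messages point at which certificate the local system actually validated, not at the clock.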

#19 2021-01-22 08:33:42

seth
Member
Registered: 2012-09-03
Posts: 18,781

Re: Certificate expired or common name invalid on selected websites

He's using https://crt.sh/?caid=16418 which should™ still be good for a couple of months but also should™ be replaced by https://crt.sh/?caid=183267
https://letsencrypt.org/2020/09/17/new- … iates.html
So he's getting the "wrong" certificate and it has the wrong expiration date…

This all smells like a (not necessarily malign) MitM or bad timestamps, so I'd challenge those assertions…
1. Time

TZ=UTC date

2. about the MitM, which certificate is used on "other devices"? X3 or R3?
- do you use
* a virtual machine
* some form of local firewall/pihole/…
* a vpn
* anything else to harden the environment?
- can you move the system into a different network (away from your router and ideally ISP)

Online

#20 2021-01-22 20:43:44

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

1. TZ=UTC date gives the correct time (<> at the time of writing this)
2. On my "other devices" (running on the same network), it gives R3 correctly,
Here is the output of openssl s_client -connect stackoverflow.com:443 -showcerts (on a different device, same network):

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.stackexchange.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIG9DCCBdygAwIBAgISAwlZX3toja8spIxSXHTKF+FyMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMDEyMDMxNDAwNTJaFw0yMTAzMDMxNDAwNTJaMB4xHDAaBgNVBAMM
Eyouc3RhY2tleGNoYW5nZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCv/JcuNRZQmB5/e6vDoud+eNc/tp3Eu65I4NgLVQ28oX8ORtdpJD10pw1g
oArHnf1j9jLFZbe6B5sWZq990rNnjKOra5YksxFMYmCC0HgoPmqBnz43mrEKgBrj
JIuVCrOqVWEtia1oc2uIQSkawgIuGf5I+unQA+vspp1H9DaE70/tBtd0kpy6m5KZ
0PsibrjWGrW5leTB5q7w0e0l6Bh73hJnsfI5oKlQDx8uIJ9GThrFAfk+Xx4iZUwz
b2XJLg3RpPqqFmgBEIo9HC1Gxphn9NZbnvi1J1adFA4nfQh7uElt4dh6A3uwmWln
riPZ8Mt0T539tYl+x6j6Z6QyCRB1AgMBAAGjggQWMIIEEjAOBgNVHQ8BAf8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw
HQYDVR0OBBYEFKyYhPGAVlTGYHx0ErZRgwSRyek+MB8GA1UdIwQYMBaAFBQusxe3
WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0
cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j
ci5vcmcvMIIB5AYDVR0RBIIB2zCCAdeCDyouYXNrdWJ1bnR1LmNvbYISKi5ibG9n
b3ZlcmZsb3cuY29tghIqLm1hdGhvdmVyZmxvdy5uZXSCGCoubWV0YS5zdGFja2V4
Y2hhbmdlLmNvbYIYKi5tZXRhLnN0YWNrb3ZlcmZsb3cuY29tghEqLnNlcnZlcmZh
dWx0LmNvbYINKi5zc3RhdGljLm5ldIITKi5zdGFja2V4Y2hhbmdlLmNvbYITKi5z
dGFja292ZXJmbG93LmNvbYIVKi5zdGFja292ZXJmbG93LmVtYWlsgg8qLnN1cGVy
dXNlci5jb22CDWFza3VidW50dS5jb22CEGJsb2dvdmVyZmxvdy5jb22CEG1hdGhv
dmVyZmxvdy5uZXSCFG9wZW5pZC5zdGFja2F1dGguY29tgg9zZXJ2ZXJmYXVsdC5j
b22CC3NzdGF0aWMubmV0gg1zdGFja2FwcHMuY29tgg1zdGFja2F1dGguY29tghFz
dGFja2V4Y2hhbmdlLmNvbYISc3RhY2tvdmVyZmxvdy5ibG9nghFzdGFja292ZXJm
bG93LmNvbYITc3RhY2tvdmVyZmxvdy5lbWFpbIIRc3RhY2tzbmlwcGV0cy5uZXSC
DXN1cGVydXNlci5jb20wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMB
AQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEE
BgorBgEEAdZ5AgQCBIH1BIHyAPAAdwBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOU
sl7m9scOygAAAXYpHsnaAAAEAwBIMEYCIQD2BYPFaoNHxpuR7dpGPx90b2t2OFv1
oEELbqYiBWo4tAIhAKT8/8UQ6po+ONKkl4u9/hXrV424SewLQjyKuc656f/6AHUA
fT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF2KR7JpAAABAMARjBE
AiBk58dzHIsANdFi9Y305G6X1N1kGQVbZjrhIt4oQQooOAIgCi0yANzZULHUlKfF
WlNDSfKXHImI6W5vyF7XpkWt+HIwDQYJKoZIhvcNAQELBQADggEBAExNEHaf0ATu
kmLPA/FGKOi97vEieZv5QiKg2idsESsSc5XUcXjzHuz2ws+IYInd6gz6s3aua7c0
iCjwbkBuledtntKgvhBxB7ax4wcxt0vKY4yhcTifG+XpsdC2rjtIXO/Uckpn14tx
cUo4SsVqXLtxQu4qQ2DS3QGlyAwLPlPS46XkUP/ztd4D3WcyokUW72+2NMdtpgZq
NzteVkfQ5xb2akdrm2lN7/S2GBFPFzPGLUEwm0nxEPlF08kk3BWKlXfIWnCdHkrW
9mPoMo048BH4cVTwMDTR177IMxJY4p0uqsNMoPvTpvNIqbIl5bv3uABROg0Y8yLq
4CZZLJFwyL0=
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.stackexchange.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3577 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 9572C4EF6784298FDC2F5CAC16C18AA4F5EA68D164D9940FCA9817D64884A66B
    Session-ID-ctx: 
    Master-Key: 92DDCED70C63CEC5857F719B93FAF2A96D0555FF9F732C9A09ACCBD883D79230BF58F34B2112B9A53F07518F419D88B5
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 73 66 d7 18 1f 4f 10 f2-ef f5 4d 54 d7 c2 37 62   sf...O....MT..7b
    0010 - 05 b1 3d d6 92 de 69 f3-cf 03 3b 40 d9 c3 7c de   ..=...i...;@..|.
    0020 - a2 83 68 80 11 b6 f9 39-f2 be a8 7f c0 c5 81 4c   ..h....9.......L
    0030 - 77 8e 0d e7 a4 82 19 ed-68 57 de e6 88 f7 7f e1   w.......hW......
    0040 - 72 08 62 3c 80 19 11 83-3d 4c 18 6f 56 88 f8 e4   r.b<....=L.oV...
    0050 - 56 a1 23 7b d0 76 37 40-df 6a eb 15 3d d5 09 1f   V.#{.v7@.j..=...
    0060 - f4 15 22 0f 8c a5 eb 6e-6c 5f 36 bb 24 a6 4d 23   .."....nl_6.$.M#
    0070 - f1 a1 6f f4 4e 09 53 41-3d b0 ae 0d a4 7c c4 dc   ..o.N.SA=....|..
    0080 - 91 67 ee a4 68 6e 8c 6c-0b 91 52 c4 3a 15 43 37   .g..hn.l..R.:.C7
    0090 - 63 77 61 16 fb 28 dc 32-17 79 ce bd 5b 58 b9 3b   cwa..(.2.y..[X.;
    00a0 - 68 e3 c1 7b 85 28 ec 1b-78 2f 15 35 da b2 a2 20   h..{.(..x/.5... 
    00b0 - 39 f3 cd 62 67 ea 0c 62-53 bb 0c de 3b b9 e6 19   9..bg..bS...;...

    Start Time: 1611345720
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

I am not running Arch on a Virtual Machine.
I don't have any firewall or pihole or VPN that I have installed (though the router is configured by my ISP and they might be doing some shady things).

I tried openssl s_client -connect stackoverflow.com:443 -showcerts on a different network (cellular internet) on the same computer and it gave the X3 certificate which was expired.
Here is the output

CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.stackexchange.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.stackexchange.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3671 bytes and written 412 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0F5B794195308F4452CCA5F9732ADF81C7B4DF35F793FC88472BF96081D38907
    Session-ID-ctx: 
    Master-Key: AF8BE8AE3AA15B4627C6549B8F08E36491D8DBDF3810853A5FBF77B6DEC0A41DEEAB467C694E4DA795847EFC23987033
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 7e 48 82 cf 6e c6 b4 29-44 61 31 00 99 36 82 5d   ~H..n..)Da1..6.]
    0010 - 38 29 fa 21 d2 88 bf 57-44 c4 c2 52 ae 4b fe b0   8).!...WD..R.K..
    0020 - 25 53 dc ac 66 06 c1 c7-ea 05 f9 22 36 d0 cc 80   %S..f......"6...
    0030 - 07 cd fa 7d 61 a5 26 ca-2d ca 8c aa 19 4c 76 b1   ...}a.&.-....Lv.
    0040 - cf ca 1b 70 d2 4f 30 a7-74 74 0c 8e 2d ec be dd   ...p.O0.tt..-...
    0050 - e1 34 f7 90 e0 51 52 24-72 f0 8a 86 e5 27 e3 cd   .4...QR$r....'..
    0060 - cb 2b d1 3b be ea 87 2e-86 db 7a 7f 4d b3 9e fe   .+.;......z.M...
    0070 - 47 80 c4 74 26 0b f2 30-31 84 95 0f 4d 3c a4 f1   G..t&..01...M<..
    0080 - d6 53 1d e2 19 f6 47 8c-34 52 ec b9 82 b4 24 ee   .S....G.4R....$.
    0090 - 1e 30 6f 84 17 b8 93 c0-07 a1 84 d8 9d fe 9c 62   .0o............b
    00a0 - bc 64 34 0c 03 c1 3a 99-c1 08 9b c2 e5 5d 97 c2   .d4...:......]..
    00b0 - 07 a6 a9 51 1e 93 83 7c-b1 67 0d 11 ce 4a 6f 2e   ...Q...|.g...Jo.

    Start Time: 1611347402
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: yes
---

The problem seems to be with this very arch setup only.

Offline

#21 2021-01-22 21:15:26

loqs
Member
Registered: 2014-03-06
Posts: 12,949

Re: Certificate expired or common name invalid on selected websites

Not sure if /etc/ca-certificates/extracted/tls-ca-bundle.pem is reproducible, so start with a count of how many certificates it contains, then the checksum. I have:

$ grep -rF -- '-----BEGIN CERTIFICATE-----' /etc/ca-certificates/extracted/tls-ca-bundle.pem | wc -l
129
$ sha256sum /etc/ca-certificates/extracted/tls-ca-bundle.pem
63bd9286d63ba7bc25671757fb382b41b4489a8b5ea54e5bd01266e8e7be2e2c  /etc/ca-certificates/extracted/tls-ca-bundle.pem

Offline
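Added example (not loqs' or nzec's code): the count-and-checksum check above tells you whether two bundles differ, but not which certificate differs; splitting the bundle into its PEM blocks and fingerprinting each one (SHA-256 over the DER bytes, the same value testssl printed and `openssl x509 -noout -fingerprint -sha256` prints) does. The bundles below are constructed: the base64 payloads are placeholder bytes rather than real certificates so the demo runs offline, and the comment lines between blocks stand in for the `# Issuer` lines the Arch bundle carries. Point `diff_bundles` at the real files to compare a suspect bundle against a known-good one.

```python
"""Per-certificate diff of two CA bundles.

Constructed example: the PEM payloads are placeholder bytes, not real
DER certificates. Decoding and hashing are identical for a real bundle.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_bundle(pem_text):
    """Return the DER bytes of every certificate block, in file order.
    Anything outside BEGIN/END markers (comments, blank lines) is ignored."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def der_fingerprint(der):
    """SHA-256 fingerprint as the uppercase hex string tools print."""
    return hashlib.sha256(der).hexdigest().upper()


def bundle_sha256(pem_text):
    """Whole-file checksum, equivalent to sha256sum on the bundle."""
    return hashlib.sha256(pem_text.encode()).hexdigest()


def diff_bundles(mine, reference):
    """Compare two bundles by certificate fingerprint, not by file hash."""
    a = {der_fingerprint(d) for d in split_bundle(mine)}
    b = {der_fingerprint(d) for d in split_bundle(reference)}
    return {
        "count_mine": len(a),
        "count_ref": len(b),
        "only_mine": sorted(a - b),   # certs trusted here but not in reference
        "only_ref": sorted(b - a),    # certs missing here
    }


def _fake_pem(payload):
    """Wrap arbitrary bytes as a PEM block with real 64-column wrapping.
    Constructed placeholder, not a certificate."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


CA_A = b"placeholder DER bytes for CA A " * 3
CA_B = b"placeholder DER bytes for CA B " * 3
CA_C = b"placeholder DER bytes for CA C " * 3
CA_D = b"placeholder DER bytes for CA D (extra, untrusted upstream) " * 2

# Same certificate count in both bundles, one certificate swapped: the
# case where `wc -l` on BEGIN markers matches but the checksum does not.
REFERENCE_BUNDLE = ("# CA A\n" + _fake_pem(CA_A) + "\n# CA B\n" + _fake_pem(CA_B)
                    + "\n# CA C\n" + _fake_pem(CA_C))
MY_BUNDLE = ("# CA A\n" + _fake_pem(CA_A) + "\n# CA B\n" + _fake_pem(CA_B)
             + "\n# CA D\n" + _fake_pem(CA_D))

if __name__ == "__main__":
    result = diff_bundles(MY_BUNDLE, REFERENCE_BUNDLE)
    print("bundle sha256 equal:",
          bundle_sha256(MY_BUNDLE) == bundle_sha256(REFERENCE_BUNDLE))
    for key, value in result.items():
        print(f"{key}: {value}")
```

If the whole-file checksums match, as they did for all three posters, the diff is empty and the trust store is not the culprit; the fingerprint list in `only_mine` is what to look at when they do not, since an extra root there is what an interception proxy on the machine would need.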

#22 2021-01-22 21:19:19

seth
Member
Registered: 2012-09-03
Posts: 18,781

Re: Certificate expired or common name invalid on selected websites

Same here.

Online

#23 2021-01-22 22:05:27

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

Got the exact same output.

I think I'll just re-install Arch and call it a day.

Offline

#24 2021-01-22 22:07:14

seth
Member
Registered: 2012-09-03
Posts: 18,781

Re: Certificate expired or common name invalid on selected websites

I'd first use the install iso to check which certificate you get there.

Online

#25 2021-01-22 22:25:44

nzec
Member
Registered: 2020-09-30
Posts: 16

Re: Certificate expired or common name invalid on selected websites

Just finished a clean install on the root partition and everything works well.

I got the correct certificate from the install iso.
I chroot'ed into the old install and got the correct certificate as well.

This was extremely bizarre.
It might have been fun to get to the bottom of the problem but I need to use this machine.

Thanks for your time and the help.
Should I mark this as solved?

Offline
