Server cert for www.pivccu.de is invalid

Question

Server cert for www.pivccu.de is invalid

hprotzek opened this issue 2 years ago · 2 comments

Apt update failed today and as far as I can see, the server cert for www.pivccu.de is invalid, or maybe something in the chain is missing?

openssl s_client -showcerts -servername www.pivccu.de -connect www.pivccu.de:443 </dev/null

CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.pivccu.de
verify return:1
---
Certificate chain
 0 s:/CN=www.pivccu.de
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIFHjCCBAagAwIBAgISA9WYzt0xQWuLJeZP9a4kPs0rMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEyMjkwODE3MzdaFw0yMjAzMjkwODE3MzZaMBgxFjAUBgNVBAMT
DXd3dy5waXZjY3UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDX
Eujue0OHlhFhHf/Fx9zvF86oirP9TXMVeyC/tC5QjO2cadywHOSB1KQ6pvmESJvY
BgMfdd0wjI8hOyt9rN2LRZZAN0PDI1zx+z7HcIEGB/BH3vzNzJi+4YlsUTbw3zTN
TeIDju3d3ILNyC9yka484D+WWysiPBIAjtZbl+NgYWp08yJaUTtBwHR0c8+oWW6H
yfCYF0Th4C9jgXLkpWIraVPvKsVDGJSDwm3leO0budeYwj9LX/GID2fTzP8nPRpF
tjscx3V7Qek8eGcMh5u/LTH4QyrdJXQuZoYptndP2v9EV+i20sR05nPp/HfFj+At
7v74ziqkB9Ducd0rweGPAgMBAAGjggJGMIICQjAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
BBYEFISOkX4vLWSUBYSkbUcWedgOLr6zMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJ
QOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3Iz
Lm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcv
MBgGA1UdEQQRMA+CDXd3dy5waXZjY3UuZGUwTAYDVR0gBEUwQzAIBgZngQwBAgEw
NwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5j
cnlwdC5vcmcwggECBgorBgEEAdZ5AgQCBIHzBIHwAO4AdQBGpVXrdfqRIDC1oolp
9PN9ESxBdL79SbiFq/L8cP5tRwAAAX4Few46AAAEAwBGMEQCIEmMFUzmPjeOvL4u
t1X7GYOwhGGzGYnOxAFYynt0BWtIAiAnyjzxb9YDngjEQIFeArWENf7CjpKbrUiY
+e9oA5peoAB1AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2AAABfgV7
D+sAAAQDAEYwRAIgB7JKAveL54PsomboLoUsLGOVmLkIG/7Uz0U8BUlvqI4CIHoK
1BtcGoa6fe7esLiAhFTrLenqKDJe29HJ6U3VVFBuMA0GCSqGSIb3DQEBCwUAA4IB
AQCM0gT1cpu534tGnUCG/XwAYO276wRjlwkZSbdPvlGnSzmElGpFhfxH3+8w42Go
JYGmJyf1Pn6bNpCot460E2rsFOSXE3kHrWtoA3TNPyEH/ynFqe8oBFL0Te3DDzda
A8Ac5n0XmhwgBQCecXBUYQf2/fFhnXCRnb4K7psC2iMzRQWR8YlSKdeVKjVAMCbA
jGfh0DnIxiVaRR+MmV/Ss7DiMpcLsqLb8oyFj81yKb4KkR6CT/GMhshDQpAT93jc
LED7tgOn+v3DYxDvgspA/IdUBo8477L8lNh94l1h/2aOSErihfIZy1XHtvXth+A9
eO5W6myvNnbqiP+YBPMDMTxu
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.pivccu.de
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4663 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 770CE4CD6F0A762ABDAE1231849B76BF49DBCB80F36E3CAB12A43712B330A91A
    Session-ID-ctx:
    Master-Key: 058CE99AC8120348818BF2A4F945EB496F1D8604AE397C3B950E76E44323F4C4605C2DD2B2A398EC45BBB6202F62B77C
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ef a9 a3 c6 81 e6 c4 0a-ef 37 06 50 77 26 53 17   .........7.Pw&S.
    0010 - 84 30 c2 5b 9b dd ad 77-8b b4 4d 83 b7 76 96 cf   .0.[...w..M..v..
    0020 - 82 38 fd 9d 62 a4 a4 f5-b9 97 fb 4b 5b 9f a2 20   .8..b......K[..
    0030 - 49 91 81 f4 72 90 e9 e8-e5 44 11 c4 d0 62 0f b3   I...r....D...b..
    0040 - 95 f3 0d 2b 35 27 13 88-d9 31 de 86 1c f2 8f 7e   ...+5'...1.....~
    0050 - 8c 62 9f 3f dd c4 9c fd-72 8a 10 e4 fa a0 53 dc   .b.?....r.....S.
    0060 - aa 05 9c 21 95 48 ad 4b-27 28 25 e3 c1 c5 49 a0   ...!.H.K'(%...I.
    0070 - aa 00 9e ca cf 25 a9 b1-a8 ee 9b 0e 71 f8 86 80   .....%......q...
    0080 - f7 85 22 0a 5a aa 3a b1-07 b3 df bf a9 35 2b 2b   ..".Z.:......5++
    0090 - ff c7 6d f6 c4 95 93 cc-0d 8b 8a ed ff 79 4a 56   ..m..........yJV
    00a0 - 9b f5 8c 7e e0 d3 d9 6f-d7 35 ea be 17 41 a8 eb   ...~...o.5...A..
    00b0 - 67 91 60 4b 85 a1 66 12-02 93 60 b2 cc 28 42 b5   g.`K..f...`..(B.

    Start Time: 1643389411
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Quick and dirty workaround was to ignore that :-(

echo 'Acquire::https::www.pivccu.de::Verify-Peer "false";' > /etc/apt/apt.conf.d/99pivccu-cert

Answer 1 · 2022-01-28T19:29:22.000Z

Your Let's Encrypt Root Certificate is outdates, see e.g. #401 or #404

Answer 2 · 2022-01-29T17:31:28.000Z

Thank you, was confused, because Chrome also failed with that.