View Issue Details

ID: 0002026
Project: Xdebug
Category: Installation
View Status: public
Last Update: 2021-10-01 16:53
Reporter: tomjn
Assigned To: derick
Priority: urgent
Severity: major
Reproducibility: N/A
Status: closed
Resolution: no change required
Summary: 0002026: xdebug.org SSL certificates depend on an untrusted root authority DST Root CA X3
Description

Let's Encrypt's oldest root certificate expired on September 30th, and xdebug.org has a certificate that depends on this. As a result it no longer works on some environments.

This article covers testing and fixing the issue:

https://medium.com/geekculture/will-you-be-impacted-by-letsencrypt-dst-root-ca-x3-expiration-d54a018df257

Here is the letsencrypt notice:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Steps To Reproduce

Run this command:

openssl s_client -servername xdebug.org -showcerts -connect xdebug.org:443

Output on my machine:

openssl s_client -servername xdebug.org -showcerts -connect xdebug.org:443
CONNECTED(00000005)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0

Certificate chain
0 s:/CN=xdebug.org
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=xdebug.org
issuer=/C=US/O=Let's Encrypt/CN=R3

No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits

SSL handshake has read 5097 bytes and written 373 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D2EC5D6FA92F3228840CC069BFDF4010D53D3F743594B99650D82913B1E2AC0F
Session-ID-ctx:
Master-Key: 71D7D6E0AA641EF126229E7437DB40E2DE22DF969347778E2646BB64109C4096BBE568E6655219C8E210156B5EA1D188
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:

Start Time: 1633096351
Timeout   : 7200 (sec)
Verify return code: 0 (ok)

closed

Tags: No tags attached.
Operating System:
PHP Version: 8.0.5-8.0.9

Activities

derick

2021-10-01 14:27

administrator   ~0006065

That works just fine for me:


derick@gargleblaster:~$ openssl s_client -servername xdebug.org -showcerts -connect xdebug.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xdebug.org
verify return:1

Certificate chain
0 s:CN = xdebug.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3

Server certificate
subject=CN = xdebug.org

issuer=C = US, O = Let's Encrypt, CN = R3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits

SSL handshake has read 5129 bytes and written 749 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

tomjn

2021-10-01 15:03

reporter   ~0006066

It seems the results are inconsistent: I get the same as you from a Digital Ocean VPS, yet an AWS environment gives me this:

$ openssl s_client -servername xdebug.org -showcerts -connect xdebug.org:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT

Has DNS or provisioning recently changed for xdebug.org? A colleague had a theory that it may be a DNS propagation issue with an old server running the outdated certificate.

tomjn

2021-10-01 15:05

reporter   ~0006067

It also looks like your machine trusts the root CA certificate in question. Have you installed the ca-certificates apt package on your machine?

derick

2021-10-01 15:18

administrator   ~0006068

I haven't changed anything for a long time. I should have had this double root since Let's Encrypt added it. And yes, I do have that package installed, and I indeed have that "new" ISRG Root X1 trusted too:


$ sudo apt install ca-certificates

ca-certificates is already the newest version (20210119).


$ dpkg -L ca-certificates | grep ISRG
/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

I don't think there is anything wrong on the Xdebug side here, but rather that you either have an outdated openssl or do not have a trust chain for the ISRG Root X1.
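As an added example, not part of this issue thread: a small Python helper that classifies the per-depth verify lines printed by the openssl s_client command from the steps to reproduce, separating the expired DST Root CA X3 cross-sign case (the diagnosis in the comment above: outdated OpenSSL, or ISRG Root X1 not in the trust store) from a chain that verifies up to ISRG Root X1. The function names and verdict strings are my own; the samples are constructed from the outputs quoted in this issue.

```python
# Triage helper: classify the per-depth "verify" lines `openssl s_client` prints
# before the chain (the reporter's build still ended "Verify return code: 0 (ok)").
import re

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
X509_V_ERR_CERT_HAS_EXPIRED = 10       # OpenSSL error number quoted above
EXPIRED_CROSS_SIGN = "DST Root CA X3"  # expired 30 Sep 2021
CURRENT_ROOT = "ISRG Root X1"          # where a current trust store stops

def parse_verify_lines(output):
    """Return [(depth, subject, [(errnum, message), ...])] in print order."""
    entries, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = DEPTH_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2), [])
            entries.append(current)
            continue
        m = ERROR_RE.match(line)
        if m and current is not None:
            current[2].append((int(m.group(1)), m.group(2)))
    return entries

def classify(output):
    """Map s_client verify output to one of a few actionable verdicts."""
    entries = parse_verify_lines(output)
    if not entries:
        return "no-verify-output"
    # Path building walked past ISRG Root X1 to the expired cross-sign: the
    # trust store lacks ISRG Root X1, or OpenSSL is too old to stop there.
    for _, subject, errors in entries:
        if EXPIRED_CROSS_SIGN in subject and any(
                n == X509_V_ERR_CERT_HAS_EXPIRED for n, _ in errors):
            return "expired-cross-sign"
    if any(errors for _, _, errors in entries):
        return "other-error"
    deepest = max(entries, key=lambda e: e[0])
    return "ok" if CURRENT_ROOT in deepest[1] else "ok-unexpected-root"

# Constructed samples, trimmed from the two outputs quoted in this issue.
FAILING = ("depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3\n"
           "verify error:num=10:certificate has expired\nverify return:0\n")
PASSING = ("depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
           "verify return:1\ndepth=1 C = US, O = Let's Encrypt, CN = R3\n"
           "verify return:1\ndepth=0 CN = xdebug.org\nverify return:1\n")

if __name__ == "__main__":
    print(classify(FAILING), classify(PASSING))  # expired-cross-sign ok
```

Pipe the saved s_client output into classify() on the affected host; once ca-certificates is updated so that ISRG Root X1 is trusted, the first verdict should turn into the second.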

Issue History

Date Modified Username Field Change
2021-10-01 14:01 tomjn New Issue
2021-10-01 14:27 derick Note Added: 0006065
2021-10-01 15:03 tomjn Note Added: 0006066
2021-10-01 15:05 tomjn Note Added: 0006067
2021-10-01 15:18 derick Note Added: 0006068
2021-10-01 16:53 derick Assigned To => derick
2021-10-01 16:53 derick Status new => closed
2021-10-01 16:53 derick Resolution open => no change required