Format error in certificate's notAfter field


Raúl Uría Elices

Hi,

I'm trying to connect to my VPN server, using Tunnelblick, but thinking this is OpenSSL stuff... maybe I am wrong.


When connecting I got (XX is a placeholder):

2020-12-22 17:32:49.423703 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=es, L=PXXXX, O=XX, CN=XX, emailAddress=XX, serial=17702460327850242852

I have checked this: https://mta.openssl.org/pipermail/openssl-users/2019-March/010018.html, but it seems to be something different.

When checking UTC field for server CA cert, I got:

% openssl asn1parse -in ca.crt  | grep UTC
  207:d=3  hl=2 l=  13 prim: UTCTIME           :170908154452Z
  222:d=3  hl=2 l=  13 prim: UTCTIME           :360718151218Z

Why the 'format error in certificate's notAfter field' error?


thx


Re: Format error in certificate's notAfter field

Matt Caswell-2


On 22/12/2020 17:43, Raúl Uría Elices wrote:

> Hi,
>
> I'm trying to connect to my VPN server, using Tunnelblick, but thinking
> this is OpenSSL stuff... maybe I am wrong.
>
>
> When connecting I got (XX is a placeholder):
>
> 2020-12-22 17:32:49.423703 VERIFY ERROR: depth=0, error=format error in
> certificate's notAfter field: C=es, L=PXXXX, O=XX, CN=XX,
> emailAddress=XX, serial=17702460327850242852
>
> I have checked this:
> https://mta.openssl.org/pipermail/openssl-users/2019-March/010018.html,
> but it seems to be something different.
>
> When checking UTC field for server CA cert, I got:
>
> % openssl asn1parse -in ca.crt  | grep UTC
>   207:d=3  hl=2 l=  13 prim: UTCTIME           :170908154452Z
>   222:d=3  hl=2 l=  13 prim: UTCTIME           :360718151218Z

I don't see anything obviously wrong with those encodings. Are you
willing to share the actual certificate?

Matt


Re: Format error in certificate's notAfter field

Raúl Uría Elices
Here it is:





Re: Format error in certificate's notAfter field

Thomas Dwyer III
This certificate is not the same one causing the error message in your original email. The error message you provided earlier included "serial=17702460327850242852" (or f5:ab:c5:e0:63:f5:73:24 in hex) but the certificate you provided here has serial=16005263760024127372 (de:1e:1e:97:18:ab:c7:8c).


Tom.III


On Sun, Dec 27, 2020 at 11:50 PM Raúl Uría Elices <[hidden email]> wrote:
Here it is:





Re: Format error in certificate's notAfter field

Raúl Uría Elices
I'm sorry, but I can't figure out which cert is the one with
serial=16005263760024127372. Getting the certs from the server (openssl s_client
-connect x.y.z.w:443 -showcerts), neither of the two certs shown has this
serial number.

I asked on the Tunnelblick group, but no luck at the moment
(https://groups.google.com/g/tunnelblick-discuss/c/7xKiioIZw34)
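
Added example, not part of any post in this thread: a minimal Python DER walker that extracts a certificate's serial and validity times, so the serial can be compared with the decimal one in the VERIFY ERROR line and each time string checked against the shape RFC 5280 requires. All function names are hypothetical; `sample` builds a constructed skeleton (not a real certificate) from the serial and UTCTIME values quoted above, plus one constructed notAfter that lacks seconds.

```python
import re

# RFC 5280 4.1.2.5: UTCTime must be YYMMDDHHMMSSZ, GeneralizedTime YYYYMMDDHHMMSSZ.
TIME_SHAPE = {0x17: rb"\d{12}Z", 0x18: rb"\d{14}Z"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(der):
    """Return (decimal serial, [(field, text, well_formed), ...]) for one DER certificate."""
    tbs = children(children(read_tlv(der)[1])[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional explicit [0] version
        tbs = tbs[1:]
    serial = int.from_bytes(tbs[0][1], "big")  # order: serial, sigAlg, issuer, validity
    times = [(name, val.decode("ascii", "replace"),
              bool(re.fullmatch(TIME_SHAPE.get(tag, rb"(?!)"), val)))
             for name, (tag, val) in zip(("notBefore", "notAfter"), children(tbs[3][1]))]
    return serial, times

def colon_hex(serial):
    """Format a decimal serial as colon-separated hex bytes."""
    raw = serial.to_bytes((serial.bit_length() + 7) // 8 or 1, "big")
    return ":".join(f"{b:02x}" for b in raw)

# Constructed skeleton (NOT a real certificate): only the fields up to validity.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, enough for this sample
def sample(serial, not_after):
    validity = tlv(0x17, b"170908154452Z") + tlv(0x17, not_after)
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x00" + serial.to_bytes(8, "big"))
           + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, validity))
    return tlv(0x30, tlv(0x30, tbs))

if __name__ == "__main__":
    for na in (b"360718151218Z", b"3607181512Z"):  # second value lacks seconds
        print(inspect_cert(sample(16005263760024127372, na)))
```

To use it on a real file, convert the PEM to DER first (for example with `openssl x509 -outform DER`) and pass the bytes to `inspect_cert`.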