Can't connect to some trackers after certificate expired

Ask for help and report issues with the Mac OS X version of Transmission
jbucanek
Posts: 7
Joined: Wed Jun 29, 2011 12:54 am

Can't connect to some trackers after certificate expired

Post by jbucanek »

The DST Root CA X3 root certificate has expired, and Transmission will no longer connect to some trackers. Other trackers work just fine.

All of the affected trackers simply report "Announce error: Cannot connect to tracker"

If I try to connect to the tracker via curl, I get this:


admin:~ redqueen$ curl https://the.problem.tracker.co/announce.php?passkey=96...59
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
I have tried following various suggestions for fixing this, like this one, to install new root certificates, but it hasn't fixed the problem for Transmission.

I know this isn't a Transmission problem, per se, but does anyone know how to diagnose and fix this?
jbucanek
Posts: 7
Joined: Wed Jun 29, 2011 12:54 am

Re: Can't connect to some trackers after certificate expired

Post by jbucanek »

So, I'm not an expert, but ... here's what I've discovered.

This appears to be an issue with the certificate chain, although a subtle one. From what I can discover, this domain is signed with the following certificate chain:

immortalseed.me --> R3 --> ISRG Root X1 --> DST Root CA X3

DST Root CA X3 has expired, but ISRG Root X1 is actually self-signed.

So it appears that some software (modern browsers, etc.) contains code that can figure out that, while DST Root CA X3 has expired, which would normally make the chain invalid, the chain is actually still valid because ISRG Root X1 is self-signed too. You can see this in Safari (see attached image file -- apparently I can't attach an image, so just use Safari to go to the website and look at the certificates by clicking on the lock icon).

On the other hand, openssl (and, I suspect, by extension curl) does not handle this well. When I use the openssl command to explore the certificate chain, I get this:


woodland:~ james$ openssl s_client -showcerts -servername immortalseed.me -connect immortalseed.me:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
 0 s:/CN=immortalseed.me
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=immortalseed.me
issuer=/C=US/O=Let's Encrypt/CN=R3
---
When curl/openssl perform this task, they rattle through the chain (immortalseed.me -> R3 -> ISRG Root X1 -> DST Root CA X3) and determine that the chain is expired, because DST Root CA X3 is expired.

One solution I've read about is to remove the DST Root CA X3 certificate, but in macOS that is on the System Roots keychain, which isn't editable.

Another solution would be for Transmission to perform the same kind of certificate validation that the browser does, but I won't pretend to know how that would happen.
TheBang
Posts: 25
Joined: Thu Oct 25, 2007 2:09 am

Re: Can't connect to some trackers after certificate expired

Post by TheBang »

jbucanek wrote: Fri Oct 08, 2021 5:07 pm One solution I've read about is to remove the DST Root CA X3 certificate, but in macOS that is on the System Roots keychain, which isn't editable.
This is the only part of your analysis that is wrong. The macOS Trust Store (Keychain Access) is not used by curl/libcurl on macOS, so trying to modify those certificates is a waste of time. Transmission uses curl and the CA store that it uses. You can find out where that is like so:


$ curl -v https://www.google.com 2>&1 | grep CAfile
*   CAfile: /etc/ssl/cert.pem
So, the LibreSSL/OpenSSL version on macOS Mojave and earlier apparently contains an issue where it checks the cross-signing of ISRG Root X1 to the expired DST Root CA X3, if the server is providing the ISRG Root X1 certificate, and does not accept the self-signed ISRG Root X1 in your store. So, in order to fix the issue, you have to both remove the expired DST Root CA X3 from cert.pem and also add ISRG Root X1.

You can either do that manually by editing the file, or you can just replace the entire cert.pem certificate store. Mine hadn't been updated since before 2017, so I opted to replace it with the latest Mozilla CA certificate store, like so:
  1. Download cacert.pem from https://curl.se/docs/caextract.html
  2. Back up the existing cert store:

     sudo cp -p /etc/ssl/cert.pem /etc/ssl/cert.pem.bak

  3. Install the new store:

     sudo mv ~/Downloads/cacert.pem /etc/ssl/cert.pem
No restart of Transmission is necessary. Connections will immediately start working.
Replacing the above certificate store takes care of removing the expired DST Root CA X3, and adding the new ISRG Root X1.
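Added example (not code from the thread, Transmission, curl or LibreSSL): a POSIX shell script that serves both jbucanek's chain analysis above and TheBang's bundle fix. It generates a throwaway PKI that mirrors the chain from the thread (leaf -> R3 -> ISRG Root X1 cross-signed by DST Root CA X3, with ISRG Root X1 also self-signed), reproduces the "certificate has expired" verify error with a store that only knows the expired root, then rebuilds the bundle the way the fix does: drop the expired root, append the self-signed ISRG Root X1, back up and swap the live file. The certificate names are stand-ins generated on the spot, not the real Let's Encrypt or DST certificates; tracker.example, Example Root CA and the file names are constructed for the example. Expiry is simulated with `openssl verify -attime` two days in the future rather than by waiting. The case where the store holds both roots is printed for comparison: OpenSSL 1.1.0 and later prefer a trusted self-signed match over walking on through the cross-signature, which is what the thread's LibreSSL did not do. Requires openssl, awk and a POSIX sh.

```sh
#!/bin/sh
# Added example, not from the thread: rebuild the cross-signing situation with a throwaway
# PKI, reproduce the expired-root failure, then rebuild a CA bundle the way the fix does.
# Every certificate below is a stand-in generated here, not a real Let's Encrypt/DST cert.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:tracker.example
EOF

newkey()   { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
selfsign() { # subject key days out
  openssl req -x509 -new -sha256 -key "$2" -config ext.cnf -subj "$1" -days "$3" -out "$4"; }
issue()    { # subject key issuer-cert issuer-key ext-section days out
  openssl req -new -sha256 -key "$2" -config ext.cnf -subj "$1" -out "$7.csr"
  openssl x509 -req -sha256 -in "$7.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
          -extfile ext.cnf -extensions "$5" -days "$6" -out "$7" 2>/dev/null; }

# Mirror the thread's chain: leaf -> R3 -> ISRG Root X1 (cross-signed by DST Root CA X3),
# with ISRG Root X1 also self-signed. The stand-in DST root lives one day, the rest 30 days.
build_pki() {
  newkey dst.key; newkey isrg.key; newkey r3.key; newkey leaf.key; newkey other.key
  selfsign "/O=Digital Signature Trust Co./CN=DST Root CA X3" dst.key 1 dst.pem
  selfsign "/O=Internet Security Research Group/CN=ISRG Root X1" isrg.key 30 isrg-self.pem
  selfsign "/O=Example/CN=Example Root CA" other.key 30 other.pem   # unrelated, still valid
  issue "/O=Internet Security Research Group/CN=ISRG Root X1" isrg.key dst.pem dst.key v3_ca 30 isrg-cross.pem
  issue "/O=Let's Encrypt/CN=R3" r3.key isrg-self.pem isrg.key v3_ca 30 r3.pem
  issue "/CN=tracker.example" leaf.key r3.pem r3.key v3_leaf 30 leaf.pem
  cat r3.pem isrg-cross.pem > served-chain.pem   # what the tracker's TLS server hands out
}

split_bundle() { # bundle dir: one file per certificate, text between certificates dropped
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/" n ".pem"; w=1} w{print > f}
                 /-----END CERTIFICATE-----/{close(f); w=0}' "$1"; }
each_cert() { # bundle, then "openssl x509" arguments applied to every certificate in it
  d=$(mktemp -d); split_bundle "$1" "$d"; shift
  for f in "$d"/*.pem; do openssl x509 -in "$f" "$@"; done; rm -rf "$d"; }
describe_chain() { each_cert "$1" -noout -subject -issuer -enddate -nameopt RFC2253; }
list_subjects()  { each_cert "$1" -noout -subject -nameopt RFC2253; }

# Path validation of the leaf against a trust store, evaluated as of an epoch time
# (-attime) so the expiry can be simulated without waiting. Prints OK or the verify error.
verify_at() { # store epoch
  openssl verify -attime "$2" -CAfile "$1" -untrusted served-chain.pem leaf.pem 2>&1 || true; }

# The thread's fix, automated: keep every certificate still valid at epoch $3, drop the
# expired ones (reported on stderr), then append the extra root(s) in $4.
rebuild_store() { # old-bundle new-bundle epoch extra-pem
  d=$(mktemp -d); split_bundle "$1" "$d"; : > "$2"
  for f in "$d"/*.pem; do
    if openssl x509 -in "$f" -noout -checkend "$(( $3 - $(date +%s) ))" >/dev/null; then
      openssl x509 -in "$f" >> "$2"
    else
      echo "dropping expired: $(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)" >&2
    fi
  done
  cat "$4" >> "$2"; rm -rf "$d"; }

# Swap the live store (e.g. /etc/ssl/cert.pem, which needs sudo) keeping a backup beside it.
install_store() { # new-bundle live-path
  cp -p "$2" "$2.bak"; cp "$1" "$2.tmp" && mv "$2.tmp" "$2"; }

FUTURE=$(( $(date +%s) + 172800 ))   # two days on: the stand-in DST root has expired by then
build_pki
cat dst.pem other.pem > old-store.pem      # a stale store: the expired root plus one valid root
cat dst.pem isrg-self.pem > both.pem       # both roots present, as in an updated store
describe_chain served-chain.pem
echo "--- store holds the expired DST root only:";      verify_at old-store.pem  "$FUTURE"
echo "--- store holds the self-signed ISRG root only:"; verify_at isrg-self.pem "$FUTURE"
echo "--- store holds both roots (OK on OpenSSL 1.1.0+):"; verify_at both.pem   "$FUTURE"
rebuild_store old-store.pem new-store.pem "$FUTURE" isrg-self.pem
echo "--- rebuilt store:";                              verify_at new-store.pem  "$FUTURE"
```

To apply this to a real machine, run rebuild_store against the existing /etc/ssl/cert.pem with the real self-signed ISRG Root X1 PEM as the extra file, then install_store under sudo; if you replace the whole bundle with a downloaded cacert.pem instead, as in the steps above, check the download against its published SHA-256 before installing it, since this file decides which servers curl (and therefore Transmission) will trust. The -attime trick is also a handy way to check an existing store against the next root expiry before it happens.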
Clem777
Posts: 1
Joined: Fri Dec 17, 2021 6:20 pm

Re: Can't connect to some trackers after certificate expired

Post by Clem777 »

Thanks TheBang, it worked perfectly!
jbucanek
Posts: 7
Joined: Wed Jun 29, 2011 12:54 am

Re: Can't connect to some trackers after certificate expired

Post by jbucanek »

TheBang wrote: Tue Oct 19, 2021 2:39 pm This is the only part of your analysis that is wrong.
I did say I wasn't an expert. :wink:

I was able to get Transmission working again by updating the /etc/ssl/cert.pem file as described.

However, I got side-tracked a little with the instructions to locate the certificates file with


$ curl -v https://www.google.com 2>&1 | grep CAfile
That code gave me a location of /opt/local/share/curl/curl-ca-bundle.crt.

Updating that file fixed curl, but not Transmission.

Thanks for the (actual) expert help. :D
TheBang
Posts: 25
Joined: Thu Oct 25, 2007 2:09 am

Re: Can't connect to some trackers after certificate expired

Post by TheBang »

jbucanek wrote: Mon Feb 21, 2022 9:00 pm That code gave me a location of /opt/local/share/curl/curl-ca-bundle.crt.

Updating that file fixed curl, but not Transmission.
Ah yes, it sounds like you probably had a Homebrew or MacPorts or similar version of curl installed? Transmission was probably still using the system libcurl though.

In any case, since my post last year, I learned that all the macOS versions use "/etc/ssl/cert.pem" by default, so you can just use that without checking.
jbucanek wrote: Mon Feb 21, 2022 9:00 pm I did say I wasn't an expert. :wink:

Thanks for the (actual) expert help. :D
Your post was actually the first one I came across that was a complete, accurate analysis of what was causing the problem, which helped me formulate the simplest solution, so thanks for that.