Search code examples
opensslcertificate

Openssl telling certificate has expired when it has not

I'm having an issue with curl and openssl reporting a client certificate as expired, even though it's notAfter date is in the future:

# echo | openssl s_client -showcerts -connect example.com:443 2>&1 | grep Verify
    Verify return code: 10 (certificate has expired)

But 

# echo | openssl s_client -showcerts -connect example.com:443 2>&1 | openssl x509 -noout -dates
notBefore=Oct 17 00:00:00 2011 GMT
notAfter=Oct 21 12:00:00 2014 GMT

System date is correct. Firefox is not showing any error for that site's cert either. Openssl versions I tried are OpenSSL 1.0.1e-fips 11 Feb 2013 and OpenSSL 1.0.1f 6 Jan 2014. I've found a similar-looking issue here where the author claims that the issue is missing in openssl 0.9.8, but present in 1.0.1.

Why is this happening?

Solution

  • My problem was that the certificate did expire, but not this particular one, but one in the signing chain.

    For example, for google this command openssl s_client -showcerts -connect google.com:443 </dev/null | openssl x509 -noout -dates shows:

    notBefore=Oct  6 12:37:54 2016 GMT
notAfter=Dec 29 12:28:00 2016 GMT

    However just openssl s_client -showcerts -connect google.com:443 </dev/null shows not 1, but 3 certificates (enclosed in ---BEGIN/END CERTIFICATE--- parts), the first one is of google and it is the one actually checked. To verify this, I've copied (there should probably be a less manual way) the first one to /tmp/google and the last one to /tmp/geotrust, now running openssl x509 -noout -dates < /tmp/google gives me:

    notBefore=Oct  6 12:37:54 2016 GMT
notAfter=Dec 29 12:28:00 2016 GMT

    Which matches the first command's output, and openssl x509 -noout -dates < /tmp/geotrust:

    notBefore=May 21 04:00:00 2002 GMT
notAfter=Aug 21 04:00:00 2018 GMT

    Which is different and was not shown before. So in the end my problem was that for one of the higher authority certificates was indeed outdated.

    And BTW as the comment to the question suggests upgrading OS to fix this issue - I imagine the cause is the same. OS comes with a bunch of root certificates, so if you have crazy old OS, some of those might expire, you can either upgrade those root certs, or the whole OS to fix the issue.

    Also handy to know that running without showcerts gives you a nice view of the cert chain - openssl s_client -connect google.com:443 </dev/null:

    ---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

    All of these need not to be expired.