Thanks Guillaume; your reply is very informative. I'll investigate as soon as I have a chance and get back to you.
On Mon, Feb 22, 2016 at 11:42 AM Guillaume Maudoux (Layus) <layus...@gmail.com> wrote:

> Just my two cents, but could you test again your openssl command with `-partial_chain`?
> Like in `openssl s_client -connect {HOSTNAME}:443 -partial_chain`?
>
> My reasoning is that, most probably, the certificate downloaded by chrome is an intermediate certificate, signed by some authority for your website, and not self-signed.
> Adding that certificate to the trust store does not make openssl (nor anyone else) trust your website, unless you explicitly accept partial chains.
> This is because an intermediate certificate cannot be used as a root (=self-signed) certificate.
>
> To solve the issue, you need to add the root certificate to /etc/ssl/certs/ca-certificates.crt, the one that is self-signed in the chain dumped by `openssl s_client -connect {HOSTNAME}:443 -showcerts`.
> Alternatively, when saving the certificate with chrome, you have an option to dump the whole certificate chain instead of only the last certificate in the chain.
>
> You must then include the root certificate (or the full chain, it does not matter) in security.pki.certificates.
> To avoid errors, typos and such, you can use `security.pki.certificateFiles = [ /path/to/your/root-cert.pem ]`
>
> Then, `openssl s_client -connect {HOSTNAME}:443` should work!
>
> Partial chains would be perfect for you but it is not a widely implemented feature and there is often no option to enable it.
> And that's the whole story...
>
> G.
>
> On 22/02/16 16:13, Adam Russell wrote:
> > Here's the full output of those two commands (substituting domain name and IP address):
> >
> > $ curl --cacert /etc/ssl/certs/ca-certificates.crt -v https://exch1.example.com/owa/
> > *   Trying 10.10.1.234...
> > * Connected to exch1.example.com (10.10.1.234) port 443 (#0)
> > * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> > * successfully set certificate verify locations:
> > *   CAfile: /etc/ssl/certs/ca-certificates.crt
> >   CApath: none
> > * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.0 (IN), TLS handshake, Server hello (2):
> > * TLSv1.0 (IN), TLS handshake, Certificate (11):
> > * TLSv1.0 (OUT), TLS alert, Server hello (2):
> > * SSL certificate problem: unable to get local issuer certificate
> > * Closing connection 0
> > * TLSv1.0 (OUT), TLS alert, Client hello (1):
> > curl: (60) SSL certificate problem: unable to get local issuer certificate
> > More details here: http://curl.haxx.se/docs/sslcerts.html
> >
> > curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
> > If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
> > If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
> > $ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number:
> >             04:00:00:00:00:01:15:4b:5a:c3:94
> >     Signature Algorithm: sha1WithRSAEncryption
> >         Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
> >         Validity
> >             Not Before: Sep  1 12:00:00 1998 GMT
> >             Not After : Jan 28 12:00:00 2028 GMT
> >         Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >                 Public-Key: (2048 bit)
> >                 Modulus:
> >                     00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
> >                     83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
> >                     63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
> >                     8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
> >                     70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
> >                     15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
> >                     6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
> >                     89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
> >                     54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
> >                     92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
> >                     75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
> >                     c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
> >                     bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
> >                     ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
> >                     63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
> >                     48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
> >                     07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
> >                     90:cf
> >                 Exponent: 65537 (0x10001)
> >         X509v3 extensions:
> >             X509v3 Key Usage: critical
> >                 Certificate Sign, CRL Sign
> >             X509v3 Basic Constraints: critical
> >                 CA:TRUE
> >             X509v3 Subject Key Identifier:
> >                 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
> >     Signature Algorithm: sha1WithRSAEncryption
> >          d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
> >          7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:
> >          08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:
> >          f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:
> >          56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:
> >          94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:
> >          8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:
> >          64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:
> >          2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:
> >          c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:
> >          5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:
> >          e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:
> >          e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:
> >          a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:
> >          29:26:69:e0
> > -----BEGIN CERTIFICATE-----
> > MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
> > A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
> > b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
> > MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
> > YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
> > aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
> > jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
> > xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
> > 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
> > snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
> > U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
> > 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
> > BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
> > AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
> > yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
> > 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
> > AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
> > DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
> > HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
> > -----END CERTIFICATE-----
> >
> >
> > On Fri, Feb 19, 2016 at 5:59 PM zimbatm
> > <zimb...@zimbatm.com> wrote:
> >
> > I am starting to think that the installed certificate is not the right one.
> > What if you run `curl --cacert /path/to/cert.pem -v https://yourservice`? It would be useful to get the full output to make sure we didn't miss anything. And also the output of `openssl x509 -in /path/to/cert.pem -text`.
> >
> > On Fri, 19 Feb 2016 at 22:28 Adam Russell <adam...@gmail.com> wrote:
> >
> > Using that page as reference, I ran this command:
> >
> > certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i /etc/ssl/certs/ca-certificates.crt
> >
> > That page did lead me to some other pages that might be helpful:
> > https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
> > http://blog.xelnor.net/firefox-systemcerts/
> > https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md
> >
> > And in particular, http://superuser.com/a/719047/73086
> >
> > However, things still don't work, and running the openssl command as recommended in the last link doesn't give me the expected "verify return code" of 0 (ok). Instead, it's 21 (unable to verify the first certificate).
> >
> > This is all way over my head. I have some more reading to do. Once I do figure it out, I think I will suggest having the NixOS module take care of whatever steps are necessary to fix this, assuming it can be done in a reproducible manner.
> >
> > On Fri, Feb 19, 2016 at 11:42 AM zimbatm <zimb...@zimbatm.com> wrote:
> >
> > Found this which might be useful to you: http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html
> >
> > On Fri, 19 Feb 2016 at 17:36 zimbatm <zimb...@zimbatm.com> wrote:
> >
> > curl should work just fine then.
> > Can you paste the output of `curl -v https://yoursite.com`?
> >
> > Chromium uses NSS which has another mechanism for its PKI which I don't know. Can you confirm that your cert is also in /etc/pki/tls/certs/ca-bundle.crt?
> > Also do you have anything under ~/.pki?
> >
> > On Fri, 19 Feb 2016 at 16:47 Adam Russell <adam...@gmail.com> wrote:
> >
> > The output is:
> >
> > $ echo $SSL_CERT_FILE
> > /etc/ssl/certs/ca-certificates.crt
> > $ echo $CURL_CA_BUNDLE
> >
> > $
> >
> > And yes, the certificates are in that file. Is there another step that needs to happen for curl and Chromium to be able to use them?
> >
> > On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimb...@zimbatm.com> wrote:
> >
> > What is the output of `echo $SSL_CERT_FILE` and `echo $CURL_CA_BUNDLE`?
> > If one of those is set, look in the pointed file if you can find your certificate.
> >
> > On Fri, 19 Feb 2016 at 15:12 Adam Russell <adam...@gmail.com> wrote:
> >
> > Thomas, I've not used the openssl command-line tool before, and looking at its documentation I'm not sure what command I would run in order to test it, or what output to look for. I can tell you that curl doesn't work against the domains in question, though (at least without the insecure flag).
> >
> > Regardless, with or without the "comment" with the equal signs separator, adding things to security.pki.certificates has no effect for me. Is there a bug, or am I doing something wrong?
> >
> > On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehun...@gmail.com> wrote:
> >
> > Hi Adam,
> >
> > Can you make the TLS call work with a command line tool like openssl? I'm not 100% sure but I think that Chrome might use a different set of trusted certs (based on the Mozilla ones) [1].
> >
> > ~
> >
> > [1] https://www.chromium.org/Home/chromium-security/root-ca-policy
> >
> > On 18 February 2016 at 13:53, Adam Russell <adam...@gmail.com> wrote:
> >
> > Hello Nix-Dev,
> >
> > I'm trying to understand how to install CA certificates in NixOS.
> >
> > If I visit my work's webmail in Chromium, I get an indicator that my connection is not private. Clicking the padlock icon in the address bar, then the "Certificate information" link in the Connection tab, going to the "Details" tab, and clicking "Export" allows me to download a certificate.
> >
> > The text in this export is what I am supposed to put in the array in `security.pki.certificates` option of `/etc/nixos/configuration.nix`, correct? Am I missing something?
> >
> > The documentation I am using is at: https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
> >
> > Does the text above the equal signs have any significance ("NixOS.org" in the example), or is it just a comment?
> >
> > Thanks,
> > -Adam
> >
> > _______________________________________________
> > nix-dev mailing list
> > nix-dev@lists.science.uu.nl
> > http://lists.science.uu.nl/mailman/listinfo/nix-dev