From the openssl s_client log it looks like the server is not sending the whole certificate chain. You should be seeing something like:

<root cert>
<intermediate cert>
<your cert>

I am not familiar with apache, but from the documentation at http://www.apache-ssl.org/docs.html#SSLCACertificateFile, my guess is that you have not added all the intermediate roots to the CACertificatesFile, hence apache is having trouble assembling the certificate chain. I recommend adding all the intermediate certs and the root into the CA file and giving it a try.

Looking at the web site, you should add the following: Thawte SSL CA, thawte Primary Root CA, Thawte Premium Server CA. You should be able to find these certs on Thawte's web site: https://www.thawte.com/roots/index.html

Ashish.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Paul B. Henson
Sent: Monday, September 13, 2010 12:58 PM
To: openssl-users@openssl.org
Subject: Intermediate root CA's -- lost and confused :(

We just installed our first Thawte cert that uses their intermediate CAs, and it's not going as smoothly as I'd like. It's installed on an Apache server with mod_ssl, and I added the intermediate root CAs to the apache config with the SSLCACertificateFile directive. Web browsers seem happy with it; they validate the cert with no errors. I'm having trouble with command line tools under Linux though, including openssl itself.
openssl won't correctly validate the cert:

------------------------------------------------------------------------
$ openssl s_client -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
------------------------------------------------------------------------

It works fine, OTOH, with a cert signed directly by the Thawte Premium Server CA:

------------------------------------------------------------------------
$ openssl s_client -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect www.csupomona.edu:443
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/CN=www.csupomona.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/CN=www.csupomona.edu
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
 1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
------------------------------------------------------------------------

As I mentioned, web browsers work fine, and I think the server is configured correctly. Also, gnutls-cli works fine on the same box:

------------------------------------------------------------------------
$ gnutls-cli --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443
Processed 1 CA certificate(s).
Resolving 'strategic.wiki.csupomona.edu'...
Connecting to '134.71.247.55:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1021 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=California,L=Pomona,O=California State Polytechnic University\, Pomona,OU=I&IT Systems,CN=strategic.wiki.csupomona.edu', issuer `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-09-10 00:00:00 UTC', expires `2011-09-10 23:59:59 UTC', SHA-1 fingerprint `57292bcd7541c56c7b664705f0192b43a927056c'
 - Certificate[1] info:
  - subject `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', issuer `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-08 00:00:00 UTC', expires `2020-02-07 23:59:59 UTC', SHA-1 fingerprint `73e42686657aece354fbf685712361658f2f4357'
 - Certificate[2] info:
  - subject `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', issuer `C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,email=premium-ser...@thawte.com', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-17 00:00:00 UTC', expires `2020-12-30 23:59:59 UTC', SHA-1 fingerprint `1fa490d1d4957942cd23545f6e823d0000796ea2'
- The hostname in the certificate matches 'strategic.wiki.csupomona.edu'.
- Peer's certificate is trusted
------------------------------------------------------------------------

Why won't openssl verify the cert? It seems to stop and give up right after seeing the server cert, rather than downloading the rest of the certs in the chain.

I'm assuming this is why all of the tools built on top of openssl (wget, ldapsearch, etc.) are all failing:

------------------------------------------------------------------------
$ wget https://strategic.wiki.csupomona.edu/
--2010-09-13 12:55:57--  https://strategic.wiki.csupomona.edu/
Resolving strategic.wiki.csupomona.edu... 134.71.247.55
Connecting to strategic.wiki.csupomona.edu|134.71.247.55|:443... connected.
ERROR: cannot verify strategic.wiki.csupomona.edu's certificate, issued by /C=US/O=Thawte, Inc./CN=Thawte SSL CA:
  Unable to locally verify the issuer's authority.
------------------------------------------------------------------------

But again, a server with a directly signed cert works fine:

------------------------------------------------------------------------
$ wget https://www.csupomona.edu/
--2010-09-13 12:57:27--  https://www.csupomona.edu/
Resolving www.csupomona.edu... 134.71.177.148
Connecting to www.csupomona.edu|134.71.177.148|:443... connected.
HTTP request sent, awaiting response... 200 OK
------------------------------------------------------------------------

Any help much appreciated, thanks...

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org