On 10/08/14 10:18, Igor Cicimov wrote:
On Wed, Oct 8, 2014 at 2:27 PM, dE <de.tec...@gmail.com> wrote:

    On 10/08/14 05:18, Igor Cicimov wrote:

    On Wed, Oct 8, 2014 at 1:59 AM, dE <de.tec...@gmail.com> wrote:

        On 10/07/14 18:12, Igor Cicimov wrote:


        On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com> wrote:

            Hi.

            I'm in a situation where I got 3 certificates

            server.pem -- the end user certificate which is sent by
            the server to the client.
            intermediate.pem -- server.pem is signed by
            intermediate.pem's private key.
            issuer.pem -- intermediate.pem is signed by issuer.pem's
            private key.

            combined.pem is created by --

            cat server.pem intermediate.pem > combined.pem

            Issuer.pem is installed in the web browser.

            The chain is working, I can verify this via the SSL
            command --

            cat intermediate.pem issuer.pem > cert_bundle.pem
            openssl verify -CAfile cert_bundle.pem server.pem
            server.pem: OK

            However, the browsers (FF, Chrome, Konqueror and wget)
            fail authentication, claiming there are no certificates
            to verify server.pem's signature.

            I'm using Apache 2.4.10 with the following --

            SSLCertificateFile /tmp/combined.pem
            SSLCertificateKeyFile /tmp/server.key


        Try this:

        $ cat issuer.pem intermediate.pem > CA_chain.pem

          SSLCertificateFile server.pem
          SSLCertificateKeyFile server.key
          SSLCertificateChainFile CA_chain.pem


        Tried this on Apache 2.2 (SSLCertificateChainFile does not
        work with 2.4) with the same issue.

    Hmm, in that case you have something mixed up, or this simply
    cannot work for self-signed certificates, since this is exactly
    what I'm using on Apache 2.2.24/26 on all our company web sites: a
    certificate signed by a CA authority and a chain certificate file
    where the authority's CA and Intermediate certs have been
    concatenated.

    Can you show us the output of:

    openssl x509 -noout -in cert.pem -text

    for all your certificates?


    $ openssl x509 -noout -in server.pem -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 13192573755114198537 (0xb7156feedab91609)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
            Validity
                Not Before: Oct  7 08:43:42 2014 GMT
                Not After : Oct  2 08:43:42 2015 GMT
            Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption


    $ openssl x509 -noout -in intermediate.pem -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
            Validity
                Not Before: Oct  7 08:42:05 2014 GMT
                Not After : Oct  2 08:42:05 2015 GMT
            Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption


    $ openssl x509 -noout -in issuer.pem -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
            Validity
                Not Before: Oct  7 08:40:29 2014 GMT
                Not After : Oct  7 08:40:29 2015 GMT
            Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha1WithRSAEncryption


And the output from the command below, executed from the client you are running wget from:

openssl s_client -connect <your_server>:443

You should see some output with lots of information regarding the SSL connection, the server certificate and something like this:

---
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

which will confirm the complete chain is being received by the client. If you see something like this at the bottom:

Verify return code: 19 (self signed certificate in certificate chain)

it means you haven't properly imported the CA chain on the client. In the case of wget, curl or other terminal tools this is done at the OS level, so you would need to consult the OS documentation about importing certificates.

You can find more about the openssl tool set here: https://www.openssl.org/docs/apps/s_client.html; it's perfect for SSL troubleshooting.



$ openssl s_client -connect server:443
gethostbyname failure
CONNECTED(00000003)
depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
   i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
 1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
 2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
---
Server certificate
subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
---
No client certificate CA names sent
---
SSL handshake has read 2391 bytes and written 498 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
    Session-ID-ctx:
    Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1412751118
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
DONE

I even tried copying issuer.pem to /etc/ssl/certs

With the same error no. 19 in the chain.

Thanks for this command. It's truly useful. That FF extension shows only 1 certificate received.
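An added check, not part of the thread: this Python script parses the "Certificate chain" listing that openssl s_client prints (the embedded sample is the listing from the message above) and reports where the order in which the server sends its certificates departs from the TLS rule that each certificate must directly certify the one before it, and whether a self-signed root is being sent at all.

```python
import re

# Constructed sample: the "Certificate chain" block from the openssl s_client
# run quoted in this thread (server first, then the root, then the intermediate).
SAMPLE_CHAIN = """\
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
   i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
 1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
 2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=AU/..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")            # "   i:/C=AU/..."

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            chain.append([m.group(2).strip(), None])
            continue
        m = ISSUER_RE.match(line)
        if m and chain and chain[-1][1] is None:
            chain[-1][1] = m.group(1).strip()
    return [tuple(c) for c in chain]

def check_chain(chain):
    """RFC 5246 7.4.2: each certificate MUST directly certify the one before it.
    Also flag a self-signed root, which the server does not need to send."""
    findings = []
    for pos, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            findings.append(f"position {pos}: self-signed root sent in the chain")
        if pos + 1 < len(chain) and chain[pos + 1][0] != issuer:
            findings.append(f"position {pos + 1}: expected the issuer of position "
                            f"{pos} ({issuer}), got {chain[pos + 1][0]}")
    return findings

if __name__ == "__main__":
    for finding in check_chain(parse_chain(SAMPLE_CHAIN)):
        print(finding)
```

On the listing above the script reports that position 1 holds the self-signed issuer rather than the intermediate that signed the server certificate, so the chain is out of order. The -text dumps earlier in the thread also show all three certificates as Version 1 (0x0), which means they carry no basicConstraints extension; RFC 5280 section 6.1.4 allows a validator to reject a v1 certificate used as an intermediate CA, which is a separate point to check.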
