On 10/08/14 14:33, Igor Cicimov wrote:


On Wed, Oct 8, 2014 at 6:03 PM, dE <de.tec...@gmail.com> wrote:

    On 10/08/14 10:18, Igor Cicimov wrote:
    On Wed, Oct 8, 2014 at 2:27 PM, dE <de.tec...@gmail.com> wrote:

        On 10/08/14 05:18, Igor Cicimov wrote:

        On Wed, Oct 8, 2014 at 1:59 AM, dE <de.tec...@gmail.com> wrote:

            On 10/07/14 18:12, Igor Cicimov wrote:


            On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com> wrote:

                Hi.

                I'm in a situation where I got 3 certificates

                server.pem -- the end user certificate which is sent
                by the server to the client.
                intermediate.pem -- server.pem is signed by
                intermediate.pem's private key.
                issuer.pem -- intermediate.pem is signed by
                issuer.pem's private key.

                combined.pem is created by --

                cat server.pem intermediate.pem > combined.pem

                Issuer.pem is installed in the web browser.

                The chain is working, I can verify this via the SSL
                command --

                cat intermediate.pem issuer.pem > cert_bundle.pem
                openssl verify -CAfile cert_bundle.pem server.pem
                server.pem: OK

                However the browsers (FF, Chrome, Konqueror and
                wget) fail authentication, claiming there are no
                certificates to verify server.pem's signature.

                I'm using Apache 2.4.10 with the following --

                SSLCertificateFile /tmp/combined.pem
                SSLCertificateKeyFile /tmp/server.key


            Try this:

            $ cat issuer.pem intermediate.pem > CA_chain.pem

            SSLCertificateFile server.pem
            SSLCertificateKeyFile server.key
            SSLCertificateChainFile CA_chain.pem


            Tried this on Apache 2.2 (SSLCertificateChainFile does
            not work with 2.4) with the same issue.

        Hmm, in that case you have something mixed up, or simply this
        cannot work for self-signed certificates, since this is
        exactly what I'm using on Apache 2.2.24/26 on all our
        company web sites: a certificate signed by a CA and
        a chain certificate file where the authority's CA and
        Intermediate certs have been concatenated.

        Can you show us the output of:

        openssl x509 -noout -in cert.pem -text

        for all your certificates?


        $ openssl x509 -noout -in server.pem -text
        Certificate:
            Data:
                Version: 1 (0x0)
                Serial Number: 13192573755114198537 (0xb7156feedab91609)
            Signature Algorithm: sha1WithRSAEncryption
                Issuer: C=AU, ST=Some-State, O=intermediate,
        CN=intermediate
                Validity
                    Not Before: Oct  7 08:43:42 2014 GMT
                    Not After : Oct  2 08:43:42 2015 GMT
                Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        Public-Key: (1024 bit)
                        Modulus:
        00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
        6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
        81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
        b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
        e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
        7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
        44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
        3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
        26:3f:36:cc:29:f0:69:2b:79
                        Exponent: 65537 (0x10001)
            Signature Algorithm: sha1WithRSAEncryption
        4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
        b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
        33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
        a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
        c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
        b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
        ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
                 7c:fe


        $ openssl x509 -noout -in intermediate.pem -text
        Certificate:
            Data:
                Version: 1 (0x0)
                Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
            Signature Algorithm: sha1WithRSAEncryption
                Issuer: C=AU, ST=Some-State, O=issuer, OU=signing,
        CN=issuer
                Validity
                    Not Before: Oct  7 08:42:05 2014 GMT
                    Not After : Oct  2 08:42:05 2015 GMT
                Subject: C=AU, ST=Some-State, O=intermediate,
        CN=intermediate
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        Public-Key: (1024 bit)
                        Modulus:
        00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
        f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
        df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
        2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
        df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
        14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
        78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
        f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
        3a:fd:f3:d1:f0:27:49:f4:c3
                        Exponent: 65537 (0x10001)
            Signature Algorithm: sha1WithRSAEncryption
        0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
        0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
        5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
        dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
        96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
        51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
        8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
                 57:8d


        $ openssl x509 -noout -in issuer.pem -text
        Certificate:
            Data:
                Version: 1 (0x0)
                Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
            Signature Algorithm: sha1WithRSAEncryption
                Issuer: C=AU, ST=Some-State, O=issuer, OU=signing,
        CN=issuer
                Validity
                    Not Before: Oct  7 08:40:29 2014 GMT
                    Not After : Oct  7 08:40:29 2015 GMT
                Subject: C=AU, ST=Some-State, O=issuer, OU=signing,
        CN=issuer
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        Public-Key: (1024 bit)
                        Modulus:
        00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
        7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
        72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
        26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
        af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
        e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
        d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
        af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
        05:d0:5c:50:0f:8f:3f:c4:d5
                        Exponent: 65537 (0x10001)
            Signature Algorithm: sha1WithRSAEncryption
        3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
        70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
        96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
        82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
        9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
        f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
        40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
                 68:bf


    And the output from the below command executed from the client
    you are running wget from:

    openssl s_client -connect <your_server>:443

    You should see some output with lots of information regarding the
    ssl connection, the server certificate and something like this:

    ---
    Certificate chain
     0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
     2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

    which will confirm the complete chain is being received by the
    client. If you see something like this at the bottom:

    Verify return code: 19 (self signed certificate in certificate chain)

    it means you haven't properly imported the CA chain on the client.
    In the case of wget or curl or other terminal tools this is done at
    OS level, so you would need to consult the OS documentation about
    importing certificates.

    You can find more about the openssl tool set here:
    https://www.openssl.org/docs/apps/s_client.html; it's perfect for
    ssl troubleshooting.



    $ openssl s_client -connect server:443
    gethostbyname failure
    CONNECTED(00000003)
    depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
       i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
     1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
       i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
     2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
       i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
    VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
    EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
    MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
    CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
    SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
    eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
    fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
    8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
    LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
    DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
    YdtP4bzc8AetHHz+
    -----END CERTIFICATE-----
    subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
    issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2391 bytes and written 498 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : DHE-RSA-AES256-GCM-SHA384
        Session-ID:
    FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
        Session-ID-ctx:
        Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
    0000 - b9 a3 67 f3 a1 e1 2f 40-90 64 09 db ef 26 4d b2   ..g.../@.d...&M.
    0010 - e8 a3 c2 25 30 d6 df af-8c 4d d3 19 20 83 bb c3   ...%0....M.. ...
    0020 - 6f a9 51 a3 3a 2f f5 43-1e a8 9d 1e 49 25 67 43   o.Q.:/.C....I%gC
    0030 - f0 05 3f 75 50 c8 49 2b-be 44 d2 72 58 14 2e f6   ..?uP.I+.D.rX...
    0040 - 55 a5 ba 0a 34 34 92 9f-cc 8b c1 30 55 f1 69 c0   U...44.....0U.i.
    0050 - df f8 3d 08 38 37 11 46-90 9d 88 6c ce 48 5d 79   ..=.87.F...l.H]y
    0060 - 96 bb 5a 23 56 4d e9 c3-2f 17 d9 11 45 47 fb 2b   ..Z#VM../...EG.+
    0070 - 05 1a cb 92 52 13 52 e6-72 16 44 51 3f 66 90 88   ....R.R.r.DQ?f..
    0080 - f9 2e 46 ad 44 23 5b 75-f9 69 7c 6b c0 0f 83 42   ..F.D#[u.i|k...B
    0090 - 33 c0 c1 6b 6a f8 23 55-ee 18 0c 32 f9 5a 81 6b   3..kj.#U...2.Z.k
    00a0 - 1b 4e a4 42 14 56 54 66-1d 20 2e 53 95 df 24 f5   .N.B.VTf. .S..$.
    00b0 - c6 4c 8a e2 ed bc 21 d9-ef a1 8c fb 51 36 51 8d   .L....!.....Q6Q.

        Start Time: 1412751118
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    DONE

    I even tried copying issuer.pem to /etc/ssl/certs

    With the same error no. 19 in the chain.

    Thanks for this command. It's truly useful. That FF extension
    shows only 1 certificate received.


You need to point the tool to the CA path like this:

$ openssl s_client -connect server:443 -CApath /etc/ssl/certs

then the cert will get properly validated.


I pointed it to the location where all of my relevant *.pem files are, and I still get error 19.
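One detail in the s_client dump above is worth ruling out before blaming the client trust store: the server sends its chain as leaf (0), self-signed issuer (1), intermediate (2). TLS 1.2 (RFC 5246, section 7.4.2) requires each certificate in the list to directly certify the one preceding it, and `openssl verify -CAfile cert_bundle.pem server.pem` never exercises that ordering because it searches the whole bundle for an issuer. The script below is an added example written for this thread, not code posted by either participant. Using only the Python standard library, it walks the DER of the server certificate printed in the s_client output to extract subject and issuer, and checks a presented chain for leaf-first ordering and a misplaced self-signed root; the three DN strings are constructed from the "Certificate chain" section above, and the function names (`subject_issuer`, `check_chain_order`, `reorder_chain`) are chosen here.

```python
import base64
import re

# Server certificate exactly as dumped by `openssl s_client` in the thread above.
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
YdtP4bzc8AetHHz+
-----END CERTIFICATE-----"""

# (subject, issuer) pairs in the order the server sent them, constructed from
# the "Certificate chain" section of the s_client output above.
SERVER = "C=AU,ST=Some-State,O=server,OU=IT,CN=server"
INTERMEDIATE = "C=AU,ST=Some-State,O=intermediate,CN=intermediate"
ISSUER = "C=AU,ST=Some-State,O=issuer,OU=signing,CN=issuer"
CHAIN_AS_SENT = [(SERVER, INTERMEDIATE), (ISSUER, ISSUER), (INTERMEDIATE, ISSUER)]

# Attribute type OIDs we render by their short name; anything else stays dotted.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Parse one DER TLV; return (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = read_tlv(buf, pos)
        yield tag, vs, ve


def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(buf, start, end):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as 'C=AU,ST=...'."""
    parts = []
    for _, rdn_s, rdn_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, rdn_s, rdn_e):
            (_, os_, oe), (vtag, vs, ve) = list(children(buf, atv_s, atv_e))
            oid, raw = decode_oid(buf[os_:oe]), buf[vs:ve]
            text = raw.decode("utf-16-be") if vtag == 0x1E else raw.decode("utf-8", "replace")
            parts.append(f"{OID_NAMES.get(oid, oid)}={text}")
    return ",".join(parts)


def subject_issuer(pem):
    """Return (subject, issuer) of a PEM certificate without verifying anything."""
    der = pem_to_der(pem)
    _, cert_s, _, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e, _ = read_tlv(der, cert_s)         # tbsCertificate ::= SEQUENCE
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                           # explicit [0] version; v1 certs omit it
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return decode_name(der, *fields[4][1:]), decode_name(der, *fields[2][1:])


def check_chain_order(chain):
    """Report where a leaf-first chain breaks the 'next cert certifies this one' rule."""
    problems = []
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"cert {i} is issued by {chain[i][1]!r} but is followed by {chain[i + 1][0]!r}")
    for i, (subj, iss) in enumerate(chain):
        if subj == iss and i != len(chain) - 1:
            problems.append(f"self-signed cert {i} ({subj!r}) appears before the end of the chain")
    return problems


def reorder_chain(chain):
    """Rebuild the chain leaf-first by following issuer links through the bundle."""
    by_subject = {subj: (subj, iss) for subj, iss in chain}
    issuers = {iss for subj, iss in chain if subj != iss}
    leaves = [c for c in chain if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError("chain must contain exactly one end-entity certificate")
    ordered = [leaves[0]]
    while len(ordered) <= len(chain):
        subj, iss = ordered[-1]
        if subj == iss or iss not in by_subject:       # reached a self-signed root or left the bundle
            return ordered
        ordered.append(by_subject[iss])
    raise ValueError("issuer links form a cycle")


if __name__ == "__main__":
    print("leaf subject/issuer:", subject_issuer(SERVER_PEM))
    for p in check_chain_order(CHAIN_AS_SENT):
        print("problem:", p)
    print("leaf-first order:", [s for s, _ in reorder_chain(CHAIN_AS_SENT)])
```

Matching subject and issuer as rendered strings is a simplification of what a real path builder does (it compares the DER-encoded Names and, where present, the Authority/Subject Key Identifier extensions, which these Version 1 certificates do not carry), but it is enough to spot the out-of-order chain in the dump above. Whether a given client tolerates an out-of-order chain depends on its path builder, so fixing the order on the server side removes one variable from the investigation.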
