On 08/10/2014 9:16 PM, "dE" <de.tec...@gmail.com
<mailto:de.tec...@gmail.com>> wrote:
>
> On 10/08/14 14:33, Igor Cicimov wrote:
>>
>>
>>
>> On Wed, Oct 8, 2014 at 6:03 PM, dE <de.tec...@gmail.com
<mailto:de.tec...@gmail.com>> wrote:
>>>
>>> On 10/08/14 10:18, Igor Cicimov wrote:
>>>>
>>>> On Wed, Oct 8, 2014 at 2:27 PM, dE <de.tec...@gmail.com
<mailto:de.tec...@gmail.com>> wrote:
>>>>>
>>>>> On 10/08/14 05:18, Igor Cicimov wrote:
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.tec...@gmail.com
<mailto:de.tec...@gmail.com>> wrote:
>>>>>>>
>>>>>>> On 10/07/14 18:12, Igor Cicimov wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com
<mailto:de.tec...@gmail.com>> wrote:
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> I'm in a situation where I got 3 certificates
>>>>>>>>>
>>>>>>>>> server.pem -- the end user certificate which's sent by the
server to the client.
>>>>>>>>> intermediate.pem -- server.pem is signed by
intermediate.pem's private key.
>>>>>>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's
private key.
>>>>>>>>>
>>>>>>>>> combined.pem is created by --
>>>>>>>>>
>>>>>>>>> cat server.pem intermediate.pem > combined.pem
>>>>>>>>>
>>>>>>>>> Issuer.pem is installed in the web browser.
>>>>>>>>>
>>>>>>>>> The chain is working, I can verify this via the SSL command --
>>>>>>>>>
>>>>>>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>>>>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>>>>>>> server.pem: OK
>>>>>>>>>
>>>>>>>>> However the browsers (FF, Chrome, Konqueror and wget) fail
authentication, claiming there are no certificates to verity
server.pem's signature.
>>>>>>>>>
>>>>>>>>> I'm using Apache 2.4.10 with the following --
>>>>>>>>>
>>>>>>>>> SSLCertificateFile /tmp/combined.pem
>>>>>>>>> SSLCertificateKeyFile /tmp/server.key
>>>>>>>>>
>>>>>>>>
>>>>>>>> Try this:
>>>>>>>>
>>>>>>>> $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>>>>>>
>>>>>>>> SSLCertificateFile server.pem
>>>>>>>> SSLCertificateKeyFile server.key
>>>>>>>> SSLCertificateChainFile CA_chain.pem
>>>>>>>>
>>>>>>>
>>>>>>> Tried this on Apache 2.2 (SSLCertificateChainFile does not
work with 2.4) with the same issue.
>>>>>>
>>>>>>
>>>>>> Hmm in that case you have something mixed up or simply this can
not work for self signed certificates since this is exactly what I'm
using on Apache 2.2.24/26 on all our company web sites: a certificate
signed by CA authority and a chain certificate file where the
authorities CA and Intermediate certs have been concatenated.
>>>>>>
>>>>>> Can you show us the output of:
>>>>>>
>>>>>> openssl x509 -noout -in cert.pem -text
>>>>>>
>>>>>> for all your sertificates?
>>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in server.pem -text
>>>>> Certificate:
>>>>> Data:
>>>>> Version: 1 (0x0)
>>>>> Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>> Validity
>>>>> Not Before: Oct 7 08:43:42 2014 GMT
>>>>> Not After : Oct 2 08:43:42 2015 GMT
>>>>> Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>> Subject Public Key Info:
>>>>> Public Key Algorithm: rsaEncryption
>>>>> Public-Key: (1024 bit)
>>>>> Modulus:
>>>>> 00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
>>>>> 6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
>>>>> 81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
>>>>> b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
>>>>> e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
>>>>> 7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
>>>>> 44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
>>>>> 3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
>>>>> 26:3f:36:cc:29:f0:69:2b:79
>>>>> Exponent: 65537 (0x10001)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> 4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
>>>>> b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
>>>>> 33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
>>>>> a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
>>>>> c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
>>>>> b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
>>>>> ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
>>>>> 7c:fe
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>>> Certificate:
>>>>> Data:
>>>>> Version: 1 (0x0)
>>>>> Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>> Validity
>>>>> Not Before: Oct 7 08:42:05 2014 GMT
>>>>> Not After : Oct 2 08:42:05 2015 GMT
>>>>> Subject: C=AU, ST=Some-State, O=intermediate,
CN=intermediate
>>>>> Subject Public Key Info:
>>>>> Public Key Algorithm: rsaEncryption
>>>>> Public-Key: (1024 bit)
>>>>> Modulus:
>>>>> 00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
>>>>> f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
>>>>> df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
>>>>> 2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
>>>>> df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
>>>>> 14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
>>>>> 78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
>>>>> f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
>>>>> 3a:fd:f3:d1:f0:27:49:f4:c3
>>>>> Exponent: 65537 (0x10001)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> 0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
>>>>> 0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
>>>>> 5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
>>>>> dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
>>>>> 96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
>>>>> 51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
>>>>> 8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
>>>>> 57:8d
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in issuer.pem -text
>>>>> Certificate:
>>>>> Data:
>>>>> Version: 1 (0x0)
>>>>> Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>> Validity
>>>>> Not Before: Oct 7 08:40:29 2014 GMT
>>>>> Not After : Oct 7 08:40:29 2015 GMT
>>>>> Subject: C=AU, ST=Some-State, O=issuer, OU=signing,
CN=issuer
>>>>> Subject Public Key Info:
>>>>> Public Key Algorithm: rsaEncryption
>>>>> Public-Key: (1024 bit)
>>>>> Modulus:
>>>>> 00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
>>>>> 7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
>>>>> 72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
>>>>> 26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
>>>>> af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
>>>>> e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
>>>>> d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
>>>>> af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
>>>>> 05:d0:5c:50:0f:8f:3f:c4:d5
>>>>> Exponent: 65537 (0x10001)
>>>>> Signature Algorithm: sha1WithRSAEncryption
>>>>> 3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
>>>>> 70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
>>>>> 96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
>>>>> 82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
>>>>> 9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
>>>>> f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
>>>>> 40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
>>>>> 68:bf
>>>>
>>>>
>>>> And the output from the bellow command executed from the client
you are running wget from:
>>>>
>>>> openssl s_client -connect <your_server>:443
>>>>
>>>> You should see some output with lots of information regarding the
ssl connection, the server certificate and something like this:
>>>>
>>>> ---
>>>> Certificate chain
>>>> 0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty
Ltd/CN=*.<mydomain>.com
>>>> i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>> 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert
<http://www.digicert.com/CN=DigiCert> Global Root CA
>>>> 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert
<http://www.digicert.com/CN=DigiCert> Global Root CA
>>>> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert
<http://www.digicert.com/CN=DigiCert> Global Root CA
>>>>
>>>> which will confirm the complete chain is being received by the
client. If you see something like this at the bottom:
>>>>
>>>> Verify return code: 19 (self signed certificate in certificate chain)
>>>>
>>>> means you haven't properly imported the CA chain on the client.
In case of wget or curl or other terminal tools this is done on OS
level so you would need to consult the OS documentation about
importing certificates.
>>>>
>>>> You can find more about openssl tool set here:
https://www.openssl.org/docs/apps/s_client.html, its perfect for ssl
troubleshooting.
>>>>
>>>>
>>>
>>> $ openssl s_client -connect server:443
>>> gethostbyname failure
>>> CONNECTED(00000003)
>>> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>>> ---
>>> Certificate chain
>>> 0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>> i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>> 1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>> i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>> 2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>> i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
>>> VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
>>> EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
>>> MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
>>> CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
>>> SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
>>> eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
>>> fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
>>> 8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
>>> LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
>>> DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
>>> YdtP4bzc8AetHHz+
>>> -----END CERTIFICATE-----
>>> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2391 bytes and written 498 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>> Server public key is 1024 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>> Protocol : TLSv1.2
>>> Cipher : DHE-RSA-AES256-GCM-SHA384
>>> Session-ID:
FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>>> Session-ID-ctx:
>>> Master-Key:
5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>>> Key-Arg : None
>>> PSK identity: None
>>> PSK identity hint: None
>>> SRP username: None
>>> TLS session ticket lifetime hint: 300 (seconds)
>>> TLS session ticket:
>>> 0000 - b9 a3 67 f3 a1 e1 2f 40-90 64 09 db ef 26 4d b2
..g.../@.d...&M.
>>> 0010 - e8 a3 c2 25 30 d6 df af-8c 4d d3 19 20 83 bb c3
...%0....M.. ...
>>> 0020 - 6f a9 51 a3 3a 2f f5 43-1e a8 9d 1e 49 25 67 43
o.Q.:/.C....I%gC
>>> 0030 - f0 05 3f 75 50 c8 49 2b-be 44 d2 72 58 14 2e f6
..?uP.I+.D.rX...
>>> 0040 - 55 a5 ba 0a 34 34 92 9f-cc 8b c1 30 55 f1 69 c0
U...44.....0U.i.
>>> 0050 - df f8 3d 08 38 37 11 46-90 9d 88 6c ce 48 5d 79
..=.87.F...l.H]y
>>> 0060 - 96 bb 5a 23 56 4d e9 c3-2f 17 d9 11 45 47 fb 2b
..Z#VM../...EG.+
>>> 0070 - 05 1a cb 92 52 13 52 e6-72 16 44 51 3f 66 90 88
....R.R.r.DQ?f..
>>> 0080 - f9 2e 46 ad 44 23 5b 75-f9 69 7c 6b c0 0f 83 42
..F.D#[u.i|k...B
>>> 0090 - 33 c0 c1 6b 6a f8 23 55-ee 18 0c 32 f9 5a 81 6b
3..kj.#U...2.Z.k
>>> 00a0 - 1b 4e a4 42 14 56 54 66-1d 20 2e 53 95 df 24 f5
.N.B.VTf. .S..$.
>>> 00b0 - c6 4c 8a e2 ed bc 21 d9-ef a1 8c fb 51 36 51 8d
.L....!.....Q6Q.
>>>
>>> Start Time: 1412751118
>>> Timeout : 300 (sec)
>>> Verify return code: 19 (self signed certificate in certificate
chain)
>>> ---
>>> DONE
>>>
>>> I even tried copying issuer.pem to /etc/ssl/certs
>>>
>>> With the same error no. 19 in the chain.
>>>
>>> Thanks for this command. It's truly useful. That FF extension
shows only 1 certificate received.
>>
>>
>> You need to point the tool to the CA path like this:
>>
>> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
>>
>> then the cert will get properly validated.
>>
>
> I pointed it to the location where all of my relevant *.pem is there
And I still get error 19.
Ok repeating again, you need to put the whole ca chain in
/etc/ssl/certs in this case the CA_chain.pem file as I created it
above, same as you did in the browser. I don't know why are you so
confused it is very simple: the client no matter if it is a
application or browser needs to know about the WHOLE chain of ca
certificates involved in signing the server's one. Not just the issuer
not just the intermediate but both of them.
I really recommend you find some good documentation about how the
certificates work as it looks like you are misinterpreting the roles
of the web server and the browser in the whole process of the
certificate verification.
