On Mon, Mar 25, 2024 at 12:26 PM Stanley Gilliam <stanley.x.gill...@gsk.com> wrote:
>
> Here is the output:
>
> [I am root!@uptus060-1:private]# echo "$cert" | openssl x509 -inform PEM
> -text -noout
> unable to load certificate
> 139671613519760:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
>
>
> [I am root!@uptus060-1:private]# openssl s_client -connect hpc.gsk.com:443
> -servername hpc.gsk.com -showcerts
> CONNECTED(00000003)
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith
> Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith
> Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
>    i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> Server certificate
> subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
> issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2361 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> 4A9C3A7A8D91D5BE107F514BD64009F30D71C338D3C0E11AD6F8F2BBA256BDFA
>     Session-ID-ctx:
>     Master-Key:
> 4B6426694B33A96B96BD3B382D7266826F1FC80C0B4857A9953AE969E6AB903B44739603E06D1933E269DCFA5D30CFD9
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>     Start Time: 1711383886
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> read:errno=0

The server is misconfigured.

Level 0 is the end entity (web server) certificate. But the web server is not sending the intermediate certificate called 'GSK Issuing CA 1':

    Certificate chain
     0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
       i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1

There should be a level 1, with a subject of '/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1'. Something like:

    Certificate chain
     0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
       i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
     1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
       i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The server _can_ send 'GSK Root CA', but it is not required. The RFC makes sending the root certificate optional. If the root CA is sent, then it would look something like:

    Certificate chain
     0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
       i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
     1 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
       i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA
     2 s:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA
       i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA

The client _must_ trust 'GSK Root CA'. This is your SVN client. That is the next thing to check once the server configuration is fixed.

Jeff
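
The chain check described in the reply above, as an added example that is not part of the original message: it parses the "Certificate chain" listing from `openssl s_client -showcerts` output and reports a link the server did not send. The DNs, the `sample` helper and the `trust_anchors` set are constructed for illustration, and the comparison is by name only, with no signature verification.

```python
import re

# "N s:<subject>" and "i:<issuer>" lines of the s_client "Certificate chain" block.
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

def parse_chain(s_client_output):
    """Return [(depth, subject, issuer), ...] for the certificates the server sent."""
    chain, in_chain, pending = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain listing
        elif in_chain:
            if (m := SUBJECT_RE.match(line)):
                pending = (int(m.group(1)), m.group(2).strip())
            elif (m := ISSUER_RE.match(line)) and pending:
                chain.append((*pending, m.group(1).strip()))
                pending = None
    return chain

def diagnose(chain, trust_anchors):
    """Name-only check: is every issuer either sent next or a client trust anchor?"""
    if not chain:
        return ["no certificates sent"]
    problems = []
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"depth {depth}: next certificate is not issuer {issuer}")
    depth, subject, issuer = chain[-1]
    if subject == issuer:  # self-signed root was sent (optional)
        if subject not in trust_anchors:
            problems.append(f"depth {depth}: root {subject} is not a client trust anchor")
    elif issuer not in trust_anchors:
        problems.append(f"depth {depth}: issuer {issuer} was not sent "
                        "and is not a client trust anchor")
    return problems

# Constructed sample listings (not the real server's output).
LEAF = " 0 s:/CN=www.example.test\n   i:/DC=test/CN=Example Issuing CA 1\n"
INTER = " 1 s:/DC=test/CN=Example Issuing CA 1\n   i:/DC=test/CN=Example Root CA\n"
ROOT = " 2 s:/DC=test/CN=Example Root CA\n   i:/DC=test/CN=Example Root CA\n"

def sample(*entries):
    return ("CONNECTED(00000003)\n---\nCertificate chain\n"
            + "".join(entries) + "---\nServer certificate\n")

if __name__ == "__main__":
    anchors = {"/DC=test/CN=Example Root CA"}  # what the client trusts (assumed)
    print(diagnose(parse_chain(sample(LEAF)), anchors))
    print(diagnose(parse_chain(sample(LEAF, INTER)), anchors))
```
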