httpd-users mailing list archives

From dE <de.tec...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Wed, 08 Oct 2014 10:15:57 GMT
On 10/08/14 14:33, Igor Cicimov wrote:
>
>
> On Wed, Oct 8, 2014 at 6:03 PM, dE <de.techno@gmail.com> wrote:
>
>     On 10/08/14 10:18, Igor Cicimov wrote:
>>     On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com> wrote:
>>
>>         On 10/08/14 05:18, Igor Cicimov wrote:
>>>
>>>         On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com> wrote:
>>>
>>>             On 10/07/14 18:12, Igor Cicimov wrote:
>>>>
>>>>
>>>>             On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>>>>
>>>>                 Hi.
>>>>
>>>>                 I'm in a situation where I got 3 certificates
>>>>
>>>>                 server.pem -- the end user certificate which is sent
>>>>                 by the server to the client.
>>>>                 intermediate.pem -- server.pem is signed by
>>>>                 intermediate.pem's private key.
>>>>                 issuer.pem -- intermediate.pem is signed by
>>>>                 issuer.pem's private key.
>>>>
>>>>                 combined.pem is created by --
>>>>
>>>>                 cat server.pem intermediate.pem > combined.pem
>>>>
>>>>                 Issuer.pem is installed in the web browser.
>>>>
>>>>                 The chain is working, I can verify this via the SSL
>>>>                 command --
>>>>
>>>>                 cat intermediate.pem issuer.pem > cert_bundle.pem
>>>>                 openssl verify -CAfile cert_bundle.pem server.pem
>>>>                 server.pem: OK
>>>>
>>>>                 However, the browsers (FF, Chrome, Konqueror and
>>>>                 wget) fail authentication, claiming there are no
>>>>                 certificates to verify server.pem's signature.
>>>>
>>>>                 I'm using Apache 2.4.10 with the following --
>>>>
>>>>                 SSLCertificateFile /tmp/combined.pem
>>>>                 SSLCertificateKeyFile /tmp/server.key
>>>>
>>>>
>>>>             Try this:
>>>>
>>>>             $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>>
>>>>             SSLCertificateFile server.pem
>>>>             SSLCertificateKeyFile server.key
>>>>             SSLCertificateChainFile CA_chain.pem
>>>>
>>>
>>>             Tried this on Apache 2.2 (SSLCertificateChainFile does
>>>             not work with 2.4) with the same issue.
>>>
>>>         Hmm, in that case you have something mixed up, or simply this
>>>         cannot work for self-signed certificates, since this is
>>>         exactly what I'm using on Apache 2.2.24/26 on all our
>>>         company web sites: a certificate signed by a CA authority and
>>>         a chain certificate file where the authority's CA and
>>>         intermediate certs have been concatenated.
>>>
>>>         Can you show us the output of:
>>>
>>>         openssl x509 -noout -in cert.pem -text
>>>
>>>         for all your certificates?
>>>
>>
>>         $ openssl x509 -noout -in server.pem -text
>>         Certificate:
>>             Data:
>>                 Version: 1 (0x0)
>>                 Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>             Signature Algorithm: sha1WithRSAEncryption
>>                 Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>                 Validity
>>                     Not Before: Oct  7 08:43:42 2014 GMT
>>                     Not After : Oct  2 08:43:42 2015 GMT
>>                 Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>                 Subject Public Key Info:
>>                     Public Key Algorithm: rsaEncryption
>>                         Public-Key: (1024 bit)
>>                         Modulus:
>>                         Exponent: 65537 (0x10001)
>>             Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>         $ openssl x509 -noout -in intermediate.pem -text
>>         Certificate:
>>             Data:
>>                 Version: 1 (0x0)
>>                 Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>             Signature Algorithm: sha1WithRSAEncryption
>>                 Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>                 Validity
>>                     Not Before: Oct  7 08:42:05 2014 GMT
>>                     Not After : Oct  2 08:42:05 2015 GMT
>>                 Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>                 Subject Public Key Info:
>>                     Public Key Algorithm: rsaEncryption
>>                         Public-Key: (1024 bit)
>>                         Modulus:
>>                         Exponent: 65537 (0x10001)
>>             Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>         $ openssl x509 -noout -in issuer.pem -text
>>         Certificate:
>>             Data:
>>                 Version: 1 (0x0)
>>                 Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>             Signature Algorithm: sha1WithRSAEncryption
>>                 Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>                 Validity
>>                     Not Before: Oct  7 08:40:29 2014 GMT
>>                     Not After : Oct  7 08:40:29 2015 GMT
>>                 Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>                 Subject Public Key Info:
>>                     Public Key Algorithm: rsaEncryption
>>                         Public-Key: (1024 bit)
>>                         Modulus:
>>                         Exponent: 65537 (0x10001)
>>             Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>     And the output from the below command executed from the client
>>     you are running wget from:
>>
>>     openssl s_client -connect <your_server>:443
>>
>>     You should see some output with lots of information regarding the
>>     ssl connection, the server certificate and something like this:
>>
>>     ---
>>     Certificate chain
>>      0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>>        i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>      1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>        i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>      2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>        i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>
>>     which will confirm the complete chain is being received by the
>>     client. If you see something like this at the bottom:
>>
>>     Verify return code: 19 (self signed certificate in certificate chain)
>>
>>     it means you haven't properly imported the CA chain on the client.
>>     In the case of wget or curl or other terminal tools this is done at
>>     OS level, so you would need to consult the OS documentation about
>>     importing certificates.
>>
>>     You can find more about the openssl tool set here:
>>     https://www.openssl.org/docs/apps/s_client.html, it's perfect for
>>     ssl troubleshooting.
>>
>>
>
>     $ openssl s_client -connect server:443
>     gethostbyname failure
>     CONNECTED(00000003)
>     depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
>     verify error:num=19:self signed certificate in certificate chain
>     verify return:0
>     ---
>     Certificate chain
>      0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>        i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>      1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>        i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>      2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>        i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>     ---
>     Server certificate
>     subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>     issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>     ---
>     No client certificate CA names sent
>     ---
>     SSL handshake has read 2391 bytes and written 498 bytes
>     ---
>     New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>     Server public key is 1024 bit
>     Secure Renegotiation IS supported
>     Compression: NONE
>     Expansion: NONE
>     SSL-Session:
>         Protocol  : TLSv1.2
>         Cipher    : DHE-RSA-AES256-GCM-SHA384
>         Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>         Session-ID-ctx:
>         Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>         Key-Arg   : None
>         PSK identity: None
>         PSK identity hint: None
>         SRP username: None
>         TLS session ticket lifetime hint: 300 (seconds)
>         TLS session ticket:
>
>         Start Time: 1412751118
>         Timeout   : 300 (sec)
>         Verify return code: 19 (self signed certificate in certificate chain)
>     ---
>     DONE
>
>     I even tried copying issuer.pem to /etc/ssl/certs
>
>     With the same error no. 19 in the chain.
>
>     Thanks for this command. It's truly useful. That FF extension
>     shows only 1 certificate received.
>
>
> You need to point the tool to the CA path like this:
>
> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
>
> then the cert will get properly validated.
>

I pointed it to the location where all of my relevant *.pem files are, and
I still get error 19.
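An added, runnable illustration of the checks discussed in this thread (this is not code from the thread or from the Apache project). It builds an issuer -> intermediate -> server chain and verifies it with -CAfile and with -CApath; it goes beyond the thread in two ways: the certificates carry basicConstraints (the ones shown above are X.509 v1, which cannot), and it shows that -CApath only finds a CA file under its subject-hash name, so merely copying issuer.pem into the directory is not enough. It assumes a POSIX shell and the openssl command-line tool; all names and subjects are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build issuer -> intermediate -> server
# with proper CA extensions, then check the chain with -CAfile and -CApath.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal config: the DN comes from -subj, extensions from the named section.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:server
EOF
# mkcert NAME EXTSECTION [SIGNER]: self-signed when no signer is given.
mkcert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  if [ $# -eq 2 ]; then
    openssl req -x509 -new -key "$1.key" -subj "/O=$1/CN=$1" -days 365 \
      -config ext.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
  else
    openssl req -new -key "$1.key" -subj "/O=$1/CN=$1" -config ext.cnf -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 365 -extfile ext.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
  fi
}
mkcert issuer ca                  # root: the certificate the browser trusts
mkcert intermediate ca issuer
mkcert server leaf intermediate
cat server.pem intermediate.pem > combined.pem   # leaf first, as for SSLCertificateFile
# Does a certificate carry basicConstraints CA:TRUE? (A v1 certificate never does.)
is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
# -CAfile: a bundle of intermediate + root, as in the thread's first check.
verify_cafile() {
  cat intermediate.pem issuer.pem > bundle.pem
  openssl verify -CAfile bundle.pem server.pem >/dev/null 2>&1
}
# -CApath: OpenSSL looks files up by subject-hash name (<hash>.0), so a
# directory that merely contains issuer.pem is not searched successfully.
verify_capath() {
  openssl verify -CApath "$1" -untrusted intermediate.pem server.pem >/dev/null 2>&1
}
mkdir plain hashed; cp issuer.pem plain/
ln -s "$WORK/issuer.pem" "hashed/$(openssl x509 -noout -subject_hash -in issuer.pem).0"
if verify_cafile; then echo "server.pem verifies against bundle.pem"; fi
if verify_capath hashed; then echo "server.pem verifies against hashed -CApath"; fi
```

Running it prints both confirmation lines; `verify_capath plain` fails, which is the same failure mode as copying a root into a directory that has not been rehashed.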
