From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Wed, 08 Oct 2014 09:03:43 GMT
On Wed, Oct 8, 2014 at 6:03 PM, dE <de.techno@gmail.com> wrote:

>  On 10/08/14 10:18, Igor Cicimov wrote:
>
>  On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com> wrote:
>
>>   On 10/08/14 05:18, Igor Cicimov wrote:
>>
>>
>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com> wrote:
>>
>>>   On 10/07/14 18:12, Igor Cicimov wrote:
>>>
>>>
>>>
>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> I'm in a situation where I got 3 certificates
>>>>
>>>> server.pem -- the end user certificate which is sent by the server to
>>>> the client.
>>>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>>>> key.
>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>>
>>>> combined.pem is created by --
>>>>
>>>> cat server.pem intermediate.pem > combined.pem
>>>>
>>>> Issuer.pem is installed in the web browser.
>>>>
>>>> The chain is working, I can verify this via the SSL command --
>>>>
>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>> server.pem: OK
>>>>
>>>> However the browsers (FF, Chrome, Konqueror and wget) fail
>>>> authentication, claiming there are no certificates to verify server.pem's
>>>> signature.
>>>>
>>>> I'm using Apache 2.4.10 with the following --
>>>>
>>>> SSLCertificateFile /tmp/combined.pem
>>>> SSLCertificateKeyFile /tmp/server.key
>>>>
>>>>
>>>  Try this:
>>>
>>>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>
>>>   SSLCertificateFile server.pem
>>>   SSLCertificateKeyFile server.key
>>>   SSLCertificateChainFile CA_chain.pem
>>>
>>>
>>>  Tried this on Apache 2.2 (SSLCertificateChainFile does not work with
>>> 2.4) with the same issue.
>>>
>>
>>  Hmm, in that case you have something mixed up, or simply this cannot work
>> for self-signed certificates, since this is exactly what I'm using on Apache
>> 2.2.24/26 on all our company web sites: a certificate signed by a CA
>> authority and a chain certificate file where the authority's CA and
>> Intermediate certs have been concatenated.
>>
>>  Can you show us the output of:
>>
>>  openssl x509 -noout -in cert.pem -text
>>
>>  for all your certificates?
>>
>>
>>  $ openssl x509 -noout -in server.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Validity
>>             Not Before: Oct  7 08:43:42 2014 GMT
>>             Not After : Oct  2 08:43:42 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
>>                     6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
>>                     81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
>>                     b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
>>                     e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
>>                     7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
>>                     44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
>>                     3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
>>                     26:3f:36:cc:29:f0:69:2b:79
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>          4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
>>          b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
>>          33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
>>          a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
>>          c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
>>          b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
>>          ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
>>          7c:fe
>>
>>
>> $ openssl x509 -noout -in intermediate.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:42:05 2014 GMT
>>             Not After : Oct  2 08:42:05 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
>>                     f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
>>                     df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
>>                     2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
>>                     df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
>>                     14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
>>                     78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
>>                     f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
>>                     3a:fd:f3:d1:f0:27:49:f4:c3
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>          0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
>>          0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
>>          5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
>>          dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
>>          96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
>>          51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
>>          8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
>>          57:8d
>>
>>
>> $ openssl x509 -noout -in issuer.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:40:29 2014 GMT
>>             Not After : Oct  7 08:40:29 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
>>                     7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
>>                     72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
>>                     26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
>>                     af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
>>                     e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
>>                     d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
>>                     af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
>>                     05:d0:5c:50:0f:8f:3f:c4:d5
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>          3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
>>          70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
>>          96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
>>          82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
>>          9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
>>          f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
>>          40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
>>          68:bf
>>
>
>  And the output from the below command, executed from the client you are
> running wget from:
>
>  openssl s_client -connect <your_server>:443
>
>  You should see some output with lots of information regarding the ssl
> connection, the server certificate and something like this:
>
>  ---
> Certificate chain
>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
>  which will confirm the complete chain is being received by the client.
> If you see something like this at the bottom:
>
>  Verify return code: 19 (self signed certificate in certificate chain)
>
>  it means you haven't properly imported the CA chain on the client. In case
> of wget, curl or other terminal tools this is done at OS level, so you
> would need to consult the OS documentation about importing certificates.
>
>  You can find more about the openssl tool set here:
> https://www.openssl.org/docs/apps/s_client.html; it's perfect for ssl
> troubleshooting.
>
>
>
> $ openssl s_client -connect server:443
> gethostbyname failure
> CONNECTED(00000003)
> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
> VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
> EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
> MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
> CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
> SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
> eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
> fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
> 8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
> LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
> DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
> YdtP4bzc8AetHHz+
> -----END CERTIFICATE-----
> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2391 bytes and written 498 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>     Session-ID-ctx:
>     Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     0000 - b9 a3 67 f3 a1 e1 2f 40-90 64 09 db ef 26 4d b2   ..g.../@.d...&M.
>     0010 - e8 a3 c2 25 30 d6 df af-8c 4d d3 19 20 83 bb c3   ...%0....M.. ...
>     0020 - 6f a9 51 a3 3a 2f f5 43-1e a8 9d 1e 49 25 67 43   o.Q.:/.C....I%gC
>     0030 - f0 05 3f 75 50 c8 49 2b-be 44 d2 72 58 14 2e f6   ..?uP.I+.D.rX...
>     0040 - 55 a5 ba 0a 34 34 92 9f-cc 8b c1 30 55 f1 69 c0   U...44.....0U.i.
>     0050 - df f8 3d 08 38 37 11 46-90 9d 88 6c ce 48 5d 79   ..=.87.F...l.H]y
>     0060 - 96 bb 5a 23 56 4d e9 c3-2f 17 d9 11 45 47 fb 2b   ..Z#VM../...EG.+
>     0070 - 05 1a cb 92 52 13 52 e6-72 16 44 51 3f 66 90 88   ....R.R.r.DQ?f..
>     0080 - f9 2e 46 ad 44 23 5b 75-f9 69 7c 6b c0 0f 83 42   ..F.D#[u.i|k...B
>     0090 - 33 c0 c1 6b 6a f8 23 55-ee 18 0c 32 f9 5a 81 6b   3..kj.#U...2.Z.k
>     00a0 - 1b 4e a4 42 14 56 54 66-1d 20 2e 53 95 df 24 f5   .N.B.VTf. .S..$.
>     00b0 - c6 4c 8a e2 ed bc 21 d9-ef a1 8c fb 51 36 51 8d   .L....!.....Q6Q.
>
>     Start Time: 1412751118
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> DONE
>
> I even tried copying issuer.pem to /etc/ssl/certs
>
> With the same error no. 19 in the chain.
>
> Thanks for this command. It's truly useful. That FF extension shows only 1
> certificate received.
>

You need to point the tool to the CA path like this:

$ openssl s_client -connect server:443 -CApath /etc/ssl/certs

then the cert will get properly validated.
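As an added example (not code from the thread or from the Apache or OpenSSL projects), the following Python script does offline what the s_client "Certificate chain" listing lets you check by eye: it pulls subject and issuer out of each certificate in a PEM bundle with a minimal DER walker, verifies that every certificate is followed by the one that issued it (the order RFC 5246 section 7.4.2 requires for the server's Certificate message), and rebuilds the correct leaf-to-root order from an unordered bundle. The sample input is the server certificate pasted in the s_client output above, plus the subject/issuer pairs of the three chain entries that output lists (0 server, 1 issuer, 2 intermediate), which is not leaf-to-root order and fails the check. One caveat on the -CApath suggestion: OpenSSL looks certificates up in that directory by hashed file name, so the directory must have been processed with c_rehash (or openssl rehash) for issuer.pem to be found; -CAfile issuer.pem has no such dependence.

```python
import base64
import re

# Server certificate exactly as it appears in the "Server certificate" block of
# the s_client output quoted in this thread; used here only as sample input.
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
YdtP4bzc8AetHHz+
-----END CERTIFICATE-----
"""

# Attribute-type OIDs (DER content bytes) for the name components used in this thread.
OID_NAMES = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
    b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
}

def pem_to_der_list(text):
    """Return the DER bytes of each CERTIFICATE block in a PEM bundle, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def parse_name(buf, start, end):
    """Render an X.501 Name the way s_client prints it: /C=AU/ST=.../CN=..."""
    parts = []
    for _, rdn_s, rdn_e in children(buf, start, end):            # Name = SEQUENCE OF RDN
        for _, atv_s, atv_e in children(buf, rdn_s, rdn_e):      # RDN = SET OF AttributeTypeAndValue
            (_, o_s, o_e), (_, v_s, v_e) = list(children(buf, atv_s, atv_e))
            key = OID_NAMES.get(buf[o_s:o_e], buf[o_s:o_e].hex())
            parts.append(f"{key}={buf[v_s:v_e].decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def subject_and_issuer(der):
    """Extract (subject, issuer) strings from one DER certificate."""
    _, cert_s, _ = read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_s, tbs_e = read_tlv(der, cert_s)         # tbsCertificate SEQUENCE
    fields = list(children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                        # explicit [0] version (v2/v3); v1 certs omit it
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    issuer = parse_name(der, fields[2][1], fields[2][2])
    subject = parse_name(der, fields[4][1], fields[4][2])
    return subject, issuer

def check_chain_order(names):
    """names: (subject, issuer) pairs in the order sent. Return a list of broken links."""
    problems = []
    for i in range(len(names) - 1):
        issuer, next_subject = names[i][1], names[i + 1][0]
        if issuer != next_subject:
            problems.append(f"cert {i} is issued by {issuer} but cert {i + 1} is {next_subject}")
    return problems

def build_chain(names):
    """Reorder (subject, issuer) pairs leaf-first by following issuer links to a self-signed root."""
    by_subject = {s: (s, i) for s, i in names}
    signers = {i for s, i in names if s != i}       # subjects that sign some other cert
    leaves = [p for p in names if p[0] not in signers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    chain, cur = [], leaves[0]
    while len(chain) <= len(names):
        chain.append(cur)
        subject, issuer = cur
        if subject == issuer:                       # self-signed root ends the chain
            return chain
        if issuer not in by_subject:
            raise ValueError(f"no certificate in bundle for issuer {issuer}")
        cur = by_subject[issuer]
    raise ValueError("issuer links form a cycle")

# Constructed from the chain listing in the thread's s_client output: 0 server, 1 issuer, 2 intermediate.
THREAD_CHAIN = [
    ("/C=AU/ST=Some-State/O=server/OU=IT/CN=server", "/C=AU/ST=Some-State/O=intermediate/CN=intermediate"),
    ("/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer", "/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer"),
    ("/C=AU/ST=Some-State/O=intermediate/CN=intermediate", "/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer"),
]

if __name__ == "__main__":
    print(subject_and_issuer(pem_to_der_list(SERVER_PEM)[0]))
    for p in check_chain_order(THREAD_CHAIN):
        print("broken link:", p)
    print([s for s, _ in build_chain(THREAD_CHAIN)])
```

To audit a real deployment, feed `pem_to_der_list` the file named in SSLCertificateFile (or the concatenation of SSLCertificateFile and SSLCertificateChainFile), map `subject_and_issuer` over the result and run `check_chain_order` on it; an empty list means the server will send the certificates in the order clients expect.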
