httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Wed, 08 Oct 2014 04:48:04 GMT
On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com> wrote:

>  On 10/08/14 05:18, Igor Cicimov wrote:
>
>
> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com> wrote:
>
>>   On 10/07/14 18:12, Igor Cicimov wrote:
>>
>>
>>
>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> I'm in a situation where I got 3 certificates
>>>
>>> server.pem -- the end user certificate which is sent by the server to the
>>> client.
>>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>>> key.
>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>
>>> combined.pem is created by --
>>>
>>> cat server.pem intermediate.pem > combined.pem
>>>
>>> Issuer.pem is installed in the web browser.
>>>
>>> The chain is working, I can verify this via the SSL command --
>>>
>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>> openssl verify -CAfile cert_bundle.pem server.pem
>>> server.pem: OK
>>>
>>> However the browsers (FF, Chrome, Konqueror and wget) fail
>>> authentication, claiming there are no certificates to verify server.pem's
>>> signature.
>>>
>>> I'm using Apache 2.4.10 with the following --
>>>
>>> SSLCertificateFile /tmp/combined.pem
>>> SSLCertificateKeyFile /tmp/server.key
>>>
>>>
>>  Try this:
>>
>>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>>
>>   SSLCertificateFile server.pem
>>   SSLCertificateKeyFile server.key
>>   SSLCertificateChainFile CA_chain.pem
>>
>>
>>  Tried this on Apache 2.2 (SSLCertificateChainFile does not work with
>> 2.4) with the same issue.
>>
>
>  Hmm, in that case you have something mixed up, or simply this cannot work
> for self-signed certificates, since this is exactly what I'm using on Apache
> 2.2.24/26 on all our company web sites: a certificate signed by a CA
> authority and a chain certificate file where the authority's CA and
> Intermediate certs have been concatenated.
>
>  Can you show us the output of:
>
>  openssl x509 -noout -in cert.pem -text
>
>  for all your certificates?
>
>
> $ openssl x509 -noout -in server.pem -text
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>         Validity
>             Not Before: Oct  7 08:43:42 2014 GMT
>             Not After : Oct  2 08:43:42 2015 GMT
>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                     00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
>                     6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
>                     81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
>                     b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
>                     e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
>                     7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
>                     44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
>                     3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
>                     26:3f:36:cc:29:f0:69:2b:79
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>          4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
>          b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
>          33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
>          a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
>          c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
>          b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
>          ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
>          7c:fe
>
>
> $ openssl x509 -noout -in intermediate.pem -text
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>         Validity
>             Not Before: Oct  7 08:42:05 2014 GMT
>             Not After : Oct  2 08:42:05 2015 GMT
>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                     00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
>                     f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
>                     df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
>                     2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
>                     df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
>                     14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
>                     78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
>                     f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
>                     3a:fd:f3:d1:f0:27:49:f4:c3
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>          0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
>          0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
>          5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
>          dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
>          96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
>          51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
>          8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
>          57:8d
>
>
> $ openssl x509 -noout -in issuer.pem -text
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>         Validity
>             Not Before: Oct  7 08:40:29 2014 GMT
>             Not After : Oct  7 08:40:29 2015 GMT
>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                     00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
>                     7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
>                     72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
>                     26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
>                     af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
>                     e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
>                     d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
>                     af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
>                     05:d0:5c:50:0f:8f:3f:c4:d5
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>          3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
>          70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
>          96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
>          82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
>          9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
>          f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
>          40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
>          68:bf
>

And the output from the below command executed from the client you are
running wget from:

openssl s_client -connect <your_server>:443

You should see some output with lots of information regarding the SSL
connection, the server certificate and something like this:

---
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty
Ltd/CN=*.<mydomain>.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

which will confirm the complete chain is being received by the client. If
you see something like this at the bottom:

Verify return code: 19 (self signed certificate in certificate chain)

it means you haven't properly imported the CA chain on the client. In the case
of wget, curl or other terminal tools this is done at OS level, so you would
need to consult the OS documentation about importing certificates.

You can find more about the openssl tool set here:
https://www.openssl.org/docs/apps/s_client.html; it's perfect for SSL
troubleshooting.
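As an added example that is not part of this thread: a small checker that reads concatenated `openssl x509 -noout -text` dumps like the ones quoted above, orders them leaf-first by issuer/subject links, and flags issuing certificates that a strict verifier (RFC 5280 section 6.1.4) may reject, including X.509 v1 certificates, which carry no extensions and so cannot assert basicConstraints CA:TRUE. The sample input is constructed from the three dumps in the thread, reduced to the fields the checker reads; the `ca` field relies on the `CA:TRUE` line that `-text` prints under Basic Constraints.

```python
import re
# Constructed sample: the thread's three dumps, reduced to the fields read here.
SAMPLE = """\
Certificate:
        Version: 1 (0x0)
        Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
        Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
Certificate:
        Version: 1 (0x0)
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
Certificate:
        Version: 1 (0x0)
        Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
        Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
"""

def field(block, name):
    m = re.search(r"^\s*%s\s*(.*)$" % re.escape(name), block, re.M)
    return m.group(1).strip() if m else None  # None when the line is absent
def parse_certs(text):
    """Split concatenated -text dumps into the four fields the chain check needs."""
    certs = []
    for block in re.split(r"^Certificate:\s*$", text, flags=re.M)[1:]:
        certs.append({"version": int(field(block, "Version:").split()[0]),
                      "issuer": field(block, "Issuer:"),
                      "subject": field(block, "Subject:"),
                      "ca": field(block, "CA:TRUE") is not None})  # Basic Constraints line
    return certs

def check_chain(certs):
    """Order leaf-first via issuer -> subject links; flag what RFC 5280 6.1.4 rejects."""
    by_subject = {c["subject"]: c for c in certs}
    issued = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issued]
    if len(leaves) != 1:
        return [], ["expected one end-entity certificate, found %d" % len(leaves)]
    chain, problems = [leaves[0]], []
    while chain[-1]["issuer"] != chain[-1]["subject"]:  # walk up to the self-signed root
        nxt = by_subject.get(chain[-1]["issuer"])
        if nxt is None:
            problems.append("issuer of %s is not in the bundle" % chain[-1]["subject"])
            break
        chain.append(nxt)
    # Every intermediate (the self-signed trust anchor excepted) must be a v3 CA cert.
    for c in [x for x in chain[1:] if x["issuer"] != x["subject"]]:
        if c["version"] == 1:
            problems.append("%s is X.509 v1: no extensions, so no basicConstraints CA:TRUE" % c["subject"])
        elif not c["ca"]:
            problems.append("%s lacks basicConstraints CA:TRUE" % c["subject"])
    return [c["subject"] for c in chain], problems
```

Run it over the output of `openssl x509 -noout -text` for each file concatenated together; `openssl verify` without `-x509_strict` accepts a v1 intermediate that this check (and browsers) reports.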
