httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Cannot get certificate chain to work.
Date Wed, 08 Oct 2014 12:23:14 GMT
On 08/10/2014 9:16 PM, "dE" <de.techno@gmail.com> wrote:
>
> On 10/08/14 14:33, Igor Cicimov wrote:
>>
>>
>>
>> On Wed, Oct 8, 2014 at 6:03 PM, dE <de.techno@gmail.com> wrote:
>>>
>>> On 10/08/14 10:18, Igor Cicimov wrote:
>>>>
>>>> On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com> wrote:
>>>>>
>>>>> On 10/08/14 05:18, Igor Cicimov wrote:
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com> wrote:
>>>>>>>
>>>>>>> On 10/07/14 18:12, Igor Cicimov wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> I'm in a situation where I got 3 certificates
>>>>>>>>>
>>>>>>>>> server.pem -- the end user certificate which is sent by the server to the client.
>>>>>>>>> intermediate.pem -- server.pem is signed by intermediate.pem's private key.
>>>>>>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>>>>>>>
>>>>>>>>> combined.pem is created by --
>>>>>>>>>
>>>>>>>>> cat server.pem intermediate.pem > combined.pem
>>>>>>>>>
>>>>>>>>> Issuer.pem is installed in the web browser.
>>>>>>>>>
>>>>>>>>> The chain is working, I can verify this via the SSL command --
>>>>>>>>>
>>>>>>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>>>>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>>>>>>> server.pem: OK
>>>>>>>>>
>>>>>>>>> However the browsers (FF, Chrome, Konqueror and wget) fail authentication, claiming there are no certificates to verify server.pem's signature.
>>>>>>>>>
>>>>>>>>> I'm using Apache 2.4.10 with the following --
>>>>>>>>>
>>>>>>>>> SSLCertificateFile /tmp/combined.pem
>>>>>>>>> SSLCertificateKeyFile /tmp/server.key
>>>>>>>>>
>>>>>>>>
>>>>>>>> Try this:
>>>>>>>>
>>>>>>>> $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>>>>>>
>>>>>>>>   SSLCertificateFile server.pem
>>>>>>>>   SSLCertificateKeyFile server.key
>>>>>>>>   SSLCertificateChainFile CA_chain.pem
>>>>>>>>
>>>>>>>
>>>>>>> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4) with the same issue.
>>>>>>
>>>>>>
>>>>>> Hmm, in that case you have something mixed up, or simply this cannot work for self-signed certificates, since this is exactly what I'm using on Apache 2.2.24/26 on all our company web sites: a certificate signed by a CA authority and a chain certificate file where the authority's CA and intermediate certs have been concatenated.
>>>>>>
>>>>>> Can you show us the output of:
>>>>>>
>>>>>> openssl x509 -noout -in cert.pem -text
>>>>>>
>>>>>> for all your certificates?
>>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in server.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:43:42 2014 GMT
>>>>>             Not After : Oct  2 08:43:42 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:42:05 2014 GMT
>>>>>             Not After : Oct  2 08:42:05 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in issuer.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:40:29 2014 GMT
>>>>>             Not After : Oct  7 08:40:29 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>
>>>>
>>>> And the output from the below command executed from the client you are running wget from:
>>>>
>>>> openssl s_client -connect <your_server>:443
>>>>
>>>> You should see some output with lots of information regarding the SSL connection, the server certificate and something like this:
>>>>
>>>> ---
>>>> Certificate chain
>>>>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>>>>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>
>>>> which will confirm the complete chain is being received by the client. If you see something like this at the bottom:
>>>>
>>>> Verify return code: 19 (self signed certificate in certificate chain)
>>>>
>>>> it means you haven't properly imported the CA chain on the client. In case of wget or curl or other terminal tools this is done on OS level, so you would need to consult the OS documentation about importing certificates.
>>>>
>>>> You can find more about the openssl tool set here: https://www.openssl.org/docs/apps/s_client.html, it's perfect for SSL troubleshooting.
>>>>
>>>>
>>>
>>> $ openssl s_client -connect server:443
>>> gethostbyname failure
>>> CONNECTED(00000003)
>>> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>>> ---
>>> Certificate chain
>>>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>>    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>> ---
>>> Server certificate
>>> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2391 bytes and written 498 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>> Server public key is 1024 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>     Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>>>     Session-ID-ctx:
>>>     Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>     TLS session ticket:
>>>
>>>     Start Time: 1412751118
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 19 (self signed certificate in certificate chain)
>>> ---
>>> DONE
>>>
>>> I even tried copying issuer.pem to /etc/ssl/certs
>>>
>>> With the same error no. 19 in the chain.
>>>
>>> Thanks for this command. It's truly useful. That FF extension shows
only 1 certificate received.
>>
>>
>> You need to point the tool to the CA path like this:
>>
>> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
>>
>> then the cert will get properly validated.
>>
>
> I pointed it to the location where all of my relevant *.pem files are, and I still get error 19.

Ok, repeating again: you need to put the whole CA chain in /etc/ssl/certs, in this case the CA_chain.pem file as I created it above, same as you did in the browser. I don't know why you are so confused; it is very simple: the client, no matter if it is an application or a browser, needs to know about the WHOLE chain of CA certificates involved in signing the server's one. Not just the issuer, not just the intermediate, but both of them.

I really recommend you find some good documentation about how the
certificates work as it looks like you are misinterpreting the roles of the
web server and the browser in the whole process of the certificate
verification.
