From: dE <de.techno@gmail.com>
To: users@httpd.apache.org
Date: Wed, 08 Oct 2014 21:30:13 +0530
Subject: Re: [users@httpd] Cannot get certificate chain to work.

On 10/08/14 17:53, Igor Cicimov wrote:


On 08/10/2014 9:16 PM, "dE" <de.techno@gmail.com> wrote:
>
> On 10/08/14 14:33, Igor Cicimov wrote:
>>
>>
>>
>> On Wed, Oct 8, 2014 at 6:03 PM, dE <de.techno@gmail.com> wrote:
>>>
>>> On 10/08/14 10:18, Igor Cicimov wrote:
>>>>
>>>> On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com> wrote:
>>>>>
>>>>> On 10/08/14 05:18, Igor Cicimov wrote:
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com> wrote:
>>>>>>>
>>>>>>> On 10/07/14 18:12, Igor Cicimov wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> I'm in a situation where I got 3 certificates
>>>>>>>>>
>>>>>>>>> server.pem -- the end user certificate, which is sent by the server to the client.
>>>>>>>>> intermediate.pem -- server.pem is signed by intermediate.pem's private key.
>>>>>>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>>>>>>>
>>>>>>>>> combined.pem is created by --
>>>>>>>>>
>>>>>>>>> cat server.pem intermediate.pem > combined.pem
>>>>>>>>>
>>>>>>>>> Issuer.pem is installed in the web browser.
>>>>>>>>>
>>>>>>>>> The chain is working, I can verify this via the SSL command --
>>>>>>>>>
>>>>>>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>>>>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>>>>>>> server.pem: OK
>>>>>>>>>
>>>>>>>>> However the browsers (FF, Chrome, Konqueror and wget) fail authentication, claiming there are no certificates to verify server.pem's signature.
>>>>>>>>>
>>>>>>>>> I'm using Apache 2.4.10 with the following --
>>>>>>>>>
>>>>>>>>> SSLCertificateFile /tmp/combined.pem
>>>>>>>>> SSLCertificateKeyFile /tmp/server.key
>>>>>>>>>
>>>>>>>>
>>>>>>>> Try this:
>>>>>>>>
>>>>>>>> $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>>>>>>
>>>>>>>>   SSLCertificateFile server.pem
>>>>>>>>   SSLCertificateKeyFile server.key
>>>>>>>>   SSLCertificateChainFile CA_chain.pem
>>>>>>>>
>>>>>>>
>>>>>>> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4) with the same issue.
>>>>>>
>>>>>>  
>>>>>> Hmm, in that case you have something mixed up, or simply this cannot work for self-signed certificates, since this is exactly what I'm using on Apache 2.2.24/26 on all our company web sites: a certificate signed by a CA authority and a chain certificate file where the authority's CA and intermediate certs have been concatenated.
>>>>>>
>>>>>> Can you show us the output of:
>>>>>>
>>>>>> openssl x509 -noout -in cert.pem -text
>>>>>>
>>>>>> for all your certificates?
>>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in server.pem -text       
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:43:42 2014 GMT
>>>>>             Not After : Oct  2 08:43:42 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
>>>>>                     6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
>>>>>                     81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
>>>>>                     b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
>>>>>                     e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
>>>>>                     7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
>>>>>                     44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
>>>>>                     3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
>>>>>                     26:3f:36:cc:29:f0:69:2b:79
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>          4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
>>>>>          b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
>>>>>          33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
>>>>>          a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
>>>>>          c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
>>>>>          b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
>>>>>          ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
>>>>>          7c:fe
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in intermediate.pem -text         
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:42:05 2014 GMT
>>>>>             Not After : Oct  2 08:42:05 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
>>>>>                     f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
>>>>>                     df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
>>>>>                     2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
>>>>>                     df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
>>>>>                     14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
>>>>>                     78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
>>>>>                     f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
>>>>>                     3a:fd:f3:d1:f0:27:49:f4:c3
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>          0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
>>>>>          0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
>>>>>          5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
>>>>>          dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
>>>>>          96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
>>>>>          51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
>>>>>          8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
>>>>>          57:8d
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in issuer.pem -text            
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:40:29 2014 GMT
>>>>>             Not After : Oct  7 08:40:29 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
>>>>>                     7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
>>>>>                     72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
>>>>>                     26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
>>>>>                     af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
>>>>>                     e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
>>>>>                     d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
>>>>>                     af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
>>>>>                     05:d0:5c:50:0f:8f:3f:c4:d5
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>          3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
>>>>>          70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
>>>>>          96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
>>>>>          82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
>>>>>          9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
>>>>>          f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
>>>>>          40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
>>>>>          68:bf
>>>>
>>>>
>>>> And the output from the below command executed from the client you are running wget from:
>>>>
>>>> openssl s_client -connect <your_server>:443
>>>>
>>>> You should see some output with lots of information regarding the SSL connection, the server certificate and something like this:
>>>>
>>>> ---
>>>> Certificate chain
>>>>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>>>>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>
>>>> which will confirm the complete chain is being received by the client. If you see something like this at the bottom:
>>>>
>>>> Verify return code: 19 (self signed certificate in certificate chain)
>>>>
>>>> it means you haven't properly imported the CA chain on the client. In the case of wget, curl or other terminal tools this is done at OS level, so you would need to consult the OS documentation about importing certificates.
>>>>
>>>> You can find more about the openssl toolset here: https://www.openssl.org/docs/apps/s_client.html; it's perfect for SSL troubleshooting.
>>>>
>>>>
>>>
>>> $ openssl s_client -connect server:443            
>>> gethostbyname failure
>>> CONNECTED(00000003)
>>> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>>> ---
>>> Certificate chain
>>>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>>    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> -----END CERTIFICATE-----
>>> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2391 bytes and written 498 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>> Server public key is 1024 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>     Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>>>     Session-ID-ctx:
>>>     Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>     TLS session ticket:
>>>
>>>     Start Time: 1412751118
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 19 (self signed certificate in certificate chain)
>>> ---
>>> DONE
>>>
>>> I even tried copying issuer.pem to /etc/ssl/certs
>>>
>>> With the same error no. 19 in the chain.
>>>
>>> Thanks for this command. It's truly useful. That FF extension shows only 1 certificate received.
>>
>>
>> You need to point the tool to the CA path like this:
>>
>> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
>>
>> then the cert will get properly validated.
>>
>
> I pointed it to the location where all of my relevant *.pem files are, and I still get error 19.

Ok, repeating again: you need to put the whole CA chain in /etc/ssl/certs, in this case the CA_chain.pem file as I created it above, same as you did in the browser. I don't know why you are so confused; it is very simple: the client, no matter if it is an application or a browser, needs to know about the WHOLE chain of CA certificates involved in signing the server's one. Not just the issuer, not just the intermediate, but both of them.

I really recommend you find some good documentation about how certificates work, as it looks like you are misinterpreting the roles of the web server and the browser in the whole process of certificate verification.


I'm getting the same Error no. 19.

But doing this is pointless; it's not what I'm trying to do.

intermediate.pem is not expected to be installed in the browser, but it's signed by issuer.pem, which is installed in the browser.

server.pem is signed by intermediate.pem.

intermediate.pem must get installed automatically in the browsers (at least in FF), but instead these browsers don't see the certificate.
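As an added example that is not part of this thread (the certificates and subjects are constructed to mirror the ones above, and the script assumes an openssl CLI of 1.1.1 or newer), this POSIX shell script generates a root, an intermediate and a server certificate, verifies the leaf with only the root trusted, checks the order of certificates in a concatenated chain file, and shows why a trust anchor dropped into a -CApath directory is only found under its hashed name. It goes beyond the thread in one respect: it states the order Apache 2.4.8 and later accept in SSLCertificateFile (leaf first, then intermediates).

```shell
# Added example, not from the thread: build a throwaway three-tier PKI with the
# thread's names (issuer -> intermediate -> server), then check chain files the
# way a client does. Needs the openssl CLI (1.1.1 or newer) and POSIX sh only.
set -eu

# Minimal config so nothing here depends on the system openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server
EOF
}

# sign_cert DIR NAME SUBJECT CA EXTSECTION: make a CSR for NAME and sign it with CA's key.
sign_cert() {
  openssl req -new -config "$1/x.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
    -extfile "$1/x.cnf" -extensions "$5" -days 365 -out "$1/$2.pem" 2>/dev/null
}

# make_test_pki DIR: writes issuer.pem, intermediate.pem, server.pem and their keys into DIR.
make_test_pki() {
  write_cnf "$1/x.cnf"
  for n in issuer intermediate server; do openssl genrsa -out "$1/$n.key" 2048 2>/dev/null; done
  # Self-signed root: the thread's issuer.pem.
  openssl req -x509 -new -config "$1/x.cnf" -extensions v3_ca -key "$1/issuer.key" \
    -subj "/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer" -days 365 -out "$1/issuer.pem" 2>/dev/null
  sign_cert "$1" intermediate "/C=AU/ST=Some-State/O=intermediate/CN=intermediate" issuer v3_ca
  sign_cert "$1" server "/C=AU/ST=Some-State/O=server/OU=IT/CN=server" intermediate v3_server
}

# verify_leaf DIR: the check a browser effectively performs. Only the root is trusted;
# the intermediate is given as *untrusted*, which is how a client receives it. (Putting
# intermediate.pem into -CAfile, as the thread does, makes it a trust anchor: a weaker test.)
verify_leaf() {
  openssl verify -CAfile "$1/issuer.pem" -untrusted "$1/intermediate.pem" "$1/server.pem" >/dev/null 2>&1
}

# dn FIELD FILE: subject or issuer of one PEM certificate, RFC 2253 form.
dn() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1=//"; }

# chain_links BUNDLE WORKDIR: split a concatenated PEM file into its certificates (file
# order is the order mod_ssl sends them) and check that each certificate's issuer is the
# subject of the next: leaf first, then each signer in turn. Returns 1 at a broken link.
chain_links() {
  rm -f "$2"/c[0-9].pem
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%d.pem", d, n) }
                 f { print > f }  /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
  prev=""
  for c in "$2"/c[0-9].pem; do
    s=$(dn subject "$c"); i=$(dn issuer "$c")
    echo "  $(basename "$c"): subject=$s  issuer=$i"
    if [ -n "$prev" ] && [ "$prev" != "$s" ]; then
      echo "  broken link: expected the certificate of $prev here"; return 1
    fi
    prev=$i
  done
}

# capath_verify CAPATH DIR: verify server.pem with trust anchors looked up in CAPATH.
capath_verify() {
  openssl verify -CApath "$1" -untrusted "$2/intermediate.pem" "$2/server.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# capath_lookup DIR WORKDIR: -CApath finds a trust anchor only via its subject-hash file
# name (<hash>.0); a PEM merely copied into the directory is never consulted.
capath_lookup() {
  rm -rf "$2/capath"; mkdir -p "$2/capath"
  cp "$1/issuer.pem" "$2/capath/issuer.pem"
  a=$(capath_verify "$2/capath" "$1")
  ln -s "$2/capath/issuer.pem" "$2/capath/$(openssl x509 -noout -hash -in "$1/issuer.pem").0"
  b=$(capath_verify "$2/capath" "$1")
  echo "copy=$a hashed=$b"
}

demo() {
  w=$(mktemp -d); make_test_pki "$w"
  verify_leaf "$w" && echo "server.pem verifies with issuer.pem trusted, intermediate.pem untrusted"
  # What Apache 2.4.8+ expects in SSLCertificateFile: the leaf followed by its intermediates.
  cat "$w/server.pem" "$w/intermediate.pem" > "$w/combined.pem"
  echo "combined.pem:"; chain_links "$w/combined.pem" "$w"
  # The order s_client reported in the thread (leaf, root, intermediate): the links break.
  cat "$w/server.pem" "$w/issuer.pem" "$w/intermediate.pem" > "$w/wrong.pem"
  echo "wrong.pem:"; chain_links "$w/wrong.pem" "$w" || echo "  (rejected)"
  echo "CApath lookup: $(capath_lookup "$w" "$w")"
  rm -rf "$w"
}
demo
```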