Hi Julien,
This is a known issue with 6.8 that is fixed in current.

On Mon, Nov 23, 2020 at 03:57:52PM +0100, Julien Robert wrote:
> Hello,
>
> I'm working to upgrade an apache reverse proxy server running in OpenBSD 6.5
> to the latest version 6.8, doing a from-scratch install.
> But in 6.8, there is something wrong using openssl and the -CApath
> directive.
> The issue is similar using the openssl command or the apache configuration.
>
> In Apache (package apache-httpd),
> I put all my CAs (root and intermediates) in /etc/ssl with correct rights.
> I created my hash files using the openssl certhash command.
>
> Apache is correctly configured with:
> Code :
> SSLCertificateFile server.crt
> SSLCertificateKeyFile /etc/ssl/private/server.key
> SSLCACertificatePath /etc/ssl/
>
> When I try to connect using a web browser, I get error UNKNOWN_CA_ALERT.
> Apache logs:
> Code :
> Error (20): unable to get local issuer certificate
>
> The same configuration in OpenBSD 6.5 (actually in production) works fine.
> And I tried in OpenBSD 6.7, it's working fine too.
>
> If I create a CA bundle file with all my CAs (bundle.pem) and I configure
> Apache with SSLCACertificateFile bundle.pem: it's OK, but it's not what I
> want :(
>
> Now, when I try directly using the openssl command, I get the following issue:
> Code :
> openssl verify -CApath /etc/ssl server.crt
> server.crt: C = XX, O = YYYY, OU = WWWW, OU = VVVV, OU = ZZZZZ, CN =
> service.web.fr
> error 20 at 0 depth lookup: unable to get local issuer certificate
> C = XX, O = YYYY, OU = WWWW, OU = VVVV, OU = ZZZZZ, CN = service.web.fr
> error 20 at 0 depth lookup: unable to get local issuer certificate
>
> Result is KO.
> The same command in OpenBSD 6.5 and 6.7 is OK.
>
> If I try with the bundle.pem previously created:
> Code :
> openssl verify -CAfile /etc/ssl/bundle.pem server.crt
> server.crt: OK
> It's OK.
>
> Adding my CAs to the default cert.pem (provided by OpenBSD)
> I tried:
> Code :
> openssl verify -CAfile /etc/ssl/cert.pem server.crt
> server.crt: OK
> It's OK, normal.
>
> But now, if I try with CApath:
> Code :
> openssl verify -CApath /etc/ssl server.crt
> server.crt: OK
>
> It's very strange?!
> Doing this command with ktrace shows that only cert.pem is parsed using the
> CApath option. Other CA files using hash files are ignored.
>
> I tried in Apache with all my CAs stored in cert.pem but it's still not
> working :(
>
> I don't find similar cases on Google or mailing-lists.
> I didn't find a changelog about CApath parsing for the latest version, maybe
> it's a bug?
>
> Many thanks in advance for your help
> Julien
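For anyone hitting the same "error 20" and wanting to tell a broken hash directory apart from a verifier that ignores -CApath, here is an added example (not from this thread, and not OpenBSD or LibreSSL code). It is a POSIX sh script that builds a constructed throwaway root CA and leaf ("Example Test Root" and "service.example" are made-up names), lays the CA out as a <subject_hash>.N directory the way certhash does, audits that every file sits under the hash of the certificate it holds, and then verifies the leaf with -CApath and with a -CAfile bundle made from the very same files. It assumes an openssl binary on PATH (OpenSSL 1.1+ or LibreSSL) and that the test CA is not in the system cert.pem, so a successful -CApath verify can only come from the hashed lookup.

```shell
#!/bin/sh
# Added example: distinguish "the hashed CA directory is wrong" (stale hash names
# after a CA swap without re-running certhash) from "the verifier ignores -CApath"
# (a clean audit but -CAfile works while -CApath does not, as reported above).
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to check" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_pki DIR: constructed self-signed root (CA:TRUE, keyCertSign) and one
# leaf it signs. Test material only; it is absent from the system trust store.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test Root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=service.example" -newkey rsa:2048 \
        -nodes -sha256 -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# build_capath SRCDIR DSTDIR: copy every ca*.pem into DSTDIR as <subject_hash>.N,
# the layout a -CApath lookup expects (what openssl certhash / c_rehash produce).
build_capath() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for cert in "$src"/ca*.pem; do
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        n=0
        while [ -e "$dst/$hash.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$dst/$hash.$n"
    done
}

# audit_capath DIR: print the number of <hash>.N files whose name does not match
# the subject hash of the certificate inside; details go to stderr.
audit_capath() {
    bad=0
    for f in "$1"/*.[0-9]; do
        [ -e "$f" ] || continue
        want=$(openssl x509 -in "$f" -noout -subject_hash)
        name=${f##*/}; name=${name%.*}
        if [ "$name" != "$want" ]; then
            echo "audit: $f holds a certificate with subject hash $want" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# verify_ok FLAG STORE LEAF: true if `openssl verify FLAG STORE LEAF` prints "LEAF: OK"
# (checked on output rather than exit status, which older versions got wrong).
verify_ok() {
    openssl verify "$1" "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# check_capath_consistency LEAF DIR: verify LEAF via -CApath DIR and via a -CAfile
# bundle built from the same files. Prints consistent, capath-broken (bundle works,
# hashed lookup does not: the symptom in the thread) or chain-incomplete (no issuer).
check_capath_consistency() {
    leaf=$1; capath=$2
    bundle=$(mktemp)
    for f in "$capath"/*.[0-9]; do
        if [ -e "$f" ]; then cat "$f"; fi
    done > "$bundle"
    if verify_ok -CAfile "$bundle" "$leaf"; then file_ok=1; else file_ok=0; fi
    if verify_ok -CApath "$capath" "$leaf"; then path_ok=1; else path_ok=0; fi
    rm -f "$bundle"
    if [ "$file_ok" = 1 ] && [ "$path_ok" = 1 ]; then echo consistent
    elif [ "$file_ok" = 1 ]; then echo capath-broken
    else echo chain-incomplete
    fi
}

make_test_pki "$WORK/pki"
build_capath "$WORK/pki" "$WORK/capath"
echo "hash-name mismatches: $(audit_capath "$WORK/capath")"
echo "capath vs bundle: $(check_capath_consistency "$WORK/pki/leaf.pem" "$WORK/capath")"
```

On a healthy verifier the script prints 0 mismatches and "consistent". Pointing the two functions at a real directory such as /etc/ssl with a real server certificate gives the interpretation used above: "capath-broken" together with a non-zero audit count means the directory needs re-hashing, while "capath-broken" with a clean audit means the hashed lookup itself is not being consulted, which is what the ktrace in the thread showed. Note that openssl verify also loads the default store (cert.pem), so a CA that is already in cert.pem will mask a broken -CApath, exactly as observed.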
