Hi Andre,

Your perfect explanation resolved the issue on my FreeBSD platform.

I did not expect the redundant requirement of the server cert in both the 
SSLCertificate and the SSLAuthorityChain.
Most servers I'm working with need only the intermediate cert(s) in the chain 
file.

The root CA cert from DST can be omitted from the chain file if that cert is in 
the root CA store on the client system.
This is my current configuration in production, and I will learn whether it still 
works after the next LE cert rollover (-;

Thanks again for your patience and your time,
Axel

> On 10.09.2016 at 02:41, Andre LaBranche <d...@apple.com> wrote:
> 
> Hi,
> 
> We expect the file (not directory) referenced by the SSLAuthorityChain config 
> directive to contain a concatenation of the following, in this order:
> 
> server cert
> intermediate CA certs
> root CA cert
> 
> Once you have constructed such a chain file, you can verify it against the 
> plain server cert file as follows:
> 
> % openssl verify -verbose -CAfile /path/to/chain.pem -purpose sslserver /path/to/cert.pem
> /path/to/cert.pem: OK
> 
> Trying to verify without specifying the CAfile doesn't validate, as expected:
> 
> % openssl verify -verbose -purpose sslserver /path/to/cert.pem
> /path/to/cert.pem: /CN=my-coolest-domain.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
> 
> As a related aside, I tested this on my public server that uses LE (and which 
> is running Server.app, not the open source CalendarServer); however, modern 
> versions of Server.app use an apache reverse proxy to do all the TLS for the 
> backend services. Apache uses a similar setup, where the configuration 
> specifies the server cert, the authority chain file (as described above), and 
> the private key, so I think it's a valid test.
> 
> Also, I note that (using the Server tools) the authority chain file I ended 
> up with has three certs in it:
> my server cert
> Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
> Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
> 
> ... which I only mention because the letsencrypt software doesn't seem to 
> include that final root cert in any of the files associated with my cert 
> renewal. Perhaps it's already in my system's root CA store, so it was read 
> from there while following the issuer chain upstream.
> 
> Hope this helps,
> -dre
> 
>> On Sep 4, 2016, at 10:48 AM, Axel Rau <axel....@chaos1.de> wrote:
>> 
>> Hi,
>> 
>> I'm getting spurious 'certificate not trusted' errors on client programs on 
>> OSX 10.11.6.
>> Server cert is from letsencrypt and worked so far, but:
>> - - -
>> [caldav3:local/etc/caldavd] root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav.lrau.net:8443
>> CONNECTED(00000003)
>> depth=0 CN = caldav.lrau.net
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 CN = caldav.lrau.net
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 CN = caldav.lrau.net
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/CN=caldav.lrau.net
>>  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> . . .
>> Verify return code: 21 (unable to verify the first certificate)
>> - - -
>> 
>> If I put the Let's Encrypt Authority X3 cert
>>      https://letsencrypt.org/certificates/
>> in PEM format into the config dir and point SSLAuthorityChain at it, I get:
>> - - -
>> root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav3.lrau.net:8443
>> CONNECTED(00000003)
>> 34379258024:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:757:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 297 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> - - -
>> These certs work with all other servers.
>> So what am I doing wrong?
>> 
>> Axel
>> 
>> Installed versions:
>> - - -
>> gettext-runtime-0.19.8.1       GNU gettext runtime libraries and programs
>> gmp-5.1.3_3                    Free library for arbitrary precision arithmetic
>> indexinfo-0.2.4                Utility to regenerate the GNU info page index
>> libevent2-2.0.22_1             API for executing callback functions on events or timeouts
>> libffi-3.2.1                   Foreign Function Interface
>> memcached-1.4.25               High-performance distributed memory object cache system
>> perl5-5.20.3_15                Practical Extraction and Report Language
>> pkg-1.8.7_1                    Package manager
>> postgresql94-client-9.4.9      PostgreSQL database (client)
>> py27-PyGreSQL-5.0.1,1          Python interface to PostgreSQL, both classic and DP-API 2.0
>> py27-attrs-16.0.0              Python attributes without boilerplate
>> py27-calendar-0.15423          Library for iCalendar/vCard data
>> py27-calendarserver-8.0_8      Calendar and Contacts Server from Apple (RFC 4791, RFC 6352)
>> py27-cffi-1.7.0                Foreign Function Interface for Python calling C code
>> py27-characteristic-14.3.0     Python attributes without boilerplate
>> py27-cryptography-1.4          Cryptographic recipes and primitives for Python developers
>> py27-dateutil-2.5.0            Extensions to the standard Python datetime module
>> py27-enum34-1.1.6              Python 3.4 Enum backported to 3.3, 3.2, 3.1, 2.7
>> py27-idna-2.0                  Internationalized Domain Names in Applications (IDNA)
>> py27-ipaddress-1.0.16          Python 3.3's ipaddress for Python 2.6 and 2.7
>> py27-openssl-16.0.0            Python interface to the OpenSSL library
>> py27-pg8000-1.10.6             Pure-Python Interface to the PostgreSQL Database
>> py27-psutil-4.3.0              Process utilities module for Python
>> py27-pyasn1-0.1.9              ASN.1 toolkit for Python
>> py27-pyasn1-modules-0.0.8_1    Collection of ASN.1 data structures for py-asn1
>> py27-pycparser-2.10            C parser in Python
>> py27-pycrypto-2.6.1_1          Python Cryptography Toolkit
>> py27-pytz-2016.6.1,1           World Timezone Definitions for Python
>> py27-service_identity-16.0.0   Service identity verification for pyOpenSSL
>> py27-setproctitle-1.1.10       Python module to customize the process title
>> py27-setuptools27-23.1.0       Python packages installer
>> py27-six-1.10.0                Python 2 and 3 compatibility utilities
>> py27-sqlite3-2.7.12_7          Standard Python binding to the SQLite3 library (Python 2.7)
>> py27-sqlparse-0.1.16           Non-validating SQL parser for Python
>> py27-twext-0.15423             Extensions to Twisted
>> py27-twisted-15.5.0            Asynchronous networking framework written in Python
>> py27-xattr-0.7.8               Python wrapper for extended filesystem attributes
>> py27-zope.interface-4.1.3      Interfaces for Python
>> python2-2_3                    The "meta-port" for version 2 of the Python interpreter
>> python27-2.7.12                Interpreted object-oriented programming language
>> sqlite3-3.14.1                 SQL database engine in a C library
>> 
>> OpenSSL 1.0.1p-freebsd 9 Jul 2015
>> FreeBSD caldav3 10.1-RELEASE-p35 FreeBSD 10.1-RELEASE-p35 #0: Sat May 28 03:37:01 UTC 2016     r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>> 
>> ---
>> PGP-Key:29E99DD6  ☀  computing @ chaos claudius
>> 
>> _______________________________________________
>> calendarserver-users mailing list
>> calendarserver-users@lists.macosforge.org
>> https://lists.macosforge.org/mailman/listinfo/calendarserver-users
> 

---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius
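The chain-file layout and the openssl verify check that Andre describes above, and the "root can be left out if the client already trusts it" case from Axel's reply, worked through as an added example. This is not code from the thread and not CalendarServer's or Apple's own tooling: it builds a throwaway root -> intermediate -> server PKI with openssl (all names such as "Example Root CA" and caldav.example.test, the config sections and the temporary work directory are made up for the example), concatenates the certs in the order SSLAuthorityChain expects (server cert, intermediate CA cert(s), root CA cert), and then verifies the leaf against that file. It needs an openssl binary on PATH.

```sh
#!/bin/sh
# Added example, not from the thread. Builds a test PKI, assembles the
# SSLAuthorityChain-style file (server, intermediate, root) and verifies it.
# Everything below (names, config, directory) is made up for the example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to do" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: CA certs get CA:TRUE + keyCertSign, the server cert gets
# serverAuth, which is what "openssl verify -purpose sslserver" checks for.
write_config() {
    cat >"$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:caldav.example.test
EOF
}

# Root CA (self-signed), intermediate CA (signed by root), server cert (signed by the intermediate).
make_test_pki() {
    write_config
    (
        cd "$WORK"
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -config pki.cnf -extensions ca_ext \
            -subj "/O=Example Test/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
            -subj "/O=Example Test/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -sha256 \
            -extfile pki.cnf -extensions ca_ext -out inter.pem 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
            -subj "/CN=caldav.example.test" -keyout server.key -out server.csr 2>/dev/null
        openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 90 -sha256 \
            -extfile pki.cnf -extensions server_ext -out server.pem 2>/dev/null
    )
}

# Concatenate in the order the SSLAuthorityChain file expects: server, intermediate(s), root.
# Also write a variant without the root, which only validates if the root is trusted elsewhere.
build_chain() {
    cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" >"$WORK/chain.pem"
    cat "$WORK/server.pem" "$WORK/inter.pem" >"$WORK/chain-noroot.pem"
}

# Print subject/issuer of every cert in a chain file, in file order, to eyeball the ordering.
show_chain_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# The same check as in the thread: 0 when the leaf verifies against the chain file.
verify_against_chain() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# Chain file without the root, root supplied separately as the trust anchor:
# mirrors a client that already has the root CA in its own store.
verify_with_external_root() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain-noroot.pem" \
        -purpose sslserver "$WORK/server.pem" >/dev/null 2>&1
}

make_test_pki
build_chain
show_chain_order "$WORK/chain.pem"
verify_against_chain "$WORK/chain.pem" "$WORK/server.pem" && echo "full chain file: OK"
verify_with_external_root && echo "chain without root + trusted root: OK"
# With no chain file at all the leaf cannot be linked to any trusted root (error 20 in the thread).
openssl verify -purpose sslserver "$WORK/server.pem" 2>&1 || echo "no chain file: fails as expected"
```

Two caveats on reading the result: -CAfile makes every cert in the file a candidate trust anchor, so this check only proves the file is internally consistent and ends in a self-signed root, not that a client will accept what the server sends; the end-to-end test is still openssl s_client against the running server, as in the original report. And a server cert from a real CA such as Let's Encrypt has different extensions and an AKID, so expect the subject/issuer listing, not the exact cert contents, to match what show_chain_order prints here.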
