Ah, but wait, I remembered the chain of events that led to me installing
the cert, whose chain is broken:

The F5 firewall seems to provide certification through its wildcard
certificate. So if you visit our current DSpace-CRIS 5 repository at
https://openscholar.dut.ac.za/ and check the connection security for that
site, you will see that it is verified by Sectigo Ltd. However, on that
server, I'm using a self-signed certificate. (It used to be Let's Encrypt
before the F5.)

/etc/apache2/sites-enabled/default-ssl.conf
                SSLCertificateFile      /etc/ssl/certs/apache-selfsigned.crt
                SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key

That didn't work for DSpace 7 (I forget the exact error, but I suspect it
was the verification error). So I requested the certificate from the IT
admin, and installed that.

But it seems as though that doesn't even get seen by openssl s_client ...

For comparison, if I run
openssl s_client -connect openscholar.dut.ac.za:443

I get a similar error: Verification error: unable to verify the first
certificate.

I'm really out of my depth here and not sure who or where to seek help. All
I know is that I can get this working unless it's behind the F5. But then,
in that case, I'm using Let's Encrypt.

Sean
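Not part of the thread: an added example that reproduces the "unable to verify the first certificate" failure seen in the s_client output below with a throwaway CA hierarchy (root, intermediate, leaf), then shows the fix, a chain file that carries the intermediate after the leaf. The names (Example Root CA, repo.example.test) and the working directory are constructed, and an openssl binary on PATH is assumed.

```sh
#!/bin/sh
# Added example: reproduce "unable to verify the first certificate" with a
# throwaway CA hierarchy (root -> intermediate -> leaf), then show that sending
# the intermediate along with the leaf fixes it. All names are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}

gen_ca_chain() {
  # Self-signed root; a client would have this (and only this) in its trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA signed by the root (needs CA:TRUE or OpenSSL rejects it as a CA).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$WORK/ca.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate, like a CA-issued wildcard.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=repo.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
  # What Apache >= 2.4.8 accepts in SSLCertificateFile: leaf first, then the
  # intermediate(s), root omitted. Order matters for strict clients.
  cat "$WORK/leaf.pem" "$WORK/int.pem" >"$WORK/leaf_with_int.pem"
}

# verify_chain FILE: emulate a client that trusts only the root and is handed
# FILE by the server. Exit 0 = chain verifies; non-zero = the s_client error.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

# show_chain FILE: print subject/issuer of each cert in the order sent, so a
# gap (the leaf's issuer is not the next cert's subject) is visible at a glance.
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

gen_ca_chain
echo "leaf only:";           show_chain "$WORK/leaf.pem"
verify_chain "$WORK/leaf.pem" && echo "verifies" || echo "FAILS (missing intermediate)"
echo "leaf + intermediate:"; show_chain "$WORK/leaf_with_int.pem"
verify_chain "$WORK/leaf_with_int.pem" && echo "verifies" || echo "FAILS"
```

Running show_chain against the PEM a CA hands out is a quick way to see whether it is the bare leaf or already includes the intermediate before dropping it into SSLCertificateFile.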

On Thu, 7 Jul 2022 at 16:11, Sean Carte <[email protected]> wrote:

> Thanks, Michael. That's useful. I'll follow up with our IT department.
>
> Sean
>
> On Thu, 7 Jul 2022 at 10:23, Plate, Michael <
> [email protected]> wrote:
>
>> Hi Sean,
>>
>> your certificate chain is broken:
>>
>> openssl s_client -connect crdb.dut.ac.za:443
>>
>> CONNECTED(00000003)
>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street
>> = Overport, street = 7 Ritson Road, O = Durban University of Technology, OU
>> = ITSS, CN = *.dut.ac.za
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street
>> = Overport, street = 7 Ritson Road, O = Durban University of Technology, OU
>> = ITSS, CN = *.dut.ac.za
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> depth=0 C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street
>> = Overport, street = 7 Ritson Road, O = Durban University of Technology, OU
>> = ITSS, CN = *.dut.ac.za
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:C = ZA, postalCode = 4001, ST = KwaZulu-Natal, L = Durban, street =
>> Overport, street = 7 Ritson Road, O = Durban University of Technology, OU =
>> ITSS, CN = *.dut.ac.za
>>    i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
>> CN = Sectigo RSA Organization Validation Secure Server CA
>> ---
>> […]
>>
>> Browsers accept this; other programs are more picky about chain order.
>> If you can't get around it, try Let's Encrypt and install certbot (it's in
>> Debian packages, no need for snap).
>>
>>
>> Michael
>>
>> ________________________________________
>> From: [email protected] <[email protected]> on
>> behalf of Sean Carte <[email protected]>
>> Sent: Thursday, 7 July 2022 07:54
>> To: Thiago Henrique Carvalho da Costa
>> Cc: DSpace Technical Support
>> Subject: Re: [dspace-tech] Re: DSpace 7.2 behind a F5 internal firewall
>> with wildcard certificate
>>
>> […]
>>
>> --
>> All messages to this mailing list should adhere to the Code of Conduct:
>> https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "DSpace Technical Support" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/dspace-tech/d00aa2e38fde4d2b8d28b164d724ce99%40bibliothek.uni-kassel.de
>> .
>>
>

-- 
All messages to this mailing list should adhere to the Code of Conduct: 
https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhPm8wh6rBDKk9UQyzLGy%2Bf0tu_YXrUfTGMb%2B5Z8w_qoig%40mail.gmail.com.