On Fri, Jul 08, 2022 at 11:24:37AM +0200, Sean Carte wrote:
> Ah, but wait, I remembered the chain of events that led to me installing
> the cert, whose chain is broken:
>
> The F5 firewall seems to provide certification through its wildcard
> certificate. So if you visit our current DSpace-CRIS 5 repository at
> https://openscholar.dut.ac.za/ and check the connection security for that
> site, you will see that it is verified by Sectigo Ltd. However, on that
> server, I'm using a self-signed certificate. (It used to be LetsEncrypt
> before the F5.)
>
> /etc/apache2/sites-enabled/default-ssl.conf
> SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
> SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
>
> That didn't work for DSpace 7 (I forget the exact error, but I suspect it
> was the verification error). So I requested the certificate from the IT
> admin, and installed that.
>
> But it seems as though that doesn't even get seen by openssl s_client ...
>
> For comparison, if I run
> openssl s_client -connect openscholar.dut.ac.za:443
>
> I get a similar error: Verification error: unable to verify the first
> certificate.
>
> I'm really out of my depth here and not sure who or where to seek help. All
> I know is that I can get this working unless it's behind the F5. But then,
> in that case, I'm using LetsEncrypt.
Your wildcard certificate for *.dut.ac.za is signed by "C = GB, ST =
Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA
Organization Validation Secure Server CA" but that cert. is not in your
client's trust store. It's not in the trusted certificates bundle on
my workstation, either. Google has a lot of hits on "sectigo root
certificate not trusted" which may shed some light. You may need help
from Sectigo customer support. Or there may be some reason why that
particular cert. is no longer trusted.
Or it may be an intermediate authority whose cert. should be sent out
with the server cert. to complete the trust chain to the root. In
that case, you may need to get a copy of that cert. and install it in
the F5's trust store (once you're sure that *you* trust it).
A client must be able to construct a path from the certificate
presented by the site, through that cert.'s issuer cert. ("i:" in the
certificate chain) via *its* issuer, etc. until it reaches a root
certificate that it already trusts.
--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
