Thanks for the input, Mark. Unfortunately, I am not in a position to suggest changes to the F5's configuration. Fortunately, Mohammad's workaround worked.
Sean

On Fri, 8 Jul 2022 at 15:19, Mark H. Wood <[email protected]> wrote:

> On Fri, Jul 08, 2022 at 11:24:37AM +0200, Sean Carte wrote:
> > Ah, but wait, I remembered the chain of events that led to me installing the cert, whose chain is broken:
> >
> > The F5 firewall seems to provide certification through its wildcard certificate. So if you visit our current DSpace-CRIS 5 repository at https://openscholar.dut.ac.za/ and check the connection security for that site, you will see that it is verified by Sectigo Ltd. However, on that server, I'm using a self-signed certificate. (It used to be LetsEncrypt before the F5.)
> >
> > /etc/apache2/sites-enabled/default-ssl.conf
> > SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
> > SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
> >
> > That didn't work for DSpace 7 (I forget the exact error, but I suspect it was the verification error). So I requested the certificate from the IT admin, and installed that.
> >
> > But it seems as though that doesn't even get seen by openssl s_client ...
> >
> > For comparison, if I run
> > openssl s_client -connect openscholar.dut.ac.za:443
> >
> > I get a similar error: Verification error: unable to verify the first certificate.
> >
> > I'm really out of my depth here and not sure who or where to seek help. All I know is that I can get this working unless it's behind the F5. But then, in that case, I'm using LetsEncrypt.
>
> Your wildcard certificate for *.dut.ac.za is signed by "C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA" but that cert. is not in your client's trust store. It's not in the trusted certificates bundle on my workstation, either. Google has a lot of hits on "sectigo root certificate not trusted" which may shed some light. You may need help from Sectigo customer support.
>
> Or there may be some reason why that particular cert. is no longer trusted.
>
> Or it may be an intermediate authority whose cert. should be sent out with the server cert. to complete the trust chain to the root. In that case, you may need to get a copy of that cert. and install it in the F5's trust store (once you're sure that *you* trust it).
>
> A client must be able to construct a path from the certificate presented by the site, through that cert.'s issuer cert. ("i:" in the certificate chain) via *its* issuer, etc. until it reaches a root certificate that it already trusts.
>
> --
> Mark H. Wood
> Lead Technology Analyst
>
> University Library
> Indiana University - Purdue University Indianapolis
> 755 W. Michigan Street
> Indianapolis, IN 46202
> 317-274-0749
> www.ulib.iupui.edu
>
> --
> All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
> ---
> You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/Ysguzgx1FU%2BATiUl%40IUPUI.Edu.

To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/CA%2BxAuhN%3D3G8K2uVYUODc2zoryqjWUnef7CH%3DSLgYLS4nScww%2Bw%40mail.gmail.com.
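The failure mode Mark explains above (a server that sends only its own certificate, so the client cannot build a path through the intermediate to a root it trusts), reproduced offline with a throwaway root -> intermediate -> leaf hierarchy; this is an added example, not code from the thread. All names (Example Root CA, *.example.test) are constructed, and `openssl verify` reports the incomplete chain as error 20 (unable to get local issuer certificate), the local-lookup counterpart of the error 21 that s_client printed for Sean.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# hierarchy and verify the leaf the way a client does, trusting only the root.
# All names (Example Root CA, *.example.test, ...) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: a CA needs basicConstraints CA:TRUE, a server cert does not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext

# Root CA: self-signed, the only certificate the simulated client trusts.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
  -extfile ca.ext 2>/dev/null
# Intermediate CA, signed by the root. A server must send this cert along with
# its own, because the client's trust store holds only the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 2 -extfile ca.ext 2>/dev/null
# Leaf: the wildcard server certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out leaf.crt -days 2 -extfile leaf.ext 2>/dev/null

# verify_chain LEAF [INTERMEDIATE...]: act as a client that trusts only root.crt
# and has been sent LEAF plus whatever extra certs the server included.
# Returns openssl's status: 0 when a path to the root can be built, non-zero otherwise.
verify_chain() {
  leaf=$1; shift
  if [ $# -gt 0 ]; then
    cat "$@" > sent.pem
    openssl verify -CAfile root.crt -untrusted sent.pem "$leaf"
  else
    openssl verify -CAfile root.crt "$leaf"
  fi
}

# Server sends only the leaf: its issuer cannot be found, so verification fails
# (openssl verify reports "unable to get local issuer certificate", error 20).
verify_chain leaf.crt || echo "leaf alone: chain incomplete"
# Server sends leaf + intermediate: the path leaf -> intermediate -> root closes.
verify_chain leaf.crt inter.crt
```

The same check against a live server is what `openssl s_client -showcerts` makes visible: compare the `i:` line of the first certificate with the `s:` lines of the others to see whether the issuer was actually sent.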
