Re: httpd: certificate files with prepended intermediates
On Tue, Sep 13, 2016 at 03:57:33AM -0400, Ian Sutton wrote:
> On Tue, Sep 13, 2016 at 09:50:43AM +0200, Robert Klein wrote:
> > Did you try to /append/ the intermediate certificate(s) to the server
> > certificate? That worked for me on OpenBSD 6.0's httpd.
>
> Yes.
>
> Uncanny timing on your mail -- I just got it to work. httpd(8) needs the
> intermediate certificate to be at the *bottom* of the combined
> certificate, the opposite of what I'm used to.

Both nginx and apache do it like that...

	-Otto

> To clarify for future readers: if you want to provide an intermediate
> certificate with OpenBSD httpd, your /etc/ssl/server.crt files should
> look like this:
>
> -----BEGIN CERTIFICATE-----
>
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
>
> -----END CERTIFICATE-----
>
> > An explanation might be the documentation to the
> > SSL_CTX_use_certificate_chain_XXX functions used:
> >
> >     The SSL_CTX_use_certificate_chain*() functions load a certificate
> >     chain into ctx. The certificates must be in PEM format and must
> >     be sorted starting with the subject's certificate (actual client
> >     or server certificate), followed by intermediate CA certificates
> >     if applicable, and ending at the highest level (root) CA. There
> >     is no corresponding function working on a single SSL object.
>
> I (myopically) missed this.
>
> > Best regards
> > Robert
Re: httpd: certificate files with prepended intermediates
On Tue, 13 Sep 2016 03:15:18 -0400 Ian Sutton wrote:
> On Tue, Sep 13, 2016 at 12:05:53AM -0700, Philip Guenther wrote:
> > See, here's where you're taking a wrong turn that I should have
> > caught earlier: your first post should answer this question:
> > What problem are you trying to solve?
> >
> > httpd may be able to do what you want *already*, but since you
> > haven't actually *told anyone* what you're trying to do, no one can
> > help you and say "oh yeah, that already works as documented in
> > "
>
> Since my certificate isn't provided by a root CA, any clients would
> have to verify both my cert AND the certificates of the intermediate
> authorities between me and the root CA. I can provide this certificate
> stapled along with my own cert to save the client the trouble of
> fetching it, which Qualys informs me is "good practice".

Did you try to /append/ the intermediate certificate(s) to the server
certificate? That worked for me on OpenBSD 6.0's httpd.

An explanation might be the documentation to the
SSL_CTX_use_certificate_chain_XXX functions used:

    The SSL_CTX_use_certificate_chain*() functions load a certificate
    chain into ctx. The certificates must be in PEM format and must
    be sorted starting with the subject's certificate (actual client
    or server certificate), followed by intermediate CA certificates
    if applicable, and ending at the highest level (root) CA. There
    is no corresponding function working on a single SSL object.

Best regards
Robert
Re: httpd: certificate files with prepended intermediates
On Tue, Sep 13, 2016 at 09:50:43AM +0200, Robert Klein wrote:
> Did you try to /append/ the intermediate certificate(s) to the server
> certificate? That worked for me on OpenBSD 6.0's httpd.

Yes.

Uncanny timing on your mail -- I just got it to work. httpd(8) needs the
intermediate certificate to be at the *bottom* of the combined
certificate, the opposite of what I'm used to.

To clarify for future readers: if you want to provide an intermediate
certificate with OpenBSD httpd, your /etc/ssl/server.crt files should
look like this:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

> An explanation might be the documentation to the
> SSL_CTX_use_certificate_chain_XXX functions used:
>
>     The SSL_CTX_use_certificate_chain*() functions load a certificate
>     chain into ctx. The certificates must be in PEM format and must
>     be sorted starting with the subject's certificate (actual client
>     or server certificate), followed by intermediate CA certificates
>     if applicable, and ending at the highest level (root) CA. There
>     is no corresponding function working on a single SSL object.

I (myopically) missed this.

> Best regards
> Robert
Re: httpd: certificate files with prepended intermediates
On Tue, Sep 13, 2016 at 12:05:53AM -0700, Philip Guenther wrote:
> See, here's where you're taking a wrong turn that I should have caught
> earlier: your first post should answer this question:
> What problem are you trying to solve?
>
> httpd may be able to do what you want *already*, but since you haven't
> actually *told anyone* what you're trying to do, no one can help you
> and say "oh yeah, that already works as documented in "

Since my certificate isn't provided by a root CA, any clients would have
to verify both my cert AND the certificates of the intermediate
authorities between me and the root CA. I can provide this certificate
stapled along with my own cert to save the client the trouble of fetching
it, which Qualys informs me is "good practice".

> Or maybe: "oh yeah, that can be done, but isn't documented because it
> seemed clunky. Use this configuration, and I'm fixing the docs".
>
> Or maybe: "oh yeah, that would be useful. I was thinking it should be
> done like but if you implement it send me the diff."

If this is the case, I would like to know so I could try and implement it
myself and atone for my apparent sins.

> I suspect it's the middle case..but I'm not reyk@ and don't normally
> work on httpd...
>
>
> ...and I don't know why you took this thread off-list. This seems
> like a discussion that would be useful to others.

Forgot to cc the list ;)
Re: httpd: certificate files with prepended intermediates
On Mon, Sep 12, 2016 at 11:16 PM, Ian Sutton wrote:
> httpd currently fails to serve over TLS if the certificate file
> specified in httpd.conf contains an intermediate certificate ahead of
> the site's certificate. httpd still starts with no error indication
> (with rcctl) but `httpd -d` shows:

Hmm. What wording of the documentation suggested that multiple
certificates should or *could* be placed in that file? The manpage says

    certificate file
        Specify the certificate to use for this server. The file
        should contain a PEM encoded certificate. The default is
        /etc/ssl/server.crt.

It doesn't say how it behaves if there are multiple certificates in the
file, so why do you think the current behavior is wrong?

More precisely, since it *doesn't* say *which* cert in the file it would
use when there are multiple, it may use any of them. If the one it chose
didn't match the key that you provided then yeah, it'll fail. So, as the
old joke goes, "don't do that!"

Having looked at the source, I *think* I know which it'll use as the
server cert, and what it'll do with other certs in file, but a) I haven't
tested it and b) more importantly, reyk@ hasn't documented a behavior and
thereby decided it's supported, in some sense.

Philip Guenther
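The two things this thread turns on, whether the first certificate in the file is the one the private key belongs to (Philip's "if the one it chose didn't match the key") and whether the certificates that follow are sorted leaf, then intermediate, as the SSL_CTX_use_certificate_chain*() text quoted further up says, can be checked before handing the file to httpd. The program below is an added example and is not httpd's or LibreSSL's code: it builds a constructed root/intermediate/leaf chain with Go's crypto/x509 (the CA names, the hostname www.example.org and the function names are made up), writes the combined file in both orders, and applies the rule to each.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckChainFile applies the SSL_CTX_use_certificate_chain*() ordering rule
// to a combined PEM file: the first CERTIFICATE block is taken as the server
// certificate and must belong to the private key, and every later block must
// be the issuer of the block before it.
func CheckChainFile(chainPEM []byte, key *ecdsa.PrivateKey) error {
	var certs []*x509.Certificate
	rest := chainPEM
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or DH parameters may share the file; ignore them
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("certificate %d: %w", len(certs), err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return fmt.Errorf("no CERTIFICATE blocks found")
	}
	// A prepended intermediate fails here: its public key is not the server key.
	pub, ok := certs[0].PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return fmt.Errorf("first certificate %q does not match the private key (is an intermediate listed before the server certificate?)",
			certs[0].Subject.CommonName)
	}
	for i := 1; i < len(certs); i++ {
		if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {
			return fmt.Errorf("certificate %d %q did not issue certificate %d %q: %w",
				i, certs[i].Subject.CommonName, i-1, certs[i-1].Subject.CommonName, err)
		}
	}
	return nil
}

// must panics on error so the constructed demo chain stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal template; CA templates get the basicConstraints
// and keyUsage values CheckSignatureFrom requires of an issuer.
func template(cn string, ca bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl for pub with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// toPEM concatenates certificates in the given order, like `cat a.crt b.crt`.
func toPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// Demo constructs root -> intermediate -> leaf (all names made up) and returns
// the leaf key plus the combined file with the intermediate appended (the
// order that works) and with the intermediate prepended (the order that fails).
func Demo() (key *ecdsa.PrivateKey, appended, prepended []byte) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := issue(template("Example Root CA", true, 1), nil, &rootKey.PublicKey, rootKey)
	inter := issue(template("Example Intermediate CA", true, 2), root, &interKey.PublicKey, rootKey)
	leaf := issue(template("www.example.org", false, 3), inter, &leafKey.PublicKey, interKey)
	return leafKey, toPEM(leaf, inter), toPEM(inter, leaf)
}

func main() {
	key, appended, prepended := Demo()
	fmt.Println("server cert then intermediate:", CheckChainFile(appended, key))
	fmt.Println("intermediate then server cert:", CheckChainFile(prepended, key))
}
```

Run with `go run`, the appended order reports no error and the prepended order reports that the first certificate does not match the private key, which is the same condition behind httpd's "failed to load private key" message in the original post. The second loop catches the other way of getting the file wrong (a certificate that did not issue its predecessor), which a TLS server would not notice at load time but clients would reject.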
httpd: certificate files with prepended intermediates
httpd currently fails to serve over TLS if the certificate file
specified in httpd.conf contains an intermediate certificate ahead of
the site's certificate. httpd still starts with no error indication
(with rcctl) but `httpd -d` shows:

    server_tls_init: failed to configure tls - failed to load private key

I think this may be due to a fingerprint mismatch between the pub/private
key on the server and the first cert found in the certfile (the
intermediate in my case). No error is reported in error.log, and if this
failure is indeed intended functionality, perhaps we should log an error
as I imagine a lot of people will run into this.

I'm getting this problem on the server at https://ce.gl with the compound
certfile pasted below. I'm running the latest snapshot as of this mail.

-----BEGIN CERTIFICATE-----
MIIEtTCCA52gAwIBAgIQSOmUQNQ2SRy4uII9CUOUxzANBgkqhkiG9w0BAQsFADCB
mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT
MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s
eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eSAtIEczMB4XDTE0MDYxMDAwMDAwMFoXDTI0MDYwOTIzNTk1OVowRzELMAkG
A1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlk
U1NMIFNIQTI1NiBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAxJVjKNBOMEWvi5c0FEX4XFhK+jOObpxgq/OG/zR0siu+oYzVoqNgekC54fwi
yme6YKrHmvkGf+73uoUFsAP/cq4VQUqYZNcXS1TvBcaYB5MnPk/cD8Z7i+fzBl6N
6LSuKbQeHi0WkNPqqueMO22vNln/xQr6x0y9NotkxEr1zjP5B75/RZCoCBSw0KVP
34KA2hvuwxOwmPUP+X52tea5XWi5XFCQiaQ2sXAW6rEQtWp23+G7/HjycpnPyaLU
c1R3v8A5d+WuEsV4WhlF1EEZ03z1b5lr14u8LQmdSxBhwNpSw68iQ8brN35jdDAN
anGO3l1bisjF15sp6K62JWGB6wIDAQABo4IBSTCCAUUwLgYIKwYBBQUHAQEEIjAg
MB4GCCsGAQUFBzABhhJodHRwOi8vZy5zeW1jZC5jb20wEgYDVR0TAQH/BAgwBgEB
/wIBADBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggrBgEFBQcCARYlaHR0
cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczA2BgNVHR8ELzAtMCug
KaAnhiVodHRwOi8vZy5zeW1jYi5jb20vR2VvVHJ1c3RQQ0EtRzMuY3JsMA4GA1Ud
DwEB/wQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRU3ltYW50ZWNQS0kt
MS02OTcwHQYDVR0OBBYEFEz0v+g7vsIk8xtHO7VuSI4Wq68SMB8GA1UdIwQYMBaA
FMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IBAQB6U7Xetu9S
o1+K9YnxQsxeRoiupQiHUd4PDwLrDIJ443N9cb1D6cqKP+AlkpszM3RJXgDZcxQc
C0Z2HIoNTYxsfkv3YNiBeKB40CViqxDKIugcGd1Sg2QF5Ydmrud6pDs+2HB6dqJn
OdTJ+uW3HkHiCTmIHBhVCsRBr7Lz8w9CFGF0gePah1qaTYvTyY+JZhMpEeT/4t+O
lgxaoaprm/38AztVDaaiJUgXH0Ko2mx+aW6g32fSbfQOahJ59XzIpTIcxDGy5ruo
a2qiimBpwFd9svIxDJhlMuwIWs7GmOkhlz8seSkD9faUK1Mx85NoV+HXTzrRYaFg
zrmrmK41VGOL
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHSzCCBjOgAwIBAgIQW67ZVzRyTffPhd2TF72dcTANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
UmFwaWRTU0wgU0hBMjU2IENBMB4XDTE2MDgxOTAwMDAwMFoXDTE5MDgxOTIzNTk1
OVowEDEOMAwGA1UEAwwFY2UuZ2wwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQC9DlvOyoljoevhSYkW7F0IctgaS2mFln0shcuKwF4Lp2U0bWygE9FuxZZe
fEDGlQv+6SPchoyHJxtMNB4zZ53exud+aXWfXyP85J7f2dvuzxlpiqKSU8TV1dKv
hzrPP9tKN5BAjfNjKtzSkPQbBb313BR+sIGj4pVRZlce25y6v4d1tXRbDN+lNf94
6DlMLMwAejwW8BT7HhgjN2y/kotrZc6dh/jAScbUCs+sW14bVX6z0H01mWomtnn1
7CmNnIGqzVF4ZYVeJwa7hKRnkPh3uZbV1eZLGME6qYyIw6Ip77GxP2Cq4UDrO6Cl
ZcS0IyUfNo6bUwVKDUdCE5RxvCXoO1dD5Tnp7NEjntXv+bLxnYTCTWyStE6Lunn3
dgaUjAgrCMFX5EmlvKusVa/LjSibvgdWlJSV4LN+WpGuvcGWWIh/NLs1MdGxgQ8J
JJPUD/JTOBwofvs0x9/JrQH0bHKri72kWtCj0Ldtt4z25J/w5YcVkyNsYGykzccu
0lnz7jVWJMCpVOP0mcuu3tElsK9NtEtFmpItPeSoneq7Fuer7fIFr0vl7Um3RsHi
RmWdRE1o/+9YeC3mLmCZAdX+Vr9tUYZs/HZA7YxtPh4ulCqqq4VF9mPkEN22ugAG
A2W4aSoV7eTn9VauYtszncw0ga2huYAHWn+DfUbKfE0xywezDwIDAQABo4IDbTCC
A2kwGwYDVR0RBBQwEoIFY2UuZ2yCCXd3dy5jZS5nbDAJBgNVHRMEAjAAMCsGA1Ud
HwQkMCIwIKAeoByGGmh0dHA6Ly9ncC5zeW1jYi5jb20vZ3AuY3JsMG8GA1UdIARo
MGYwZAYGZ4EMAQIBMFowKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LnJhcGlkc3Ns
LmNvbS9sZWdhbDAsBggrBgEFBQcCAjAgDB5odHRwczovL3d3dy5yYXBpZHNzbC5j
b20vbGVnYWwwHwYDVR0jBBgwFoAUl8InUJ7CyewMiDLIfK3ipgFP2m8wDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBXBggrBgEF
BQcBAQRLMEkwHwYIKwYBBQUHMAGGE2h0dHA6Ly9ncC5zeW1jZC5jb20wJgYIKwYB
BQUHMAKGGmh0dHA6Ly9ncC5zeW1jYi5jb20vZ3AuY3J0MIIB9gYKKwYBBAHWeQIE
AgSCAeYEggHiAeAAdQDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAA
AVag+RhOAAAEAwBGMEQCIFiBRHgUzAy64XjT5bpJHwktFi48C7KiXukD/Grc0YSQ
AiBN+6wQkrsiJ6Y+dvsAW3uNIr55ukslWvpWyXBealLmpAB3AKS5CZC0GFgUh7sT
osxncAo8NZgE+RvfuON3zQ7IDdwQAAABVqD5Gg0AAAQDAEgwRgIhAKrbjgn2rp4Z
A9xsflPrPdc//Lo8EVKgK7NhY01qrH8nAiEA5/xngKESqWXbUAjtAKr/rp7Gx67H
9l7zxskMqSSjYSkAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAA
AVag+RoYAAAEAwBHMEUCIQCI5YuEx9Ncp3XRuvG86YjHuJt3owGb7objrT406HqA
GgIgKD+/uXZrvGCeUO6WWMQ11JqXVaMKa5x564U1UHDDgboAdgDuS723dc5guuFC
aR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVag+RznAAAEAwBHMEUCIQDQJEPmjKq9
xrYN8DK5N9v20GBt1Ew5qEa/KbFImShG+QIgGmLKCwOYRPbJ96Cyn6p3VRGBrOLy
xPYFypeaPd2iE5wwDQYJKoZIhvcNAQELBQADggEBAIv9q86HrAvTl1EcjZRMWJPc
es7HP91xh6Dk3J/jTtvd7FRNo33lv2jwW+7C0UaZBY5hREdfw7pysXehwXFv4hlE
+eHS5PkSRep/xIFw656JTceP8BDBwkWnaq6A9Gj9zHpis6c/CcV/99JZWDsdbdOY
qJnjm+LviYeSIdDZSDX5U8b8EZNTxuRvrNaUBWHLQ7UIlE1txAqkBZlJkolpe3Ca
tGQ9g2iOExUWqseKfWW/8DjA3yGr6Nz3aNjc+E7mRCN0TMZ6/OfTGdW7FgDKtFA1