Re: Intermediate root CA's -- lost and confused :(

2010-09-15 Thread Paul B. Henson
On Mon, 13 Sep 2010, Mounir IDRASSI wrote:

> Your problem could come from the fact that your Apache
> SSLCertificateChainFile configuration is missing the Thawte Cross Root CA
> that links thawte Primary Root CA to Thawte Premium Server CA.

Thanks for the suggestion, but I don't see that I need that, the thawte
Primary Root CA is signed directly by the Thawte Premium Server CA.

Interestingly, I found two different versions of the thawte Primary Root
CA available from Thawte -- one signed by the Thawte Premium Server CA,
and one self-signed. As if this mess wasn't confusing enough :).

It turns out my problem was specifying the SSLCertificateChainFile
directive in a virtualhost section that wasn't the default. When I moved
the config to the default ssl vhost it started working.


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
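An added check for the cause Paul describes above (example script, not part of the thread): Apache selects the SSL virtual host by the SNI name a client sends, and a client that sends none is served by the default SSL vhost, so a chain configured in only one vhost is visible to some clients and not others. The script counts the certificates openssl s_client reports under "Certificate chain" with and without -servername; the function names and the two sample outputs are constructed for this example, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Apache picks the SSL virtual host from
# the SNI name the client sends; a client that sends none (for instance an
# older openssl s_client run without -servername) lands on the default SSL
# vhost. With SSLCertificateChainFile set only in a named vhost, SNI clients
# receive the chain and non-SNI clients just the leaf. Assumes the openssl CLI.

# count_chain: read openssl s_client output on stdin and print how many
# certificates appear in its "Certificate chain" section.
count_chain() {
    awk '/^Certificate chain/      { inchain = 1; next }
         inchain && /^---/         { inchain = 0 }
         inchain && /^ *[0-9]+ s:/ { n++ }
         END                       { print n + 0 }'
}

# probe HOST [PORT]: connect once without SNI and once with it, report the
# chain length the server sent each time, and fail if either is leaf-only.
probe() {
    host=$1
    port=${2:-443}
    nosni=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | count_chain)
    sni=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null | count_chain)
    echo "$host:$port chain length without SNI=$nosni, with SNI=$sni"
    if [ "$nosni" -lt 2 ] || [ "$sni" -lt 2 ]; then
        echo "leaf-only chain seen: set SSLCertificateChainFile in every SSL vhost, the default one included" >&2
        return 1
    fi
}

# Constructed samples shaped like the s_client output quoted in the thread:
# one with only the leaf, one with the full three-certificate chain.
LEAF_ONLY='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example/CN=strategic.wiki.csupomona.edu
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Server certificate'
FULL_CHAIN='Certificate chain
 0 s:/C=US/O=Example/CN=strategic.wiki.csupomona.edu
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./CN=thawte Primary Root CA
   i:/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
---'

if [ "$#" -gt 0 ]; then probe "$@"; fi
```

Run it as `sh probe.sh strategic.wiki.csupomona.edu`; a count below 2 on either connection means that vhost is sending only the leaf.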


Intermediate root CA's -- lost and confused :(

2010-09-13 Thread Paul B. Henson
'.
- Peer's certificate is trusted


Why won't openssl verify the cert? It seems to stop and give up right after
seeing the server cert, rather than downloading the rest of the certs in
the chain. I'm assuming this is why all of the tools built on top of
openssl (wget, ldapsearch, etc) are all failing:


$ wget https://strategic.wiki.csupomona.edu/
--2010-09-13 12:55:57--  https://strategic.wiki.csupomona.edu/
Resolving strategic.wiki.csupomona.edu... 134.71.247.55
Connecting to strategic.wiki.csupomona.edu|134.71.247.55|:443... connected.
ERROR: cannot verify strategic.wiki.csupomona.edu's certificate, issued by
/C=US/O=Thawte, Inc./CN=Thawte SSL CA:
  Unable to locally verify the issuer's authority.


But again, a server with a directly signed cert works fine:


$ wget https://www.csupomona.edu/
--2010-09-13 12:57:27--  https://www.csupomona.edu/
Resolving www.csupomona.edu... 134.71.177.148
Connecting to www.csupomona.edu|134.71.177.148|:443... connected.
HTTP request sent, awaiting response... 200 OK



Any help much appreciated, thanks...




RE: Intermediate root CA's -- lost and confused :(

2010-09-13 Thread Paul B. Henson
On Mon, 13 Sep 2010, Ashish Thapliyal wrote:

> From the openssl s_client log it looks like the server is not sending the
> whole certificate chain.  You should be seeing something like: root
> cert intermediate cert your cert
>
> I am not familiar with apache, but from the documentation at
> http://www.apache-ssl.org/docs.html#SSLCACertificateFile, my guess is
> that you have not added all the intermediate roots to the
> CACertificatesFile

Thanks for the response. I'm pretty sure the web server is configured
correctly. Before I added the CACertificatesFile directive, I was getting
security errors from firefox/IE/et al; whereas after I added it web
browsers seem to be working fine.

Also, gnutls-client works correctly and lists the entire CA chain, which
would also seem to indicate the server is supplying them.




Re: Intermediate root CA's -- lost and confused :(

2010-09-13 Thread Paul B. Henson
On Mon, 13 Sep 2010, Chris wrote:

> Be careful you are not checking the web server from a browser that has
> the intermediate certificate installed.

I initially installed just the new cert on the web server, and the web
browsers were generating cert security errors. I then went back and added
the SSLCACertificateFile directive and the intermediate certs on the
server; at that point the web browsers were happy. This leads me to believe
the web server is correctly configured.

> openssl s_client -verify 10 -CAfile thawte_root_cert.pem -connect
> strategic.wiki.csupomona.edu:443

I had output from a similar command in my initial email without the verify
option; it still fails with it:

-
$ openssl s_client -verify 10 -CAfile 
/etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect 
strategic.wiki.csupomona.edu:443
verify depth is 10
CONNECTED(0003)
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-

gnutls-client on the same box works fine, listing the entire certificate
chain:

-
$ gnutls-cli --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem
strategic.wiki.csupomona.edu -p 443
Processed 1 CA certificate(s).
Resolving 'strategic.wiki.csupomona.edu'...
Connecting to '134.71.247.55:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=California,L=Pomona,O=California State Polytechnic
University\, Pomona,OU=I&IT
Systems,CN=strategic.wiki.csupomona.edu', issuer `C=US,O=Thawte\,
Inc.,CN=Thawte SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated
`2010-09-10 00:00:00 UTC', expires `2011-09-10 23:59:59 UTC', SHA-1
fingerprint `57292bcd7541c56c7b664705f0192b43a927056c'
 - Certificate[1] info:
  - subject `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', issuer
`C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006
thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', RSA key
2048 bits, signed using RSA-SHA1, activated `2010-02-08 00:00:00 UTC',
expires `2020-02-07 23:59:59 UTC', SHA-1 fingerprint
`73e42686657aece354fbf685712361658f2f4357'
 - Certificate[2] info:
  - subject `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c)
2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA',
issuer `C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting
cc,OU=Certification Services Division,CN=Thawte Premium Server
CA,email=premium-ser...@thawte.com', RSA key 2048 bits, signed using
RSA-SHA1, activated `2006-11-17 00:00:00 UTC', expires `2020-12-30 23:59:59
UTC', SHA-1 fingerprint `1fa490d1d4957942cd23545f6e823d796ea2'
- The hostname in the certificate matches 'strategic.wiki.csupomona.edu'.
- Peer's certificate is trusted
-

As far as I can tell the web server is configured correctly, as web
browsers and gnutls are happy with it. It's just openssl and applications
that use it that seem to be failing for reasons I haven't determined.

Thanks...




Re: Intermediate root CA's -- lost and confused :(

2010-09-13 Thread Paul B. Henson
On Mon, 13 Sep 2010, Tim Hudson wrote:

> Try gnutls without the TLS extensions processing occurring and you will
> see that the server is not sending back the certificate chain:

Hmm, so the server isn't volunteering the chain, but if the client is smart
enough to ask for it, it will provide it :)?

> This fails. You need to correct your server configuration so that it
> correctly sends out the chain.

I'm using bog-standard apache with mod_ssl, currently version 2.2.14. The
instructions from Thawte were to use the SSLCACertificateFile directive in
the config pointing to a file they provided containing two certs (the
thawte Primary Root CA followed by the Thawte SSL CA). My server cert
is signed by the Thawte SSL CA, and my openssl client has the Thawte
Premium Server CA cert installed on it.

This didn't work, as you point out it seems the server is not sending the
chain. Per an off list discussion, I've changed my config and am now using
the SSLCertificateChainFile directive instead (which seems to be the better
way to do it). I also reversed the order of the certs in the file per a
forum thread I found indicating they should be in order of verification.

That's still not working, no chain from the server.

Presumably somebody has one of these new Thawte certs installed under
apache working correctly, could one of those somebodies possibly post what
apache configuration directives they are using, and what certificates in
what order are present in the intermediate ca file they are using? That
would be greatly appreciated :).

Thanks...


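An added example (not from the thread) for the certificate-order question in the message above: SSLCertificateChainFile expects the intermediates in verification order, starting with the CA that issued the server certificate. The script splits a PEM bundle, lists each certificate's subject and issuer with the openssl CLI, and checks that the links line up; the function names and the subject|issuer listings below are constructed for this example, using the CA names from the gnutls output in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. SSLCertificateChainFile expects the
# intermediates in verification order: first the CA that signed the server
# cert, then the CA that signed that one, and so on toward the root.
# pairs() lists "subject|issuer" for each cert in a PEM bundle (assumes the
# openssl CLI); check_order() verifies the links in such a listing.

# pairs BUNDLE.pem: one "subject|issuer" line per certificate, in file order.
pairs() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (sprintf("%s/%03d.pem", d, n)) }' "$1"
    for f in "$tmp"/*.pem; do
        s=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        printf '%s|%s\n' "$s" "$i"
    done
    rm -rf "$tmp"
}

# check_order LEAF_ISSUER: read subject|issuer lines on stdin. The first
# subject must be LEAF_ISSUER and every later subject must equal the issuer
# of the line before it. Prints OK, or the first broken link and returns 1.
check_order() {
    want=$1
    n=0
    while IFS='|' read -r subject issuer; do
        n=$((n + 1))
        if [ "$subject" != "$want" ]; then
            echo "cert $n: expected subject '$want' but found '$subject'"
            return 1
        fi
        want=$issuer
    done
    echo "OK: $n certificate(s) in verification order"
}

# Constructed listings matching the intermediates in the gnutls output in
# this thread, once in the correct order and once reversed.
LEAF_ISSUER='/C=US/O=Thawte, Inc./CN=Thawte SSL CA'
GOOD_ORDER='/C=US/O=Thawte, Inc./CN=Thawte SSL CA|/C=US/O=thawte, Inc./CN=thawte Primary Root CA
/C=US/O=thawte, Inc./CN=thawte Primary Root CA|/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA'
REVERSED='/C=US/O=thawte, Inc./CN=thawte Primary Root CA|/C=ZA/O=Thawte Consulting cc/CN=Thawte Premium Server CA
/C=US/O=Thawte, Inc./CN=Thawte SSL CA|/C=US/O=thawte, Inc./CN=thawte Primary Root CA'

# Real use: sh chain_order.sh chain.pem server.pem
if [ "$#" -eq 2 ]; then
    pairs "$1" | check_order "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')"
fi
```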


Re: Intermediate root CA's -- lost and confused :( **SOLVED**

2010-09-13 Thread Paul B. Henson
On Mon, 13 Sep 2010, Tim Hudson wrote:

> You need to correct your server configuration so that it correctly sends
> out the chain.

Ok, I figured out what was wrong. I only had the SSLCertificateChainFile
configured in the specific ssl virtual host, but not the default ssl
virtual host. When I added the SSLCertificateChainFile to the default
virtual host config as well as the specific ssl virtual host the server
started sending the chain.

That was a very frustrating and confusing ordeal 8-/. It's weird that the
browsers started working when I added it just to the specific ssl virtual
host config; that led me to believe the server was configured correctly
when it wasn't.

Thanks much to everybody that helped!

