On Wed, Oct 8, 2014 at 6:03 PM, dE <de.tec...@gmail.com> wrote:

> On 10/08/14 10:18, Igor Cicimov wrote:
>
> On Wed, Oct 8, 2014 at 2:27 PM, dE <de.tec...@gmail.com> wrote:
>
>> On 10/08/14 05:18, Igor Cicimov wrote:
>>
>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.tec...@gmail.com> wrote:
>>
>>> On 10/07/14 18:12, Igor Cicimov wrote:
>>>
>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.tec...@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> I'm in a situation where I got 3 certificates
>>>>
>>>> server.pem -- the end user certificate which is sent by the server to
>>>> the client.
>>>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>>>> key.
>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>>
>>>> combined.pem is created by --
>>>>
>>>> cat server.pem intermediate.pem > combined.pem
>>>>
>>>> Issuer.pem is installed in the web browser.
>>>>
>>>> The chain is working, I can verify this via the SSL command --
>>>>
>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>> server.pem: OK
>>>>
>>>> However the browsers (FF, Chrome, Konqueror and wget) fail
>>>> authentication, claiming there are no certificates to verify server.pem's
>>>> signature.
>>>>
>>>> I'm using Apache 2.4.10 with the following --
>>>>
>>>> SSLCertificateFile /tmp/combined.pem
>>>> SSLCertificateKeyFile /tmp/server.key
>>>>
>>> Try this:
>>>
>>> $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>
>>> SSLCertificateFile server.pem
>>> SSLCertificateKeyFile server.key
>>> SSLCertificateChainFile CA_chain.pem
>>>
>>> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with
>>> 2.4) with the same issue.
>>>
>> Hmm in that case you have something mixed up or simply this can not work
>> for self signed certificates since this is exactly what I'm using on Apache
>> 2.2.24/26 on all our company web sites: a certificate signed by CA
>> authority and a chain certificate file where the authorities CA and
>> Intermediate certs have been concatenated.
>>
>> Can you show us the output of:
>>
>> openssl x509 -noout -in cert.pem -text
>>
>> for all your certificates?
>>
>> $ openssl x509 -noout -in server.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Validity
>>             Not Before: Oct  7 08:43:42 2014 GMT
>>             Not After : Oct  2 08:43:42 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
>>                     6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
>>                     81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
>>                     b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
>>                     e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
>>                     7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
>>                     44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
>>                     3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
>>                     26:3f:36:cc:29:f0:69:2b:79
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>          4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
>>          b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
>>          33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
>>          a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
>>          c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
>>          b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
>>          ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
>>          7c:fe
>>
>> $ openssl x509 -noout -in intermediate.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:42:05 2014 GMT
>>             Not After : Oct  2 08:42:05 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
>>                     f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
>>                     df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
>>                     2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
>>                     df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
>>                     14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
>>                     78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
>>                     f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
>>                     3a:fd:f3:d1:f0:27:49:f4:c3
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>          0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
>>          0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
>>          5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
>>          dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
>>          96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
>>          51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
>>          8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
>>          57:8d
>>
>> $ openssl x509 -noout -in issuer.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:40:29 2014 GMT
>>             Not After : Oct  7 08:40:29 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                     00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
>>                     7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
>>                     72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
>>                     26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
>>                     af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
>>                     e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
>>                     d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
>>                     af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
>>                     05:d0:5c:50:0f:8f:3f:c4:d5
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>          3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
>>          70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
>>          96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
>>          82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
>>          9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
>>          f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
>>          40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
>>          68:bf
>>
>
> And the output from the below command executed from the client you are
> running wget from:
>
> openssl s_client -connect <your_server>:443
>
> You should see some output with lots of information regarding the ssl
> connection, the server certificate and something like this:
>
> ---
> Certificate chain
>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
> which will confirm the complete chain is being received by the client.
> If you see something like this at the bottom:
>
> Verify return code: 19 (self signed certificate in certificate chain)
>
> means you haven't properly imported the CA chain on the client. In case
> of wget or curl or other terminal tools this is done on OS level so you
> would need to consult the OS documentation about importing certificates.
>
> You can find more about openssl tool set here:
> https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl
> troubleshooting.
>
> $ openssl s_client -connect server:443
> gethostbyname failure
> CONNECTED(00000003)
> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
> VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
> EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
> MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
> CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
> SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
> eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
> fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
> 8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
> LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
> DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
> YdtP4bzc8AetHHz+
> -----END CERTIFICATE-----
> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2391 bytes and written 498 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>     Session-ID-ctx:
>     Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     0000 - b9 a3 67 f3 a1 e1 2f 40-90 64 09 db ef 26 4d b2   ..g.../@.d...&M.
>     0010 - e8 a3 c2 25 30 d6 df af-8c 4d d3 19 20 83 bb c3   ...%0....M.. ...
>     0020 - 6f a9 51 a3 3a 2f f5 43-1e a8 9d 1e 49 25 67 43   o.Q.:/.C....I%gC
>     0030 - f0 05 3f 75 50 c8 49 2b-be 44 d2 72 58 14 2e f6   ..?uP.I+.D.rX...
>     0040 - 55 a5 ba 0a 34 34 92 9f-cc 8b c1 30 55 f1 69 c0   U...44.....0U.i.
>     0050 - df f8 3d 08 38 37 11 46-90 9d 88 6c ce 48 5d 79   ..=.87.F...l.H]y
>     0060 - 96 bb 5a 23 56 4d e9 c3-2f 17 d9 11 45 47 fb 2b   ..Z#VM../...EG.+
>     0070 - 05 1a cb 92 52 13 52 e6-72 16 44 51 3f 66 90 88   ....R.R.r.DQ?f..
>     0080 - f9 2e 46 ad 44 23 5b 75-f9 69 7c 6b c0 0f 83 42   ..F.D#[u.i|k...B
>     0090 - 33 c0 c1 6b 6a f8 23 55-ee 18 0c 32 f9 5a 81 6b   3..kj.#U...2.Z.k
>     00a0 - 1b 4e a4 42 14 56 54 66-1d 20 2e 53 95 df 24 f5   .N.B.VTf. .S..$.
>     00b0 - c6 4c 8a e2 ed bc 21 d9-ef a1 8c fb 51 36 51 8d   .L....!.....Q6Q.
>
>     Start Time: 1412751118
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> DONE
>
> I even tried copying issuer.pem to /etc/ssl/certs
>
> With the same error no. 19 in the chain.
>
> Thanks for this command. It's truly useful. That FF extension shows only 1
> certificate received.
>
You need to point the tool to the CA path like this:

$ openssl s_client -connect server:443 -CApath /etc/ssl/certs

then the cert will get properly validated.
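A check worth making against the certificate dumps quoted above, added here as an example and not part of the thread: all three dumps say "Version: 1". A v1 certificate carries no X.509v3 extensions, so the intermediate has no basicConstraints CA:TRUE. RFC 5280 section 6.1.4(k) permits a verifier to reject any v1 intermediate outright, and browser path builders generally do (Firefox's verifier, for one, refuses to treat a non-anchor certificate without basicConstraints as a CA), which fits the observation that the browser extension shows only one certificate even though s_client shows all three arriving. Two further caveats: the -CApath answer above only fixes the openssl client's own trust store, and a -CApath directory has to be hashed (openssl rehash, or c_rehash on older releases) before s_client will find anything in it; and the original verify command placed the intermediate inside -CAfile, which makes it a trusted certificate and therefore never exercises the chain the server actually sends. The script below rebuilds the issuer/intermediate/server layout from the thread with v3 CA certificates, writes the combined file that Apache 2.4.8 and later accept in SSLCertificateFile (leaf first, then intermediates, no root; SSLCertificateChainFile is deprecated from that release), reports each certificate's version and CA bit, lists a bundle's certificates in file order as an offline stand-in for the "Certificate chain" block of s_client, and verifies the leaf the way a client does: only the root in -CAfile, the intermediate offered with -untrusted. The subjects, file names, scratch directory and 30-day lifetimes are assumptions of this example; it needs only openssl and a POSIX shell.

```sh
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway three-level PKI
# (issuer -> intermediate -> server, the names used in the thread) whose CA
# certificates are X.509v3 with basicConstraints CA:TRUE, lays the files out
# the way Apache 2.4.8+ expects, and verifies the chain the way a client does.
# Assumptions: openssl on PATH; scratch directory from mktemp unless $WORK is set.
set -e

WORK=${WORK:-$(mktemp -d)}

# Minimal req(1) config. req insists on a distinguished_name section even
# though every subject below is passed with -subj; ca_ext and leaf_ext are
# the extension sets applied when signing.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server
EOF

make_pki() {
    # Root: self-signed v3 CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj '/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer' \
        -config "$WORK/req.cnf" -extensions ca_ext \
        -keyout "$WORK/issuer.key" -out "$WORK/issuer.pem" 2>/dev/null
    # Intermediate: CSR signed by the root, CA:TRUE taken from ca_ext.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/C=AU/ST=Some-State/O=intermediate/CN=intermediate' \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/intermediate.csr" -sha256 -days 30 \
        -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions ca_ext \
        -out "$WORK/intermediate.pem" 2>/dev/null
    # Leaf: CSR signed by the intermediate, explicitly CA:FALSE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/C=AU/ST=Some-State/O=server/OU=IT/CN=server' \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -sha256 -days 30 \
        -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions leaf_ext \
        -out "$WORK/server.pem" 2>/dev/null
    # What Apache 2.4.8+ takes in SSLCertificateFile: leaf first, then the
    # intermediate(s). The root is left out; clients must already trust it.
    cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/combined.pem"
}

# Version number from the text dump ("Version: 3 (0x2)" -> 3). The thread's
# certificates are all version 1 and so cannot carry basicConstraints.
cert_version() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# Succeeds only if the certificate asserts basicConstraints CA:TRUE, which
# RFC 5280 6.1.4(k) requires of every intermediate in a path.
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Subject and issuer of each certificate in a PEM bundle, in file order: an
# offline way to see what the "Certificate chain" block of s_client will show.
bundle_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Client-style verification: only the root is trusted; the intermediate is
# supplied as untrusted, exactly as it arrives in the TLS handshake.
verify_chain() {
    openssl verify -CAfile "$WORK/issuer.pem" -untrusted "$WORK/intermediate.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# The browsers' situation in the thread: root trusted, no usable intermediate.
# Expected to fail ("unable to get local issuer certificate").
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/issuer.pem" "$WORK/server.pem" >/dev/null 2>&1
}

report() {
    for name in issuer intermediate server; do
        if is_ca_cert "$WORK/$name.pem"; then kind=CA:TRUE; else kind="not a CA"; fi
        printf '%-13s v%s  %s\n' "$name" "$(cert_version "$WORK/$name.pem")" "$kind"
    done
    if verify_chain; then echo 'chain with -untrusted intermediate: OK'; fi
    if ! verify_leaf_alone; then echo 'leaf without intermediate: FAILED (as a browser would)'; fi
    bundle_certs "$WORK/combined.pem" | grep 'subject='
}

make_pki
report
```

Run it as-is and the report should show all three certificates as v3, the two CAs with CA:TRUE, the leaf as "not a CA", the -untrusted verification passing, the root-only verification failing, and the bundle listing server before intermediate. To compare a real deployment, point bundle_certs at the file named in SSLCertificateFile, and run verify_chain's command with the production root in -CAfile: if that fails while the original "intermediate inside -CAfile" form passes, the problem is in the chain being served, not in the client's trust store.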