On Mon, Mar 25, 2024 at 11:55 AM Stanley Gilliam <stanley.x.gill...@gsk.com> wrote:
>
> I apologize for the miscommunication. Here is the output from the openssl
> command:
>
> [I am root!@uptus060-1:conf.d]# openssl s_client -connect hpc.gsk.com:443

You should use -servername here. It triggers Server Name Indication (SNI).

> CONNECTED(00000003)
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith
> Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith
> Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress =
> scientific_computing_supp...@gsk.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
>    i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGbjCCBFagAwIBAgITEQAABQ+0dA0YF873AQAAAAAFDzANBgkqhkiG9w0BAQsF
> ADBlMRMwEQYKCZImiZPyLGQBGRYDY29tMRgwFgYKCZImiZPyLGQBGRYIY29ycG5l
> dDExGTAXBgoJkiaJk/IsZAEZFgl3bXNlcnZpY2UxGTAXBgNVBAMTEEdTSyBJc3N1
> aW5nIENBIDEwHhcNMjQwMzA4MTcyMDU1WhcNMjUwMzA4MTcyMDU1WjCBtTELMAkG
> A1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEZMBcGA1UEBxMQVXBwZXIg
> UHJvdmlkZW5jZTEaMBgGA1UEChMRR2xheG8gU21pdGggS2xpbmUxDTALBgNVBAsT
> BFNSQ0ExFDASBgNVBAMTC2hwYy5nc2suY29tMTMwMQYJKoZIhvcNAQkBFiRzY2ll
> bnRpZmljX2NvbXB1dGluZ19zdXBwb3J0QGdzay5jb20wggEiMA0GCSqGSIb3DQEB
> AQUAA4IBDwAwggEKAoIBAQC1Cr+j9j5/739k+sHHiMDMvhprJmDHazw0UI1rPX7j
> W9wPg2kYHnP+jv33j7DB6vE/opCFVOgHTV3Lc7by3QBZAG142GPVSvu51k2syB+r
> AooW5a7onwaqZRKRSQX0NkHI4vSRHjVh9/0zxX6aPX6ygDyDKWOPslQ/71SFCyuZ
> /bgt/HMXeTP1WaT5u13lj5XtbRejx1WMu3HoRLguXZ6pBa5M5KNc9CaJJcnuTLzm
> 0152G1As1mkLJ2wm0PqzhXADoqXfnotBvZcSKov4+vYSSFB+7RUVLjdUVkRieDCK
> MBsGm+ufxUhWAxXnlC2b9NmM0XV7fr98V8WZD2D2sL4PAgMBAAGjggHEMIIBwDAv
> BgNVHREEKDAmggtocGMuZ3NrLmNvbYIXdXB0dXMwNjAtMS5jb3JwbmV0Mi5jb20w
> HQYDVR0OBBYEFAVcViHs7XlTuBk8aN7489VTL4pIMB8GA1UdIwQYMBaAFKvPJYEQ
> 0/UAImqrIU7r9upTKxjpMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9wa2kuZ3Nr
> LmNvbS9jZHAvR1NLJTIwSXNzdWluZyUyMENBJTIwMS5jcmwwcgYIKwYBBQUHAQEE
> ZjBkMD0GCCsGAQUFBzAChjFodHRwOi8vcGtpLmdzay5jb20vY2RwL0dTSyUyMElz
> c3VpbmclMjBDQSUyMDEuY3J0MCMGCCsGAQUFBzABhhdodHRwOi8vcGtpLmdzay5j
> b20vb2NzcDAOBgNVHQ8BAf8EBAMCBaAwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGC
> NxUI6vIrg/quQIX1kxyFkoFCheT+WYFUhq3CJ4KPsXwCAWQCAT8wHQYDVR0lBBYw
> FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUH
> AwEwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAD0zCO/K/11ycaNA3scY
> SpT8Tqzc5wJToeC+EEyk+fCbwBaOfoPiDNLUC4jsG8kLtb1Z4XhBMa7eGmz3Xt58
> ubVC5C4QW/AJI0v0oJU3atJoPk5h8iERGzolEHnbpvt1dLDpmwFzid6APzavixem
> v1FC0jmD2tk5W2HSaMCZ8Qbt8B9uSwyknxLwjc4oyMxs1Oq1Jtsv8HCzC4Bi9yd6
> RYbB4uNAvULBSK5RoIjgsONfE42fnJKPCS1TBPWkjlROlmhyvi76NNoPl4GlS+eM
> pv9FB+Q7xcYTrfoygvEy6lvPCgQ3AqFcVmbQg5dEBMthPAymBHAdQHkjbKfVJd5X
> W8CFmsZ7pD8nmj5lfzT4SpkiMj59U0bj2e8FfLWQybtiGCGFO9M/nZdOHQndxHua
> O8bJzWs4rCy9hw+iOHZEUEe06m+mc+rLPN7DTO1rQOAk/BdakIauQyMTh5oYQ2mM
> us+7YUwZrNidZv9xfAJZc+zmnaumoGIbxkKChSfwhtb5L8uFnfQc6XDNaYUVKvwi
> XV9OQgiymXkGAp8Ai5eVv881BirqQkHyAtbUdpazUF5jlxreowp24NSAa/rWLa6p
> RKqS9aPC2lOfR2Kysv1SvJgst1OvtckqKsdlunGxRUH5gInwn7gzzmovCeWiD3+F
> GzKWlw6feJiNivlqBH1QwP39
> -----END CERTIFICATE-----
> subject=/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith
> Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
> issuer=/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2341 bytes and written 427 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> F8C2904FEE4CA89D0F03B21E4D8E16B120419D3F0737265AAC27452DD5BAD62E
>     Session-ID-ctx:
>     Master-Key:
> 4D6D3D158228C520B36FF399795D8B847ADF21E2559CDB3EC0CDE8E8AF322B1397B9531598C5CA1215385F6CE8113248
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - 33 fa b8 44 6b 0f fe 61-e5 14 06 66 19 9d 0e 73   3..Dk..a...f...s
>     0010 - 8f 06 54 21 20 97 7d ac-2c c4 12 91 c8 c0 c7 7f   ..T! .}.,.......
>     0020 - 09 8a c8 13 0a 58 fc 16-e2 f3 96 67 c6 d6 d5 58   .....X.....g...X
>     0030 - ab 60 47 fc 66 22 17 8b-04 73 fd 2d a5 62 c4 35   .`G.f"...s.-.b.5
>     0040 - e8 dc 3a a9 e6 37 ba 2a-ea 05 0d ea fb 5a 01 80   ..:..7.*.....Z..
>     0050 - 88 9e 6a 5d 7b ae 21 8f-89 32 af ae 0c 52 20 27   ..j]{.!..2...R '
>     0060 - 2f 1b 8e ae 18 82 54 c0-ee e4 b9 bb 1e 71 be db   /.....T......q..
>     0070 - c3 0e 36 9f 0b ce a4 2e-be dc 1d 3f 10 01 08 71   ..6........?...q
>     0080 - ae 74 b1 d4 1f ce 46 a3-94 54 93 ad 67 4a 72 15   .t....F..T..gJr.
>     0090 - 93 5a 46 0c 84 35 f2 b6-7e 2d 7a 07 b5 7a ca 47   .ZF..5..~-z..z.G
>     00a0 - 88 8f 1a fa 78 cc 49 26-12 26 54 0d 27 5d f6 a3   ....x.I&.&T.'].. 
>     00b0 - 43 d1 2b 7d c6 6f b9 19-32 a8 56 35 9a 1c 31 97   C.+}.o..2.V5..1.
>
>     Start Time: 1711376647
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> :q!
> HTTP/1.1 400 Bad Request
> Date: Mon, 25 Mar 2024 14:24:13 GMT
> Server: Apache
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br />
> </p>
> </body></html>
> read:errno=0

$ export cert='-----BEGIN CERTIFICATE-----
MIIGbjCCBFagAwIBAgITEQAABQ+0dA
[...]
GzKWlw6feJiNivlqBH1QwP39
-----END CERTIFICATE-----'

Then:

$ echo "$cert" | openssl x509 -inform PEM -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:00:00:05:0f:b4:74:0d:18:17:ce:f7:01:00:00:00:00:05:0f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1
        Validity
            Not Before: Mar 8 17:20:55 2024 GMT
            Not After : Mar 8 17:20:55 2025 GMT
        Subject: C = US, ST = Pennsylvania, L = Upper Providence, O = Glaxo Smith Kline, OU = SRCA, CN = hpc.gsk.com, emailAddress = scientific_computing_supp...@gsk.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:0a:bf:a3:f6:3e:7f:ef:7f:64:fa:c1:c7:88:
                    c0:cc:be:1a:6b:26:60:c7:6b:3c:34:50:8d:6b:3d:
                    7e:e3:5b:dc:0f:83:69:18:1e:73:fe:8e:fd:f7:8f:
                    b0:c1:ea:f1:3f:a2:90:85:54:e8:07:4d:5d:cb:73:
                    b6:f2:dd:00:59:00:6d:78:d8:63:d5:4a:fb:b9:d6:
                    4d:ac:c8:1f:ab:02:8a:16:e5:ae:e8:9f:06:aa:65:
                    12:91:49:05:f4:36:41:c8:e2:f4:91:1e:35:61:f7:
                    fd:33:c5:7e:9a:3d:7e:b2:80:3c:83:29:63:8f:b2:
                    54:3f:ef:54:85:0b:2b:99:fd:b8:2d:fc:73:17:79:
                    33:f5:59:a4:f9:bb:5d:e5:8f:95:ed:6d:17:a3:c7:
                    55:8c:bb:71:e8:44:b8:2e:5d:9e:a9:05:ae:4c:e4:
                    a3:5c:f4:26:89:25:c9:ee:4c:bc:e6:d3:5e:76:1b:
                    50:2c:d6:69:0b:27:6c:26:d0:fa:b3:85:70:03:a2:
                    a5:df:9e:8b:41:bd:97:12:2a:8b:f8:fa:f6:12:48:
                    50:7e:ed:15:15:2e:37:54:56:44:62:78:30:8a:30:
                    1b:06:9b:eb:9f:c5:48:56:03:15:e7:94:2d:9b:f4:
                    d9:8c:d1:75:7b:7e:bf:7c:57:c5:99:0f:60:f6:b0:
                    be:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:hpc.gsk.com, DNS:uptus060-1.corpnet2.com
            X509v3 Subject Key Identifier:
                05:5C:56:21:EC:ED:79:53:B8:19:3C:68:DE:F8:F3:D5:53:2F:8A:48
            X509v3 Authority Key Identifier:
                AB:CF:25:81:10:D3:F5:00:22:6A:AB:21:4E:EB:F6:EA:53:2B:18:E9
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crl
            Authority Information Access:
                CA Issuers - URI:http://pki.gsk.com/cdp/GSK%20Issuing%20CA%201.crt
                OCSP - URI:http://pki.gsk.com/ocsp
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
                0..&+.....7....+...@.......B...Y.T...'...|..d..?
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            1.3.6.1.4.1.311.21.10:
                0.0 ..+.......0 ..+.......
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3d:33:08:ef:ca:ff:5d:72:71:a3:40:de:c7:18:4a:94:fc:4e:
        ac:dc:e7:02:53:a1:e0:be:10:4c:a4:f9:f0:9b:c0:16:8e:7e:
        83:e2:0c:d2:d4:0b:88:ec:1b:c9:0b:b5:bd:59:e1:78:41:31:
        ae:de:1a:6c:f7:5e:de:7c:b9:b5:42:e4:2e:10:5b:f0:09:23:
        4b:f4:a0:95:37:6a:d2:68:3e:4e:61:f2:21:11:1b:3a:25:10:
        79:db:a6:fb:75:74:b0:e9:9b:01:73:89:de:80:3f:36:af:8b:
        17:a6:bf:51:42:d2:39:83:da:d9:39:5b:61:d2:68:c0:99:f1:
        06:ed:f0:1f:6e:4b:0c:a4:9f:12:f0:8d:ce:28:c8:cc:6c:d4:
        ea:b5:26:db:2f:f0:70:b3:0b:80:62:f7:27:7a:45:86:c1:e2:
        e3:40:bd:42:c1:48:ae:51:a0:88:e0:b0:e3:5f:13:8d:9f:9c:
        92:8f:09:2d:53:04:f5:a4:8e:54:4e:96:68:72:be:2e:fa:34:
        da:0f:97:81:a5:4b:e7:8c:a6:ff:45:07:e4:3b:c5:c6:13:ad:
        fa:32:82:f1:32:ea:5b:cf:0a:04:37:02:a1:5c:56:66:d0:83:
        97:44:04:cb:61:3c:0c:a6:04:70:1d:40:79:23:6c:a7:d5:25:
        de:57:5b:c0:85:9a:c6:7b:a4:3f:27:9a:3e:65:7f:34:f8:4a:
        99:22:32:3e:7d:53:46:e3:d9:ef:05:7c:b5:90:c9:bb:62:18:
        21:85:3b:d3:3f:9d:97:4e:1d:09:dd:c4:7b:9a:3b:c6:c9:cd:
        6b:38:ac:2c:bd:87:0f:a2:38:76:44:50:47:b4:ea:6f:a6:73:
        ea:cb:3c:de:c3:4c:ed:6b:40:e0:24:fc:17:5a:90:86:ae:43:
        23:13:87:9a:18:43:69:8c:ba:cf:bb:61:4c:19:ac:d8:9d:66:
        ff:71:7c:02:59:73:ec:e6:9d:ab:a6:a0:62:1b:c6:42:82:85:
        27:f0:86:d6:f9:2f:cb:85:9d:f4:1c:e9:70:cd:69:85:15:2a:
        fc:22:5d:5f:4e:42:08:b2:99:79:06:02:9f:00:8b:97:95:bf:
        cf:35:06:2a:ea:42:41:f2:02:d6:d4:76:96:b3:50:5e:63:97:
        1a:de:a3:0a:76:e0:d4:80:6b:fa:d6:2d:ae:a9:44:aa:92:f5:
        a3:c2:da:53:9f:47:62:b2:b2:fd:52:bc:98:2c:b7:53:af:b5:
        c9:2a:2a:c7:65:ba:71:b1:45:41:f9:80:89:f0:9f:b8:33:ce:
        6a:2f:09:e5:a2:0f:7f:85:1b:32:96:97:0e:9f:78:98:8d:8a:
        f9:6a:04:7d:50:c0:fd:fd

The issuer of the end entity (web server) certificate is 'GSK Issuing CA 1'. That is this line:

    Issuer: DC = com, DC = corpnet1, DC = wmservice, CN = GSK Issuing CA 1

The intermediate certificate must be sent by the server to the client. So next look at the chain:

    openssl s_client -connect hpc.gsk.com:443 -servername hpc.gsk.com -showcerts

Please post the output.

The Root CA -- the one where the subject == issuer -- is optional. It might have a name like 'GSK Root CA', and it would have been used to issue 'GSK Issuing CA 1'. The server can send root CA; or the server can forgo sending the root CA. The RFC makes sending it optional.

But the server _must_ send all intermediate certificates used to validate the chain (called 'path building' in PKI). It is required by the RFCs. And the client _must_ trust the root.

Jeff
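The path-building rule Jeff states above (each issuer must be the subject of the next certificate the server sends; only the root may be left out, and the client must trust it) can be checked mechanically against the "Certificate chain" section that `openssl s_client -servername HOST -showcerts` prints. The following Python is an added example, not code from this thread or from OpenSSL. It parses that text listing rather than the certificates themselves. The first sample is the chain section exactly as posted above (with the mail client's line wrap undone); the second chain and the trust-store contents are constructed, and the 'GSK Root CA' name is the same guess Jeff makes, since the real root name does not appear in the thread.

```python
"""Check an `openssl s_client -showcerts` "Certificate chain" listing the way
a client performs path building.  Added example; parses the text listing."""
import re


class ChainEntry:
    """One 's:' / 'i:' pair from the Certificate chain listing."""

    def __init__(self, depth, subject):
        self.depth = depth
        self.subject = subject
        self.issuer = None

    def is_self_signed(self):
        return self.subject == self.issuer


_ENTRY_RE = re.compile(r"^(\d+)\s+s:(.*)$")


def parse_chain(s_client_output):
    """Extract the entries between 'Certificate chain' and the next '---'.
    Handles both the old '/C=US/...' and the new 'C = US, ...' name style,
    because names are only ever compared as whole strings."""
    entries = []
    in_chain = False
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line == "---":
            break
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip()))
        elif line.startswith("i:") and entries:
            entries[-1].issuer = line[2:].strip()
    return entries


def check_chain(entries, trusted_root_subjects):
    """Return a list of problems; an empty list means the chain is complete.
    trusted_root_subjects stands in for the client's trust store."""
    if not entries:
        return ["server sent no certificates"]
    problems = []
    # Every link must be issued by the certificate that follows it.
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            problems.append(
                f"cert {cur.depth} is issued by '{cur.issuer}' but cert "
                f"{nxt.depth} has subject '{nxt.subject}': chain is broken")
    last = entries[-1]
    if last.is_self_signed():
        # Server chose to send the root (allowed); client must still trust it.
        if last.subject not in trusted_root_subjects:
            problems.append(f"self-signed root '{last.subject}' is not trusted")
    elif last.issuer not in trusted_root_subjects:
        # Matches openssl verify error 20: unable to get local issuer certificate.
        problems.append(
            f"chain stops at cert {last.depth} ('{last.subject}') whose issuer "
            f"'{last.issuer}' was neither sent by the server nor is a trusted "
            "root: an intermediate certificate is missing")
    return problems


# Chain section as posted in the thread: one certificate, no intermediate.
THREAD_CHAIN = """\
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Upper Providence/O=Glaxo Smith Kline/OU=SRCA/CN=hpc.gsk.com/emailAddress=scientific_computing_supp...@gsk.com
   i:/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Issuing CA 1
---
"""

# Constructed sample of a correctly configured server: leaf plus intermediate,
# root omitted, which is fine because the client already trusts it.
GOOD_CHAIN = """\
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=hpc.example.test
   i:/DC=test/DC=example/CN=Example Issuing CA 1
 1 s:/DC=test/DC=example/CN=Example Issuing CA 1
   i:/DC=test/DC=example/CN=Example Root CA
---
"""

# Hypothetical trust store; the GSK root name is a guess, as in the thread.
TRUST_STORE = {
    "/DC=com/DC=corpnet1/DC=wmservice/CN=GSK Root CA",
    "/DC=test/DC=example/CN=Example Root CA",
}


def diagnose(s_client_output, trusted=TRUST_STORE):
    return check_chain(parse_chain(s_client_output), trusted)


if __name__ == "__main__":
    for name, text in (("thread", THREAD_CHAIN), ("constructed", GOOD_CHAIN)):
        problems = diagnose(text)
        print(name + ":", "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run against the thread's listing it reports exactly the condition Jeff describes: the only certificate sent is the leaf, its issuer 'GSK Issuing CA 1' is not a root, so the intermediate is missing. The constructed chain passes even though the root is absent, which is the optional case the RFC allows.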