Posted to users@httpd.apache.org by dE <de...@gmail.com> on 2014/10/06 17:51:41 UTC

[users@httpd] Cannot get certificate chain to work.

Hi.

I'm in a situation where I got 3 certificates

server.pem -- the end user certificate which's sent by the server to the 
client.
intermediate.pem -- server.pem is signed by intermediate.pem's private key.
issuer.pem -- intermediate.pem is signed by issuer.pem's private key.

combined.pem is created by --

cat server.pem intermediate.pem > combined.pem

Issuer.pem is installed in the web browser.

The chain is working, I can verify this via the SSL command --

cat intermediate.pem issuer.pem > cert_bundle.pem
openssl verify -CAfile cert_bundle.pem server.pem
server.pem: OK

However the browsers (FF, Chrome, Konqueror and wget) fail 
authentication, claiming there are no certificates to verify 
server.pem's signature.

I'm using Apache 2.4.10 with the following --

SSLCertificateFile /tmp/combined.pem
SSLCertificateKeyFile /tmp/server.key

I can attach *.pem if you want.

Thanks for any assistance.



Re: [users@httpd] Cannot get certificate chain to work.

Posted by Daniel <df...@gmail.com>.
changelog in 2.4.8

" *) mod_ssl: Remove the hardcoded algorithm-type dependency for the
     SSLCertificateFile and SSLCertificateKeyFile directives, to enable
     future algorithm agility, and deprecate the SSLCertificateChainFile
     directive (obsoleted by SSLCertificateFile). [Kaspar Brand]"


2014-10-07 19:49 GMT+02:00 dE <de...@gmail.com>:

>  On 10/07/14 22:42, Daniel wrote:
>
> SSLCertificateChainFile is deprecated in 2.4 in favour of
> SSLCaCertificateFile
>
> 2014-10-07 16:59 GMT+02:00 dE <de...@gmail.com>:
>
>>   On 10/07/14 18:12, Igor Cicimov wrote:
>>
>>
>>
>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de...@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> I'm in a situation where I got 3 certificates
>>>
>>> server.pem -- the end user certificate which's sent by the server to the
>>> client.
>>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>>> key.
>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>
>>> combined.pem is created by --
>>>
>>> cat server.pem intermediate.pem > combined.pem
>>>
>>> Issuer.pem is installed in the web browser.
>>>
>>> The chain is working, I can verify this via the SSL command --
>>>
>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>> openssl verify -CAfile cert_bundle.pem server.pem
>>> server.pem: OK
>>>
>>> However the browsers (FF, Chrome, Konqueror and wget) fail
>>> authentication, claiming there are no certificates to verify server.pem's
>>> signature.
>>>
>>> I'm using Apache 2.4.10 with the following --
>>>
>>> SSLCertificateFile /tmp/combined.pem
>>> SSLCertificateKeyFile /tmp/server.key
>>>
>>>
>>  Try this:
>>
>>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>>
>>   SSLCertificateFile server.pem
>>   SSLCertificateKeyFile server.key
>>   SSLCertificateChainFile CA_chain.pem
>>
>>
>>  Tried this on Apache 2.2 (SSLCertificateChainFile does not work with
>> 2.4) with the same issue.
>>
>
>
> No, you can see it here --
>
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile
>
> when SSLCertificateFile
> <http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile>
> was extended to also load intermediate CA certificates from the server
> certificate file.
>
>

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/07/14 22:42, Daniel wrote:
> SSLCertificateChainFile is deprecated in 2.4 in favour of 
> SSLCaCertificateFile
>
> 2014-10-07 16:59 GMT+02:00 dE <de.techno@gmail.com 
> <ma...@gmail.com>>:
>
>     On 10/07/14 18:12, Igor Cicimov wrote:
>>
>>
>>     On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com
>>     <ma...@gmail.com>> wrote:
>>
>>         Hi.
>>
>>         I'm in a situation where I got 3 certificates
>>
>>         server.pem -- the end user certificate which's sent by the
>>         server to the client.
>>         intermediate.pem -- server.pem is signed by
>>         intermediate.pem's private key.
>>         issuer.pem -- intermediate.pem is signed by issuer.pem's
>>         private key.
>>
>>         combined.pem is created by --
>>
>>         cat server.pem intermediate.pem > combined.pem
>>
>>         Issuer.pem is installed in the web browser.
>>
>>         The chain is working, I can verify this via the SSL command --
>>
>>         cat intermediate.pem issuer.pem > cert_bundle.pem
>>         openssl verify -CAfile cert_bundle.pem server.pem
>>         server.pem: OK
>>
>>         However the browsers (FF, Chrome, Konqueror and wget) fail
>>         authentication, claiming there are no certificates to verify
>>         server.pem's signature.
>>
>>         I'm using Apache 2.4.10 with the following --
>>
>>         SSLCertificateFile /tmp/combined.pem
>>         SSLCertificateKeyFile /tmp/server.key
>>
>>
>>     Try this:
>>
>>     $ cat issuer.pem intermediate.pem > CA_chain.pem
>>
>>       SSLCertificateFile server.pem
>>       SSLCertificateKeyFile server.key
>>       SSLCertificateChainFile CA_chain.pem
>>
>
>     Tried this on Apache 2.2 (SSLCertificateChainFile does not work
>     with 2.4) with the same issue.
>
>

No, you can see it here --

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile

    when SSLCertificateFile
    <http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile>
    was extended to also load intermediate CA certificates from the
    server certificate file.


Re: [users@httpd] Cannot get certificate chain to work.

Posted by Daniel <df...@gmail.com>.
SSLCertificateChainFile is deprecated in 2.4 in favour of
SSLCaCertificateFile

2014-10-07 16:59 GMT+02:00 dE <de...@gmail.com>:

>  On 10/07/14 18:12, Igor Cicimov wrote:
>
>
>
> On Tue, Oct 7, 2014 at 2:51 AM, dE <de...@gmail.com> wrote:
>
>> Hi.
>>
>> I'm in a situation where I got 3 certificates
>>
>> server.pem -- the end user certificate which's sent by the server to the
>> client.
>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>> key.
>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>
>> combined.pem is created by --
>>
>> cat server.pem intermediate.pem > combined.pem
>>
>> Issuer.pem is installed in the web browser.
>>
>> The chain is working, I can verify this via the SSL command --
>>
>> cat intermediate.pem issuer.pem > cert_bundle.pem
>> openssl verify -CAfile cert_bundle.pem server.pem
>> server.pem: OK
>>
>> However the browsers (FF, Chrome, Konqueror and wget) fail
>> authentication, claiming there are no certificates to verify server.pem's
>> signature.
>>
>> I'm using Apache 2.4.10 with the following --
>>
>> SSLCertificateFile /tmp/combined.pem
>> SSLCertificateKeyFile /tmp/server.key
>>
>>
>  Try this:
>
>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>
>   SSLCertificateFile server.pem
>   SSLCertificateKeyFile server.key
>   SSLCertificateChainFile CA_chain.pem
>
>
> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4)
> with the same issue.
>

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/09/14 03:29, Igor Cicimov wrote:
>
>
> On 09/10/2014 3:46 AM, "dE" <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
> >
> > On 10/08/14 21:36, Eric Covener wrote:
> >>
> >>
> >> On Wed, Oct 8, 2014 at 12:00 PM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
> >>>
> >>> intermediate.pem must get installed automatically in the browsers 
> (at least in FF), but instead these browsers don't see the certificate.
> >>
> >>
> >> No, servers are expected to transmit the intermediate certificates.
> >>
> >
> > Yes, they get installed automatically after it's transmitted by the 
> server.
> >
> > Try a fresh FF profile. It'll not have any Microsoft (or MSIT) 
> certificates. Open Microsoft.com and you'll get a bunch of Microsoft 
> certificates installed in your certificate manager.
> >
> > Actually the problem is with intermediate.pem. I can't install it in 
> any of the web browser under the issuer.pem certificate. But openSSL 
> says it's 'verified'.
> >
> > This problem is out of scope of Apache.
>
> Weird. And this happens both in ff and chrome? Would be interesting if 
> you can test with different (older) versions of ff and chrome; maybe 
> the newer ones have some restrictions in terms of signatures or 
> something. May I ask how you generated the certificates? From what 
> you sent I couldn't see anything wrong with them, though, but will have 
> another look.
> That said, the browsers behave as expected with all CA-authority-signed 
> certificates I've been using.
>

Yes both FF and Chrome. BUT this works for KDE certificate management.

This's how they were generated --

openssl genpkey -out issuer.key -algorithm rsa
openssl genpkey -out intermediate.key -algorithm rsa
openssl genpkey -out server.key -algorithm rsa
openssl req -new -key issuer.key -out issuer.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key intermediate.key -out intermediate.csr
openssl x509 -req -days 365 -in issuer.csr -signkey issuer.key -out issuer.pem
openssl x509 -req -days 360 -in intermediate.csr -CA issuer.pem -CAkey issuer.key -CAcreateserial -out intermediate.pem
openssl x509 -req -days 360 -in server.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out server.pem

I'll see this with older version.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
On 09/10/2014 3:46 AM, "dE" <de...@gmail.com> wrote:
>
> On 10/08/14 21:36, Eric Covener wrote:
>>
>>
>> On Wed, Oct 8, 2014 at 12:00 PM, dE <de...@gmail.com> wrote:
>>>
>>> intermediate.pem must get installed automatically in the browsers (at
least in FF), but instead these browsers don't see the certificate.
>>
>>
>> No, servers are expected to transmit the intermediate certificates.
>>
>
> Yes, they get installed automatically after it's transmitted by the
server.
>
> Try a fresh FF profile. It'll not have any Microsoft (or MSIT)
certificates. Open Microsoft.com and you'll get a bunch of Microsoft
certificates installed in your certificate manager.
>
> Actually the problem is with intermediate.pem. I can't install it in any
of the web browser under the issuer.pem certificate. But openSSL says it's
'verified'.
>
> This problem is out of scope of Apache.

Weird. And this happens both in ff and chrome? Would be interesting if you
can test with different (older) versions of ff and chrome; maybe the
newer ones have some restrictions in terms of signatures or something. May
I ask how you generated the certificates? From what you sent I couldn't
see anything wrong with them, though, but will have another look.
That said, the browsers behave as expected with all CA-authority-signed
certificates I've been using.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/08/14 21:36, Eric Covener wrote:
>
> On Wed, Oct 8, 2014 at 12:00 PM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
>
>     intermediate.pem must get installed automatically in the browsers
>     (at least in FF), but instead these browsers don't see the
>     certificate.
>
>
> No, servers are expected to transmit the intermediate certificates.
>

Yes, they get installed automatically after it's transmitted by the server.

Try a fresh FF profile. It'll not have any Microsoft (or MSIT) 
certificates. Open Microsoft.com and you'll get a bunch of Microsoft 
certificates installed in your certificate manager.

Actually the problem is with intermediate.pem. I can't install it in any 
of the web browser under the issuer.pem certificate. But openSSL says 
it's 'verified'.

This problem is out of scope of Apache.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Eric Covener <co...@gmail.com>.
On Wed, Oct 8, 2014 at 12:00 PM, dE <de...@gmail.com> wrote:

> intermediate.pem must get installed automatically in the browsers (at
> least in FF), but instead these browsers don't see the certificate.


No, servers are expected to transmit the intermediate certificates.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/08/14 17:53, Igor Cicimov wrote:
>
>
> On 08/10/2014 9:16 PM, "dE" <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
> >
> > On 10/08/14 14:33, Igor Cicimov wrote:
> >>
> >>
> >>
> >> On Wed, Oct 8, 2014 at 6:03 PM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
> >>>
> >>> On 10/08/14 10:18, Igor Cicimov wrote:
> >>>>
> >>>> On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
> >>>>>
> >>>>> On 10/08/14 05:18, Igor Cicimov wrote:
> >>>>>>
> >>>>>>
> >>>>>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
> >>>>>>>
> >>>>>>> On 10/07/14 18:12, Igor Cicimov wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
> >>>>>>>>>
> >>>>>>>>> Hi.
> >>>>>>>>>
> >>>>>>>>> I'm in a situation where I got 3 certificates
> >>>>>>>>>
> >>>>>>>>> server.pem -- the end user certificate which's sent by the 
> server to the client.
> >>>>>>>>> intermediate.pem -- server.pem is signed by 
> intermediate.pem's private key.
> >>>>>>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's 
> private key.
> >>>>>>>>>
> >>>>>>>>> combined.pem is created by --
> >>>>>>>>>
> >>>>>>>>> cat server.pem intermediate.pem > combined.pem
> >>>>>>>>>
> >>>>>>>>> Issuer.pem is installed in the web browser.
> >>>>>>>>>
> >>>>>>>>> The chain is working, I can verify this via the SSL command --
> >>>>>>>>>
> >>>>>>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
> >>>>>>>>> openssl verify -CAfile cert_bundle.pem server.pem
> >>>>>>>>> server.pem: OK
> >>>>>>>>>
> >>>>>>>>> However the browsers (FF, Chrome, Konqueror and wget) fail 
> authentication, claiming there are no certificates to verify 
> server.pem's signature.
> >>>>>>>>>
> >>>>>>>>> I'm using Apache 2.4.10 with the following --
> >>>>>>>>>
> >>>>>>>>> SSLCertificateFile /tmp/combined.pem
> >>>>>>>>> SSLCertificateKeyFile /tmp/server.key
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> Try this:
> >>>>>>>>
> >>>>>>>> $ cat issuer.pem intermediate.pem > CA_chain.pem
> >>>>>>>>
> >>>>>>>>   SSLCertificateFile server.pem
> >>>>>>>>   SSLCertificateKeyFile server.key
> >>>>>>>>   SSLCertificateChainFile CA_chain.pem
> >>>>>>>>
> >>>>>>>
> >>>>>>> Tried this on Apache 2.2 (SSLCertificateChainFile does not 
> work with 2.4) with the same issue.
> >>>>>>
> >>>>>>
> >>>>>> Hmm in that case you have something mixed up, or simply this 
> cannot work for self-signed certificates, since this is exactly what I'm 
> using on Apache 2.2.24/26 on all our company web sites: a certificate 
> signed by a CA authority and a chain certificate file where the 
> authority's CA and intermediate certs have been concatenated.
> >>>>>>
> >>>>>> Can you show us the output of:
> >>>>>>
> >>>>>> openssl x509 -noout -in cert.pem -text
> >>>>>>
> >>>>>> for all your certificates?
> >>>>>>
> >>>>>
> >>>>> $ openssl x509 -noout -in server.pem -text
> >>>>> Certificate:
> >>>>>     Data:
> >>>>>         Version: 1 (0x0)
> >>>>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
> >>>>>     Signature Algorithm: sha1WithRSAEncryption
> >>>>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
> >>>>>         Validity
> >>>>>             Not Before: Oct  7 08:43:42 2014 GMT
> >>>>>             Not After : Oct  2 08:43:42 2015 GMT
> >>>>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
> >>>>>         Subject Public Key Info:
> >>>>>             Public Key Algorithm: rsaEncryption
> >>>>>                 Public-Key: (1024 bit)
> >>>>>                 Modulus:
> >>>>> 00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
> >>>>> 6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
> >>>>> 81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
> >>>>> b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
> >>>>> e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
> >>>>> 7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
> >>>>> 44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
> >>>>> 3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
> >>>>> 26:3f:36:cc:29:f0:69:2b:79
> >>>>>                 Exponent: 65537 (0x10001)
> >>>>>     Signature Algorithm: sha1WithRSAEncryption
> >>>>> 4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
> >>>>> b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
> >>>>> 33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
> >>>>> a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
> >>>>> c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
> >>>>> b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
> >>>>> ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
> >>>>>          7c:fe
> >>>>>
> >>>>>
> >>>>> $ openssl x509 -noout -in intermediate.pem -text
> >>>>> Certificate:
> >>>>>     Data:
> >>>>>         Version: 1 (0x0)
> >>>>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
> >>>>>     Signature Algorithm: sha1WithRSAEncryption
> >>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
> >>>>>         Validity
> >>>>>             Not Before: Oct  7 08:42:05 2014 GMT
> >>>>>             Not After : Oct  2 08:42:05 2015 GMT
> >>>>>         Subject: C=AU, ST=Some-State, O=intermediate, 
> CN=intermediate
> >>>>>         Subject Public Key Info:
> >>>>>             Public Key Algorithm: rsaEncryption
> >>>>>                 Public-Key: (1024 bit)
> >>>>>                 Modulus:
> >>>>> 00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
> >>>>> f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
> >>>>> df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
> >>>>> 2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
> >>>>> df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
> >>>>> 14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
> >>>>> 78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
> >>>>> f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
> >>>>> 3a:fd:f3:d1:f0:27:49:f4:c3
> >>>>>                 Exponent: 65537 (0x10001)
> >>>>>     Signature Algorithm: sha1WithRSAEncryption
> >>>>> 0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
> >>>>> 0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
> >>>>> 5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
> >>>>> dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
> >>>>> 96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
> >>>>> 51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
> >>>>> 8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
> >>>>>          57:8d
> >>>>>
> >>>>>
> >>>>> $ openssl x509 -noout -in issuer.pem -text
> >>>>> Certificate:
> >>>>>     Data:
> >>>>>         Version: 1 (0x0)
> >>>>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
> >>>>>     Signature Algorithm: sha1WithRSAEncryption
> >>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
> >>>>>         Validity
> >>>>>             Not Before: Oct  7 08:40:29 2014 GMT
> >>>>>             Not After : Oct  7 08:40:29 2015 GMT
> >>>>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, 
> CN=issuer
> >>>>>         Subject Public Key Info:
> >>>>>             Public Key Algorithm: rsaEncryption
> >>>>>                 Public-Key: (1024 bit)
> >>>>>                 Modulus:
> >>>>> 00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
> >>>>> 7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
> >>>>> 72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
> >>>>> 26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
> >>>>> af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
> >>>>> e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
> >>>>> d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
> >>>>> af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
> >>>>> 05:d0:5c:50:0f:8f:3f:c4:d5
> >>>>>                 Exponent: 65537 (0x10001)
> >>>>>     Signature Algorithm: sha1WithRSAEncryption
> >>>>> 3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
> >>>>> 70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
> >>>>> 96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
> >>>>> 82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
> >>>>> 9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
> >>>>> f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
> >>>>> 40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
> >>>>>          68:bf
> >>>>
> >>>>
> >>>> And the output from the below command executed from the client 
> you are running wget from:
> >>>>
> >>>> openssl s_client -connect <your_server>:443
> >>>>
> >>>> You should see some output with lots of information regarding the 
> ssl connection, the server certificate and something like this:
> >>>>
> >>>> ---
> >>>> Certificate chain
> >>>>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty 
> Ltd/CN=*.<mydomain>.com
> >>>>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
> >>>>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
> >>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert 
> <http://www.digicert.com/CN=DigiCert> Global Root CA
> >>>>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert 
> <http://www.digicert.com/CN=DigiCert> Global Root CA
> >>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert 
> <http://www.digicert.com/CN=DigiCert> Global Root CA
> >>>>
> >>>> which will confirm the complete chain is being received by the 
> client. If you see something like this at the bottom:
> >>>>
> >>>> Verify return code: 19 (self signed certificate in certificate chain)
> >>>>
> >>>> means you haven't properly imported the CA chain on the client. 
> In case of wget or curl or other terminal tools this is done on OS 
> level so you would need to consult the OS documentation about 
> importing certificates.
> >>>>
> >>>> You can find more about openssl tool set here: 
> https://www.openssl.org/docs/apps/s_client.html, its perfect for ssl 
> troubleshooting.
> >>>>
> >>>>
> >>>
> >>> $ openssl s_client -connect server:443
> >>> gethostbyname failure
> >>> CONNECTED(00000003)
> >>> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
> >>> verify error:num=19:self signed certificate in certificate chain
> >>> verify return:0
> >>> ---
> >>> Certificate chain
> >>>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
> >>> i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
> >>>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
> >>> i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
> >>>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
> >>> i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
> >>> ---
> >>> Server certificate
> >>> -----BEGIN CERTIFICATE-----
> >>> MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
> >>> VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
> >>> EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
> >>> MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
> >>> CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
> >>> SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
> >>> eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
> >>> fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
> >>> 8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
> >>> LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
> >>> DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
> >>> YdtP4bzc8AetHHz+
> >>> -----END CERTIFICATE-----
> >>> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
> >>> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
> >>> ---
> >>> No client certificate CA names sent
> >>> ---
> >>> SSL handshake has read 2391 bytes and written 498 bytes
> >>> ---
> >>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
> >>> Server public key is 1024 bit
> >>> Secure Renegotiation IS supported
> >>> Compression: NONE
> >>> Expansion: NONE
> >>> SSL-Session:
> >>>     Protocol  : TLSv1.2
> >>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
> >>>     Session-ID: 
> FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
> >>>     Session-ID-ctx:
> >>>     Master-Key: 
> 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
> >>>     Key-Arg   : None
> >>>     PSK identity: None
> >>>     PSK identity hint: None
> >>>     SRP username: None
> >>>     TLS session ticket lifetime hint: 300 (seconds)
> >>>     TLS session ticket:
> >>>     0000 - b9 a3 67 f3 a1 e1 2f 40-90 64 09 db ef 26 4d b2   
> ..g.../@.d...&M.
> >>>     0010 - e8 a3 c2 25 30 d6 df af-8c 4d d3 19 20 83 bb c3   
> ...%0....M.. ...
> >>>     0020 - 6f a9 51 a3 3a 2f f5 43-1e a8 9d 1e 49 25 67 43   
> o.Q.:/.C....I%gC
> >>>     0030 - f0 05 3f 75 50 c8 49 2b-be 44 d2 72 58 14 2e f6   
> ..?uP.I+.D.rX...
> >>>     0040 - 55 a5 ba 0a 34 34 92 9f-cc 8b c1 30 55 f1 69 c0   
> U...44.....0U.i.
> >>>     0050 - df f8 3d 08 38 37 11 46-90 9d 88 6c ce 48 5d 79   
> ..=.87.F...l.H]y
> >>>     0060 - 96 bb 5a 23 56 4d e9 c3-2f 17 d9 11 45 47 fb 2b   
> ..Z#VM../...EG.+
> >>>     0070 - 05 1a cb 92 52 13 52 e6-72 16 44 51 3f 66 90 88   
> ....R.R.r.DQ?f..
> >>>     0080 - f9 2e 46 ad 44 23 5b 75-f9 69 7c 6b c0 0f 83 42   
> ..F.D#[u.i|k...B
> >>>     0090 - 33 c0 c1 6b 6a f8 23 55-ee 18 0c 32 f9 5a 81 6b   
> 3..kj.#U...2.Z.k
> >>>     00a0 - 1b 4e a4 42 14 56 54 66-1d 20 2e 53 95 df 24 f5   
> .N.B.VTf. .S..$.
> >>>     00b0 - c6 4c 8a e2 ed bc 21 d9-ef a1 8c fb 51 36 51 8d   
> .L....!.....Q6Q.
> >>>
> >>>     Start Time: 1412751118
> >>>     Timeout   : 300 (sec)
> >>>     Verify return code: 19 (self signed certificate in certificate 
> chain)
> >>> ---
> >>> DONE
> >>>
> >>> I even tried copying issuer.pem to /etc/ssl/certs
> >>>
> >>> With the same error no. 19 in the chain.
> >>>
> >>> Thanks for this command. It's truly useful. That FF extension 
> shows only 1 certificate received.
> >>
> >>
> >> You need to point the tool to the CA path like this:
> >>
> >> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
> >>
> >> then the cert will get properly validated.
> >>
> >
> > I pointed it to the location where all of my relevant *.pem is there 
> And I still get error 19.
>
> Ok repeating again, you need to put the whole CA chain in 
> /etc/ssl/certs, in this case the CA_chain.pem file as I created it 
> above, same as you did in the browser. I don't know why you are so 
> confused; it is very simple: the client, no matter if it is an 
> application or browser, needs to know about the WHOLE chain of CA 
> certificates involved in signing the server's one. Not just the issuer, 
> not just the intermediate, but both of them.
>
> I really recommend you find some good documentation about how the 
> certificates work as it looks like you are misinterpreting the roles 
> of the web server and the browser in the whole process of the 
> certificate verification.
>

I'm getting the same Error no. 19.

But doing this is pointless, it's not what I'm trying to do.

intermediate.pem is not expected to be installed in the browser, but 
it's signed by issuer.pem, which's installed in the browser.

server.pem is signed by intermediate.pem

intermediate.pem must get installed automatically in the browsers (at 
least in FF), but instead these browsers don't see the certificate.
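
The ordering dispute running through this thread (combined.pem built as `cat server.pem intermediate.pem`, and an `openssl s_client` listing that shows the issuer at position 1 and the intermediate at position 2) comes down to two checks worth running on the bundle before blaming the browser: does each certificate in the file actually issue the one before it, and can the non-leaf certificates act as CAs at all. The Python script below is an added example written for this page; it is not code from the thread or from the httpd project. It walks the DER of each PEM block with a hand-rolled reader that handles only the fields it needs (version, issuer, subject; no extensions), and uses as sample input the server.pem that dE pasted from his s_client output above. The expected order (server certificate first, then each issuing certificate in turn) is what mod_ssl reads from SSLCertificateFile since 2.4.8; the final check, which the thread never makes, flags a non-leaf X.509 v1 certificate, because a v1 certificate cannot carry the basicConstraints CA:TRUE extension that browsers require before accepting an intermediate, and every dump in the thread reads `Version: 1 (0x0)`. Function names and the report format are my own.

```python
import base64
import re

# Sample input: the leaf certificate dE pasted from his `openssl s_client`
# output in this thread (server.pem, X.509 v1, issued by CN=intermediate).
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
YdtP4bzc8AetHHz+
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}


def der_read(buf, off):
    """Read one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Return the (tag, value) pairs packed inside a constructed DER value."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_read(value, off)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted OID from its DER body; first-byte split is fine for the 2.5.4.* arcs."""
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def decode_name(raw):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as text."""
    parts = []
    for _, rdn in der_children(raw):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            label = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
            parts.append(f"{label}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def parse_cert(der):
    """Pull version, issuer and subject out of a DER-encoded certificate."""
    _, cert, _ = der_read(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    version = 1                            # no [0] EXPLICIT version field -> v1 (0x0)
    if fields[0][0] == 0xA0:
        version = fields[0][1][2] + 1      # [0] { INTEGER v }: v=2 is printed as "Version: 3"
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki, ...
    return {"version": version,
            "issuer_der": fields[2][1], "issuer": decode_name(fields[2][1]),
            "subject_der": fields[4][1], "subject": decode_name(fields[4][1])}


def load_pem_bundle(text):
    """Parse every CERTIFICATE block of a PEM file, keeping file order."""
    return [parse_cert(base64.b64decode("".join(b64.split()))) for b64 in PEM_RE.findall(text)]


def check_chain(certs):
    """Check the order mod_ssl expects in SSLCertificateFile (leaf first, then
    the certificate that issued it, and so on). Returns (problems, trust_anchor):
    the anchor is the issuer of the last certificate, i.e. what the client must
    already trust; the root itself need not be in the file."""
    if not certs:
        return ["no certificates found"], None
    problems = []
    for i in range(len(certs) - 1):
        if certs[i]["issuer_der"] != certs[i + 1]["subject_der"]:
            problems.append(f"cert {i + 1} ({certs[i + 1]['subject']}) did not issue "
                            f"cert {i}, whose issuer is {certs[i]['issuer']}")
    for i, c in enumerate(certs[1:], 1):
        if c["version"] < 3:  # v1/v2 certs cannot carry extensions at all
            problems.append(f"cert {i} ({c['subject']}) is X.509 v{c['version']} and cannot "
                            "carry basicConstraints CA:TRUE; browsers will not accept it as a CA")
    return problems, certs[-1]["issuer"]


if __name__ == "__main__":
    chain = load_pem_bundle(SERVER_PEM)
    for i, c in enumerate(chain):
        print(f"{i}: v{c['version']}  s: {c['subject']}\n       i: {c['issuer']}")
    problems, anchor = check_chain(chain)
    for p in problems or ["ordering OK"]:
        print("->", p)
    print("-> client must trust:", anchor)
```

Pointed at combined.pem (read the file and pass its text to `load_pem_bundle`), the script reports the ordering problems and the name the client must already have installed. For the single leaf certificate embedded here the anchor comes out as CN=intermediate; with intermediate.pem appended, as in dE's combined.pem, the anchor becomes CN=issuer, the certificate he installed in the browser, and the version check then reports intermediate.pem as a v1 certificate.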

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
On 08/10/2014 9:16 PM, "dE" <de...@gmail.com> wrote:
>
> On 10/08/14 14:33, Igor Cicimov wrote:
>>
>>
>>
>> On Wed, Oct 8, 2014 at 6:03 PM, dE <de...@gmail.com> wrote:
>>>
>>> On 10/08/14 10:18, Igor Cicimov wrote:
>>>>
>>>> On Wed, Oct 8, 2014 at 2:27 PM, dE <de...@gmail.com> wrote:
>>>>>
>>>>> On 10/08/14 05:18, Igor Cicimov wrote:
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de...@gmail.com> wrote:
>>>>>>>
>>>>>>> On 10/07/14 18:12, Igor Cicimov wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> I'm in a situation where I got 3 certificates
>>>>>>>>>
>>>>>>>>> server.pem -- the end user certificate which's sent by the server
to the client.
>>>>>>>>> intermediate.pem -- server.pem is signed by intermediate.pem's
private key.
>>>>>>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private
key.
>>>>>>>>>
>>>>>>>>> combined.pem is created by --
>>>>>>>>>
>>>>>>>>> cat server.pem intermediate.pem > combined.pem
>>>>>>>>>
>>>>>>>>> Issuer.pem is installed in the web browser.
>>>>>>>>>
>>>>>>>>> The chain is working, I can verify this via the SSL command --
>>>>>>>>>
>>>>>>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>>>>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>>>>>>> server.pem: OK
>>>>>>>>>
>>>>>>>>> However the browsers (FF, Chrome, Konqueror and wget) fail
authentication, claiming there are no certificates to verify server.pem's
signature.
>>>>>>>>>
>>>>>>>>> I'm using Apache 2.4.10 with the following --
>>>>>>>>>
>>>>>>>>> SSLCertificateFile /tmp/combined.pem
>>>>>>>>> SSLCertificateKeyFile /tmp/server.key
>>>>>>>>>
>>>>>>>>
>>>>>>>> Try this:
>>>>>>>>
>>>>>>>> $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>>>>>>
>>>>>>>>   SSLCertificateFile server.pem
>>>>>>>>   SSLCertificateKeyFile server.key
>>>>>>>>   SSLCertificateChainFile CA_chain.pem
>>>>>>>>
>>>>>>>
>>>>>>> Tried this on Apache 2.2 (SSLCertificateChainFile does not work
with 2.4) with the same issue.
>>>>>>
>>>>>>
>>>>>> Hmm in that case you have something mixed up, or simply this cannot
work for self-signed certificates, since this is exactly what I'm using on
Apache 2.2.24/26 on all our company web sites: a certificate signed by a CA
authority and a chain certificate file where the authority's CA and
intermediate certs have been concatenated.
>>>>>>
>>>>>> Can you show us the output of:
>>>>>>
>>>>>> openssl x509 -noout -in cert.pem -text
>>>>>>
>>>>>> for all your certificates?
>>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in server.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:43:42 2014 GMT
>>>>>             Not After : Oct  2 08:43:42 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
>>>>>                     6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
>>>>>                     81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
>>>>>                     b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
>>>>>                     e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
>>>>>                     7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
>>>>>                     44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
>>>>>                     3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
>>>>>                     26:3f:36:cc:29:f0:69:2b:79
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:42:05 2014 GMT
>>>>>             Not After : Oct  2 08:42:05 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in issuer.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct  7 08:40:29 2014 GMT
>>>>>             Not After : Oct  7 08:40:29 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>
>>>>
>>>> And the output from the below command executed from the client you
>>>> are running wget from:
>>>>
>>>> openssl s_client -connect <your_server>:443
>>>>
>>>> You should see some output with lots of information regarding the ssl
>>>> connection, the server certificate and something like this:
>>>>
>>>> ---
>>>> Certificate chain
>>>>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>>>>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>
>>>> which will confirm the complete chain is being received by the client.
>>>> If you see something like this at the bottom:
>>>>
>>>> Verify return code: 19 (self signed certificate in certificate chain)
>>>>
>>>> this means you haven't properly imported the CA chain on the client. In
>>>> the case of wget or curl or other terminal tools this is done at OS level so
>>>> you would need to consult the OS documentation about importing certificates.
>>>>
>>>> You can find more about the openssl tool set here:
>>>> https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl
>>>> troubleshooting.
>>>>
>>>>
>>>
>>> $ openssl s_client -connect server:443
>>> gethostbyname failure
>>> CONNECTED(00000003)
>>> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>>> ---
>>> Certificate chain
>>>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>>    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>> ---
>>> Server certificate
>>> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2391 bytes and written 498 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>> Server public key is 1024 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>     Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>>>     Session-ID-ctx:
>>>     Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>     TLS session ticket:
>>>
>>>     Start Time: 1412751118
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 19 (self signed certificate in certificate chain)
>>> ---
>>> DONE
>>>
>>> I even tried copying issuer.pem to /etc/ssl/certs
>>>
>>> With the same error no. 19 in the chain.
>>>
>>> Thanks for this command. It's truly useful. That FF extension shows
only 1 certificate received.
>>
>>
>> You need to point the tool to the CA path like this:
>>
>> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
>>
>> then the cert will get properly validated.
>>
>
> I pointed it to the location where all of my relevant *.pem files are, and
> I still get error 19.

OK, repeating again: you need to put the whole CA chain in /etc/ssl/certs, in
this case the CA_chain.pem file as I created it above, same as you did in
the browser. I don't know why you are so confused; it is very simple: the
client, no matter if it is an application or a browser, needs to know about the
WHOLE chain of CA certificates involved in signing the server's one. Not
just the issuer, not just the intermediate, but both of them.

I really recommend you find some good documentation about how the
certificates work as it looks like you are misinterpreting the roles of the
web server and the browser in the whole process of the certificate
verification.
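
The s_client chain check discussed in this thread, as an added example that is not part of the original posts: a small Python script that parses the "Certificate chain" block, reports each place where a certificate is not followed by its issuer (the order TLS clients expect), re-links the chain from the leaf by following issuer to subject, and extracts the final "Verify return code". The function names are assumptions and the sample output is constructed from the chain posted above.

```python
"""Sanity-check the certificate chain reported by `openssl s_client`.
Added example (not from the thread); function names and sample output are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

class ChainEntry(NamedTuple):
    index: int    # position in the chain as sent by the server
    subject: str  # the "s:" line
    issuer: str   # the "i:" line

# Constructed sample modelled on the s_client output posted in the thread: the
# self-signed issuer is sent at position 1 and the intermediate that actually
# signed the server certificate at position 2.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
   i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
 1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
 2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""

_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")
_VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*)\)")

def parse_chain(output: str) -> List[ChainEntry]:
    """Return the (index, subject, issuer) triples of the Certificate chain block."""
    entries: List[ChainEntry] = []
    in_block = False
    pending: Optional[Tuple[int, str]] = None  # "s:" line awaiting its "i:" line
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if line.strip() == "---":  # the separator that closes the block
            break
        m = _SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return entries

def chain_order_problems(entries: List[ChainEntry]) -> List[str]:
    """Describe every position where certificate N is not followed by its issuer."""
    if not entries:
        return ["server sent no certificate chain"]
    problems = []
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            problems.append(f"cert {cur.index} is issued by {cur.issuer!r} "
                            f"but cert {nxt.index} is {nxt.subject!r}")
    return problems

def relink_from_leaf(entries: List[ChainEntry]) -> List[ChainEntry]:
    """Rebuild leaf-to-root order by following each issuer to the matching subject.

    Stops at a self-signed certificate, at an issuer the server did not send
    (the client must then already trust it) or at a loop.
    """
    if not entries:
        return []
    by_subject = {e.subject: e for e in entries}
    ordered, seen = [entries[0]], {entries[0].subject}
    while ordered[-1].subject != ordered[-1].issuer:
        nxt = by_subject.get(ordered[-1].issuer)
        if nxt is None or nxt.subject in seen:
            break
        ordered.append(nxt)
        seen.add(nxt.subject)
    return ordered

def verify_return_code(output: str) -> Tuple[int, str]:
    """Return (code, description) from the final 'Verify return code' line."""
    m = _VERIFY_RE.search(output)
    if m is None:
        raise ValueError("no 'Verify return code' line in s_client output")
    return int(m.group(1)), m.group(2)

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    print("order problems:", chain_order_problems(chain))
    print("leaf-to-root:", [e.index for e in relink_from_leaf(chain)])
    print("verify:", verify_return_code(SAMPLE_S_CLIENT_OUTPUT))
```

Run it against real output by piping `openssl s_client -connect host:443 < /dev/null` into a file and passing the file contents to parse_chain; a return code of 19 with a correctly linked chain points at the client's trust store, as the reply above says, not at the server's chain file.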

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/08/14 14:33, Igor Cicimov wrote:
>
>
> On Wed, Oct 8, 2014 at 6:03 PM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
>
>     On 10/08/14 10:18, Igor Cicimov wrote:
>>     On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com
>>     <ma...@gmail.com>> wrote:
>>
>>         On 10/08/14 05:18, Igor Cicimov wrote:
>>>
>>>         On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com
>>>         <ma...@gmail.com>> wrote:
>>>
>>>             On 10/07/14 18:12, Igor Cicimov wrote:
>>>>
>>>>
>>>>             On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com
>>>>             <ma...@gmail.com>> wrote:
>>>>
>>>>                 Hi.
>>>>
>>>>                 I'm in a situation where I got 3 certificates
>>>>
>>>>                 server.pem -- the end user certificate which is sent
>>>>                 by the server to the client.
>>>>                 intermediate.pem -- server.pem is signed by
>>>>                 intermediate.pem's private key.
>>>>                 issuer.pem -- intermediate.pem is signed by
>>>>                 issuer.pem's private key.
>>>>
>>>>                 combined.pem is created by --
>>>>
>>>>                 cat server.pem intermediate.pem > combined.pem
>>>>
>>>>                 Issuer.pem is installed in the web browser.
>>>>
>>>>                 The chain is working, I can verify this via the SSL
>>>>                 command --
>>>>
>>>>                 cat intermediate.pem issuer.pem > cert_bundle.pem
>>>>                 openssl verify -CAfile cert_bundle.pem server.pem
>>>>                 server.pem: OK
>>>>
>>>>                 However the browsers (FF, Chrome, Konqueror and
>>>>                 wget) fail authentication, claiming there are no
>>>>                 certificates to verify server.pem's signature.
>>>>
>>>>                 I'm using Apache 2.4.10 with the following --
>>>>
>>>>                 SSLCertificateFile /tmp/combined.pem
>>>>                 SSLCertificateKeyFile /tmp/server.key
>>>>
>>>>
>>>>             Try this:
>>>>
>>>>             $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>>
>>>>             SSLCertificateFile server.pem
>>>>             SSLCertificateKeyFile server.key
>>>>             SSLCertificateChainFile CA_chain.pem
>>>>
>>>
>>>             Tried this on Apache 2.2 (SSLCertificateChainFile does
>>>             not work with 2.4) with the same issue.
>>>
>>>         Hmm in that case you have something mixed up or simply this
>>>         can not work for self signed certificates since this is
>>>         exactly what I'm using on Apache 2.2.24/26 on all our
>>>         company web sites: a certificate signed by CA authority and
>>>         a chain certificate file where the authority's CA and
>>>         Intermediate certs have been concatenated.
>>>
>>>         Can you show us the output of:
>>>
>>>         openssl x509 -noout -in cert.pem -text
>>>
>>>         for all your certificates?
>>>
>>
>>         $ openssl x509 -noout -in server.pem -text
>>         Certificate:
>>             Data:
>>                 Version: 1 (0x0)
>>                 Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>             Signature Algorithm: sha1WithRSAEncryption
>>                 Issuer: C=AU, ST=Some-State, O=intermediate,
>>         CN=intermediate
>>                 Validity
>>                     Not Before: Oct  7 08:43:42 2014 GMT
>>                     Not After : Oct  2 08:43:42 2015 GMT
>>                 Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>                 Subject Public Key Info:
>>                     Public Key Algorithm: rsaEncryption
>>                         Public-Key: (1024 bit)
>>                         Modulus:
>>                         Exponent: 65537 (0x10001)
>>             Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>         $ openssl x509 -noout -in intermediate.pem -text
>>         Certificate:
>>             Data:
>>                 Version: 1 (0x0)
>>                 Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>             Signature Algorithm: sha1WithRSAEncryption
>>                 Issuer: C=AU, ST=Some-State, O=issuer, OU=signing,
>>         CN=issuer
>>                 Validity
>>                     Not Before: Oct  7 08:42:05 2014 GMT
>>                     Not After : Oct  2 08:42:05 2015 GMT
>>                 Subject: C=AU, ST=Some-State, O=intermediate,
>>         CN=intermediate
>>                 Subject Public Key Info:
>>                     Public Key Algorithm: rsaEncryption
>>                         Public-Key: (1024 bit)
>>                         Modulus:
>>                         Exponent: 65537 (0x10001)
>>             Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>         $ openssl x509 -noout -in issuer.pem -text
>>         Certificate:
>>             Data:
>>                 Version: 1 (0x0)
>>                 Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>             Signature Algorithm: sha1WithRSAEncryption
>>                 Issuer: C=AU, ST=Some-State, O=issuer, OU=signing,
>>         CN=issuer
>>                 Validity
>>                     Not Before: Oct  7 08:40:29 2014 GMT
>>                     Not After : Oct  7 08:40:29 2015 GMT
>>                 Subject: C=AU, ST=Some-State, O=issuer, OU=signing,
>>         CN=issuer
>>                 Subject Public Key Info:
>>                     Public Key Algorithm: rsaEncryption
>>                         Public-Key: (1024 bit)
>>                         Modulus:
>>                         Exponent: 65537 (0x10001)
>>             Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>     And the output from the below command executed from the client
>>     you are running wget from:
>>
>>     openssl s_client -connect <your_server>:443
>>
>>     You should see some output with lots of information regarding the
>>     ssl connection, the server certificate and something like this:
>>
>>     ---
>>     Certificate chain
>>      0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>>        i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>      1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>        i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>      2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>        i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>
>>     which will confirm the complete chain is being received by the
>>     client. If you see something like this at the bottom:
>>
>>     Verify return code: 19 (self signed certificate in certificate chain)
>>
>>     this means you haven't properly imported the CA chain on the client.
>>     In the case of wget or curl or other terminal tools this is done at
>>     OS level so you would need to consult the OS documentation about
>>     importing certificates.
>>
>>     You can find more about the openssl tool set here:
>>     https://www.openssl.org/docs/apps/s_client.html, it's perfect for
>>     ssl troubleshooting.
>>
>>
>
>     $ openssl s_client -connect server:443
>     gethostbyname failure
>     CONNECTED(00000003)
>     depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
>     verify error:num=19:self signed certificate in certificate chain
>     verify return:0
>     ---
>     Certificate chain
>      0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>        i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>      1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>        i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>      2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>        i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>     ---
>     Server certificate
>     subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>     issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>     ---
>     No client certificate CA names sent
>     ---
>     SSL handshake has read 2391 bytes and written 498 bytes
>     ---
>     New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>     Server public key is 1024 bit
>     Secure Renegotiation IS supported
>     Compression: NONE
>     Expansion: NONE
>     SSL-Session:
>         Protocol  : TLSv1.2
>         Cipher    : DHE-RSA-AES256-GCM-SHA384
>         Session-ID:
>     FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>         Session-ID-ctx:
>         Master-Key:
>     5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>         Key-Arg   : None
>         PSK identity: None
>         PSK identity hint: None
>         SRP username: None
>         TLS session ticket lifetime hint: 300 (seconds)
>         TLS session ticket:
>
>         Start Time: 1412751118
>         Timeout   : 300 (sec)
>         Verify return code: 19 (self signed certificate in certificate chain)
>     ---
>     DONE
>
>     I even tried copying issuer.pem to /etc/ssl/certs
>
>     With the same error no. 19 in the chain.
>
>     Thanks for this command. It's truly useful. That FF extension
>     shows only 1 certificate received.
>
>
> You need to point the tool to the CA path like this:
>
> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
>
> then the cert will get properly validated.
>

I pointed it to the location where all of my relevant *.pem files are, and
I still get error 19.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
On Wed, Oct 8, 2014 at 6:03 PM, dE <de...@gmail.com> wrote:

>  On 10/08/14 10:18, Igor Cicimov wrote:
>
>  On Wed, Oct 8, 2014 at 2:27 PM, dE <de...@gmail.com> wrote:
>
>>   On 10/08/14 05:18, Igor Cicimov wrote:
>>
>>
>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de...@gmail.com> wrote:
>>
>>>   On 10/07/14 18:12, Igor Cicimov wrote:
>>>
>>>
>>>
>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de...@gmail.com> wrote:
>>>
>>>> Hi.
>>>>
>>>> I'm in a situation where I got 3 certificates
>>>>
>>>> server.pem -- the end user certificate which is sent by the server to
>>>> the client.
>>>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>>>> key.
>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>>
>>>> combined.pem is created by --
>>>>
>>>> cat server.pem intermediate.pem > combined.pem
>>>>
>>>> Issuer.pem is installed in the web browser.
>>>>
>>>> The chain is working, I can verify this via the SSL command --
>>>>
>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>> server.pem: OK
>>>>
>>>> However the browsers (FF, Chrome, Konqueror and wget) fail
>>>> authentication, claiming there are no certificates to verify server.pem's
>>>> signature.
>>>>
>>>> I'm using Apache 2.4.10 with the following --
>>>>
>>>> SSLCertificateFile /tmp/combined.pem
>>>> SSLCertificateKeyFile /tmp/server.key
>>>>
>>>>
>>>  Try this:
>>>
>>>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>
>>>   SSLCertificateFile server.pem
>>>   SSLCertificateKeyFile server.key
>>>   SSLCertificateChainFile CA_chain.pem
>>>
>>>
>>>  Tried this on Apache 2.2 (SSLCertificateChainFile does not work with
>>> 2.4) with the same issue.
>>>
>>
>>  Hmm in that case you have something mixed up or simply this can not work
>> for self signed certificates since this is exactly what I'm using on Apache
>> 2.2.24/26 on all our company web sites: a certificate signed by CA
>> authority and a chain certificate file where the authority's CA and
>> Intermediate certs have been concatenated.
>>
>>  Can you show us the output of:
>>
>>  openssl x509 -noout -in cert.pem -text
>>
>>  for all your certificates?
>>
>>
>>  $ openssl x509 -noout -in server.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Validity
>>             Not Before: Oct  7 08:43:42 2014 GMT
>>             Not After : Oct  2 08:43:42 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>
>>
>> $ openssl x509 -noout -in intermediate.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:42:05 2014 GMT
>>             Not After : Oct  2 08:42:05 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>
>>
>> $ openssl x509 -noout -in issuer.pem -text
>> Certificate:
>>     Data:
>>         Version: 1 (0x0)
>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>     Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Validity
>>             Not Before: Oct  7 08:40:29 2014 GMT
>>             Not After : Oct  7 08:40:29 2015 GMT
>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (1024 bit)
>>                 Modulus:
>>                 Exponent: 65537 (0x10001)
>>     Signature Algorithm: sha1WithRSAEncryption
>>
>
>  And the output from the below command executed from the client you are
> running wget from:
>
>  openssl s_client -connect <your_server>:443
>
>  You should see some output with lots of information regarding the ssl
> connection, the server certificate and something like this:
>
>  ---
> Certificate chain
>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty
> Ltd/CN=*.<mydomain>.com
>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
>  which will confirm the complete chain is being received by the client.
> If you see something like this at the bottom:
>
>  Verify return code: 19 (self signed certificate in certificate chain)
>
>  means you haven't properly imported the CA chain on the client. In case
> of wget or curl or other terminal tools this is done on OS level so you
> would need to consult the OS documentation about importing certificates.
>
>  You can find more about openssl tool set here:
> https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl
> troubleshooting.
>
>
>
> $ openssl s_client -connect server:443
> gethostbyname failure
> CONNECTED(00000003)
> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
> ---
> Server certificate
> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2391 bytes and written 498 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>     Session-ID-ctx:
>     Master-Key:
> 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>
>     Start Time: 1412751118
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> DONE
>
> I even tried copying issuer.pem to /etc/ssl/certs
>
> With the same error no. 19 in the chain.
>
> Thanks for this command. It's truly useful. That FF extension shows only 1
> certificate received.
>

You need to point the tool to the CA path like this:

$ openssl s_client -connect server:443 -CApath /etc/ssl/certs

then the cert will get properly validated.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/08/14 10:18, Igor Cicimov wrote:
> On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
>
>     On 10/08/14 05:18, Igor Cicimov wrote:
>>
>>     On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com
>>     <ma...@gmail.com>> wrote:
>>
>>         On 10/07/14 18:12, Igor Cicimov wrote:
>>>
>>>
>>>         On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com
>>>         <ma...@gmail.com>> wrote:
>>>
>>>             Hi.
>>>
>>>             I'm in a situation where I got 3 certificates
>>>
>>>             server.pem -- the end user certificate which's sent by
>>>             the server to the client.
>>>             intermediate.pem -- server.pem is signed by
>>>             intermediate.pem's private key.
>>>             issuer.pem -- intermediate.pem is signed by issuer.pem's
>>>             private key.
>>>
>>>             combined.pem is created by --
>>>
>>>             cat server.pem intermediate.pem > combined.pem
>>>
>>>             Issuer.pem is installed in the web browser.
>>>
>>>             The chain is working, I can verify this via the SSL
>>>             command --
>>>
>>>             cat intermediate.pem issuer.pem > cert_bundle.pem
>>>             openssl verify -CAfile cert_bundle.pem server.pem
>>>             server.pem: OK
>>>
>>>             However the browsers (FF, Chrome, Konqueror and wget)
>>>             fail authentication, claiming there are no certificates
>>>             to verify server.pem's signature.
>>>
>>>             I'm using Apache 2.4.10 with the following --
>>>
>>>             SSLCertificateFile /tmp/combined.pem
>>>             SSLCertificateKeyFile /tmp/server.key
>>>
>>>
>>>         Try this:
>>>
>>>         $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>
>>>           SSLCertificateFile server.pem
>>>           SSLCertificateKeyFile server.key
>>>           SSLCertificateChainFile CA_chain.pem
>>>
>>
>>         Tried this on Apache 2.2 (SSLCertificateChainFile does not
>>         work with 2.4) with the same issue.
>>
>>     Hmm in that case you have something mixed up or simply this can
>>     not work for self signed certificates since this is exactly what
>>     I'm using on Apache 2.2.24/26 on all our company web sites: a
>>     certificate signed by CA authority and a chain certificate file
>>     where the authorities CA and Intermediate certs have been
>>     concatenated.
>>
>>     Can you show us the output of:
>>
>>     openssl x509 -noout -in cert.pem -text
>>
>>     for all your certificates?
>>
>
>     $ openssl x509 -noout -in server.pem -text
>     Certificate:
>         Data:
>             Version: 1 (0x0)
>             Serial Number: 13192573755114198537 (0xb7156feedab91609)
>         Signature Algorithm: sha1WithRSAEncryption
>             Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>             Validity
>                 Not Before: Oct  7 08:43:42 2014 GMT
>                 Not After : Oct  2 08:43:42 2015 GMT
>             Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>             Subject Public Key Info:
>                 Public Key Algorithm: rsaEncryption
>                     Public-Key: (1024 bit)
>                     Modulus:
>                     Exponent: 65537 (0x10001)
>         Signature Algorithm: sha1WithRSAEncryption
>
>
>     $ openssl x509 -noout -in intermediate.pem -text
>     Certificate:
>         Data:
>             Version: 1 (0x0)
>             Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>         Signature Algorithm: sha1WithRSAEncryption
>             Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>             Validity
>                 Not Before: Oct  7 08:42:05 2014 GMT
>                 Not After : Oct  2 08:42:05 2015 GMT
>             Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>             Subject Public Key Info:
>                 Public Key Algorithm: rsaEncryption
>                     Public-Key: (1024 bit)
>                     Modulus:
>                     Exponent: 65537 (0x10001)
>         Signature Algorithm: sha1WithRSAEncryption
>
>
>     $ openssl x509 -noout -in issuer.pem -text
>     Certificate:
>         Data:
>             Version: 1 (0x0)
>             Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>         Signature Algorithm: sha1WithRSAEncryption
>             Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>             Validity
>                 Not Before: Oct  7 08:40:29 2014 GMT
>                 Not After : Oct  7 08:40:29 2015 GMT
>             Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>             Subject Public Key Info:
>                 Public Key Algorithm: rsaEncryption
>                     Public-Key: (1024 bit)
>                     Modulus:
>                     Exponent: 65537 (0x10001)
>         Signature Algorithm: sha1WithRSAEncryption
>
>
> And the output from the below command executed from the client you 
> are running wget from:
>
> openssl s_client -connect <your_server>:443
>
> You should see some output with lots of information regarding the ssl 
> connection, the server certificate and something like this:
>
> ---
> Certificate chain
>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty 
> Ltd/CN=*.<mydomain>.com
>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
> which will confirm the complete chain is being received by the client. 
> If you see something like this at the bottom:
>
> Verify return code: 19 (self signed certificate in certificate chain)
>
> means you haven't properly imported the CA chain on the client. In 
> case of wget or curl or other terminal tools this is done on OS level 
> so you would need to consult the OS documentation about importing 
> certificates.
>
> You can find more about openssl tool set here: 
> https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl 
> troubleshooting.
>
>

$ openssl s_client -connect server:443
gethostbyname failure
CONNECTED(00000003)
depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
---
Server certificate
subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
---
No client certificate CA names sent
---
SSL handshake has read 2391 bytes and written 498 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : DHE-RSA-AES256-GCM-SHA384
     Session-ID: 
FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
     Session-ID-ctx:
     Master-Key: 
5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 300 (seconds)
     TLS session ticket:

     Start Time: 1412751118
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
---
DONE

I even tried copying issuer.pem to /etc/ssl/certs

With the same error no. 19 in the chain.

Thanks for this command. It's truly useful. That FF extension shows only 
1 certificate received.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/08/14 14:35, Igor Cicimov wrote:
>
>
> On Wed, Oct 8, 2014 at 6:05 PM, dE <de.techno@gmail.com 
> <ma...@gmail.com>> wrote:
>
>     On 10/08/14 10:19, Igor Cicimov wrote:
>>
>>
>>         You can find more about openssl tool set here:
>>         https://www.openssl.org/docs/apps/s_client.html, it's perfect
>>         for ssl troubleshooting.
>>
>>     By the way, did you import the CA_chain.pem in the browsers?
>>
>
>     I thought browser only needs to have the self signed root CA. If I
>     have intermediate.pem installed, then of course things go as
>     expected; but this should be a certificate chain as provided by
>     Apache.
>
>
> Apache does provide the certificate chain to the client/browser but 
> the client/browser needs something to compare it against otherwise how 
> is it going to know to trust it or not?
>

issuer.pem is installed in the browser. It's provided by the root CA.

Apache should (and it does) send both intermediate.pem and server.pem so 
the client can link to the chain.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
On Wed, Oct 8, 2014 at 6:05 PM, dE <de...@gmail.com> wrote:

>  On 10/08/14 10:19, Igor Cicimov wrote:
>
>
>
>>  You can find more about openssl tool set here:
>> https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl
>> troubleshooting.
>>
>>   By the way, did you import the CA_chain.pem in the browsers?
>
>
> I thought browser only needs to have the self signed root CA. If I have
> intermediate.pem installed, then of course things go as expected; but this
> should be a certificate chain as provided by Apache.
>

Apache does provide the certificate chain to the client/browser but the
client/browser needs something to compare it against otherwise how is it
going to know to trust it or not?

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/08/14 10:19, Igor Cicimov wrote:
>
>
>     You can find more about openssl tool set here:
>     https://www.openssl.org/docs/apps/s_client.html, it's perfect for
>     ssl troubleshooting.
>
> By the way, did you import the CA_chain.pem in the browsers?
>

I thought browser only needs to have the self signed root CA. If I have 
intermediate.pem installed, then of course things go as expected; but 
this should be a certificate chain as provided by Apache.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
>
> You can find more about openssl tool set here:
> https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl
> troubleshooting.
>
> By the way, did you import the CA_chain.pem in the browsers?

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
On Wed, Oct 8, 2014 at 2:27 PM, dE <de...@gmail.com> wrote:

>  On 10/08/14 05:18, Igor Cicimov wrote:
>
>
> On Wed, Oct 8, 2014 at 1:59 AM, dE <de...@gmail.com> wrote:
>
>>   On 10/07/14 18:12, Igor Cicimov wrote:
>>
>>
>>
>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de...@gmail.com> wrote:
>>
>>> Hi.
>>>
>>> I'm in a situation where I got 3 certificates
>>>
>>> server.pem -- the end user certificate which's sent by the server to the
>>> client.
>>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>>> key.
>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>
>>> combined.pem is created by --
>>>
>>> cat server.pem intermediate.pem > combined.pem
>>>
>>> Issuer.pem is installed in the web browser.
>>>
>>> The chain is working, I can verify this via the SSL command --
>>>
>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>> openssl verify -CAfile cert_bundle.pem server.pem
>>> server.pem: OK
>>>
>>> However the browsers (FF, Chrome, Konqueror and wget) fail
>>> authentication, claiming there are no certificates to verify server.pem's
>>> signature.
>>>
>>> I'm using Apache 2.4.10 with the following --
>>>
>>> SSLCertificateFile /tmp/combined.pem
>>> SSLCertificateKeyFile /tmp/server.key
>>>
>>>
>>  Try this:
>>
>>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>>
>>   SSLCertificateFile server.pem
>>   SSLCertificateKeyFile server.key
>>   SSLCertificateChainFile CA_chain.pem
>>
>>
>>  Tried this on Apache 2.2 (SSLCertificateChainFile does not work with
>> 2.4) with the same issue.
>>
>
>  Hmm in that case you have something mixed up or simply this can not work
> for self signed certificates since this is exactly what I'm using on Apache
> 2.2.24/26 on all our company web sites: a certificate signed by CA
> authority and a chain certificate file where the authorities CA and
> Intermediate certs have been concatenated.
>
>  Can you show us the output of:
>
>  openssl x509 -noout -in cert.pem -text
>
>  for all your certificates?
>
>
> $ openssl x509 -noout -in server.pem -text
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>         Validity
>             Not Before: Oct  7 08:43:42 2014 GMT
>             Not After : Oct  2 08:43:42 2015 GMT
>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>
>
> $ openssl x509 -noout -in intermediate.pem -text
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>         Validity
>             Not Before: Oct  7 08:42:05 2014 GMT
>             Not After : Oct  2 08:42:05 2015 GMT
>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>
>
> $ openssl x509 -noout -in issuer.pem -text
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>         Validity
>             Not Before: Oct  7 08:40:29 2014 GMT
>             Not After : Oct  7 08:40:29 2015 GMT
>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (1024 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>

And the output from the below command executed from the client you are
running wget from:

openssl s_client -connect <your_server>:443

You should see some output with lots of information regarding the ssl
connection, the server certificate and something like this:

---
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty
Ltd/CN=*.<mydomain>.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

which will confirm the complete chain is being received by the client. If
you see something like this at the bottom:

Verify return code: 19 (self signed certificate in certificate chain)

means you haven't properly imported the CA chain on the client. In case of
wget or curl or other terminal tools this is done on OS level so you would
need to consult the OS documentation about importing certificates.

You can find more about openssl tool set here:
https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl
troubleshooting.
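
The s_client output quoted in this thread shows the chain arriving as server, issuer, intermediate, and every certificate printed as "Version: 1 (0x0)". As an added example (not code from this thread or from httpd), here is a small pure-Python bundle linter that walks a PEM file the way a client does: the issuer of each certificate must equal the subject of the next one, and anything above the leaf must be an X.509 v3 certificate carrying basicConstraints cA=TRUE; signatures are left to `openssl verify`. The certificates it builds for itself are constructed, unsigned DER stand-ins, not the poster's files.

```python
"""Constructed example: lint a PEM bundle the way a TLS client walks it.
Checks chain order (each issuer == next subject, byte for byte) and that
every certificate above the leaf is v3 with basicConstraints cA=TRUE."""
import base64
import re

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")      # 2.5.29.19
OID_CN = bytes.fromhex("550403")                     # 2.5.4.3
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b") # 1.2.840.113549.1.1.11


def _read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_cert(der):
    """Return version, issuer/subject DER bytes and the cA flag of one certificate."""
    tbs = _children(_children(_read_tlv(der)[1])[0][1])   # Certificate -> tbsCertificate
    version = 1
    if tbs[0][0] == 0xA0:                   # [0] EXPLICIT version; absent means v1
        version = _children(tbs[0][1])[0][1][0] + 1
        tbs = tbs[1:]
    issuer, subject, ca = tbs[2][1], tbs[4][1], False   # serial, alg, issuer, validity, subject
    for tag, val in tbs[6:]:
        if tag != 0xA3:                     # [3] EXPLICIT extensions
            continue
        for _, ext in _children(_children(val)[0][1]):
            fields = _children(ext)         # extnID, [critical], extnValue OCTET STRING
            if fields[0][1] == OID_BASIC_CONSTRAINTS:
                bc = _children(_children(fields[-1][1])[0][1])
                ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return {"version": version, "issuer": issuer, "subject": subject, "ca": ca}


def check_bundle(pem_text):
    """Return findings for a PEM bundle; an empty list means the chain is well formed."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    certs = [parse_cert(base64.b64decode("".join(b.split()))) for b in blocks]
    findings = []
    for i, c in enumerate(certs):
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            findings.append(f"cert {i}: issuer does not match subject of cert {i + 1}")
        if i > 0 and not (c["version"] == 3 and c["ca"]):
            findings.append(f"cert {i}: X.509 v{c['version']} without basicConstraints cA=TRUE")
    return findings


# --- constructed test certificates: structurally valid DER, not signed -----------
def _tlv(tag, content):
    """Encode one DER TLV; lengths up to 65535 are enough for these certificates."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _name(cn):                              # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))


def make_cert(subject_cn, issuer_cn, version=1, ca=False):
    """Build a PEM certificate with the given names, version and cA flag (placeholder key/signature)."""
    alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + _tlv(0x05, b""))
    body = _tlv(0xA0, _tlv(0x02, b"\x02")) if version == 3 else b""
    body += _tlv(0x02, b"\x01") + alg + _name(issuer_cn)
    body += _tlv(0x30, _tlv(0x17, b"141007084342Z") + _tlv(0x17, b"151002084342Z"))
    body += _name(subject_cn) + _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))   # placeholder SPKI
    if version == 3:
        bc = _tlv(0x30, _tlv(0x01, b"\xff" if ca else b"\x00"))
        body += _tlv(0xA3, _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_BASIC_CONSTRAINTS) + _tlv(0x04, bc))))
    der = _tlv(0x30, _tlv(0x30, body) + alg + _tlv(0x03, b"\x00\x00"))      # empty signature
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"


def page_scenario_bundle():
    """Order and versions as the s_client output in the thread shows: server, issuer, intermediate, all v1."""
    return make_cert("server", "intermediate") + make_cert("issuer", "issuer") + make_cert("intermediate", "issuer")


def fixed_bundle():
    """Same hierarchy, leaf first, with v3 CA certificates above it."""
    return (make_cert("server", "intermediate", 3) + make_cert("intermediate", "issuer", 3, True)
            + make_cert("issuer", "issuer", 3, True))


if __name__ == "__main__":
    print("as sent:", check_bundle(page_scenario_bundle()))
    print("fixed:  ", check_bundle(fixed_bundle()))
```

Run it against the real bundle with `check_bundle(open("combined.pem").read())`; an empty list means only the signature and trust-anchor checks remain, which `openssl verify -CAfile` covers.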

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/10/14 19:00, Christopher Schultz wrote:
>
> dE,
>
> On 10/10/14 6:30 AM, dE wrote:
>> On 10/09/14 23:47, Christopher Schultz wrote: De,
>>
>> On 10/7/14 11:27 PM, dE wrote:
>>>>> $ openssl x509 -noout -in server.pem -text Certificate:
>>>>> Data: Version: 1 (0x0) Serial Number: 13192573755114198537
>>>>> (0xb7156feedab91609) Signature Algorithm:
>>>>> sha1WithRSAEncryption Issuer: C=AU, ST=Some-State,
>>>>> O=intermediate, CN=intermediate Validity Not Before: Oct  7
>>>>> 08:43:42 2014 GMT Not After : Oct  2 08:43:42 2015 GMT
>>>>> Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>> Subject Public Key Info: Public Key Algorithm: rsaEncryption
>>>>> Public-Key: (1024 bit)
>> 1024-bit keys?
>>
>> Perhaps the browsers are smart enough not to trust those.
>>
>>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>>> Certificate: Data: Version: 1 (0x0) Serial Number:
>>>>> 11894061023072807904 (0xa510317ba912ebe0) Signature
>>>>> Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=Some-State,
>>>>> O=issuer, OU=signing, CN=issuer Validity Not Before: Oct  7
>>>>> 08:42:05 2014 GMT Not After : Oct  2 08:42:05 2015 GMT
>>>>> Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>> Subject Public Key Info: Public Key Algorithm: rsaEncryption
>>>>> Public-Key: (1024 bit)
>> Hmm.
>>
>>>>> $ openssl x509 -noout -in issuer.pem -text Certificate:
>>>>> Data: Version: 1 (0x0) Serial Number: 18284349327322698662
>>>>> (0xfdbf0ed6ac38d3a6) Signature Algorithm:
>>>>> sha1WithRSAEncryption Issuer: C=AU, ST=Some-State, O=issuer,
>>>>> OU=signing, CN=issuer Validity Not Before: Oct  7 08:40:29
>>>>> 2014 GMT Not After : Oct  7 08:40:29 2015 GMT Subject: C=AU,
>>>>> ST=Some-State, O=issuer, OU=signing, CN=issuer Subject Public
>>>>> Key Info: Public Key Algorithm: rsaEncryption Public-Key:
>>>>> (1024 bit)
>> Maybe try again with 2048-bit keys or better?
>>
>> -chris
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>> Yeah, I'll try 4096. That's the standard. But it did work when
>> only intermediate.pem was sent by the server and issuer.pem was
>> installed in the browser.
> You might want to check using SSL Labs' server scanner. It will tell
> you exactly what the server is sending, whether they are in the right
> order, at what level they are trusted, and give you advice about how
> to improve the configuration.
>
> - -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

I tried 4096 with the same problem

openssl verify -CAfile issuer.pem intermediate.pem
intermediate.pem: OK

intermediate.pem does not import. First I have to try to get them imported 
before putting them on the server. Otherwise it's pointless (it'll 
always fail).



Re: [users@httpd] Cannot get certificate chain to work.

Posted by Christopher Schultz <ch...@christopherschultz.net>.

dE,

On 10/10/14 6:30 AM, dE wrote:
> On 10/09/14 23:47, Christopher Schultz wrote:
> De,
> 
> On 10/7/14 11:27 PM, dE wrote:
>>>> $ openssl x509 -noout -in server.pem -text Certificate:
>>>> Data: Version: 1 (0x0) Serial Number: 13192573755114198537 
>>>> (0xb7156feedab91609) Signature Algorithm:
>>>> sha1WithRSAEncryption Issuer: C=AU, ST=Some-State,
>>>> O=intermediate, CN=intermediate Validity Not Before: Oct  7
>>>> 08:43:42 2014 GMT Not After : Oct  2 08:43:42 2015 GMT
>>>> Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>> Subject Public Key Info: Public Key Algorithm: rsaEncryption
>>>> Public-Key: (1024 bit)
> 1024-bit keys?
> 
> Perhaps the browsers are smart enough not to trust those.
> 
>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>> Certificate: Data: Version: 1 (0x0) Serial Number:
>>>> 11894061023072807904 (0xa510317ba912ebe0) Signature
>>>> Algorithm: sha1WithRSAEncryption Issuer: C=AU, ST=Some-State,
>>>> O=issuer, OU=signing, CN=issuer Validity Not Before: Oct  7
>>>> 08:42:05 2014 GMT Not After : Oct  2 08:42:05 2015 GMT
>>>> Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>> Subject Public Key Info: Public Key Algorithm: rsaEncryption
>>>> Public-Key: (1024 bit)
> Hmm.
> 
>>>> $ openssl x509 -noout -in issuer.pem -text Certificate:
>>>> Data: Version: 1 (0x0) Serial Number: 18284349327322698662 
>>>> (0xfdbf0ed6ac38d3a6) Signature Algorithm:
>>>> sha1WithRSAEncryption Issuer: C=AU, ST=Some-State, O=issuer,
>>>> OU=signing, CN=issuer Validity Not Before: Oct  7 08:40:29
>>>> 2014 GMT Not After : Oct  7 08:40:29 2015 GMT Subject: C=AU,
>>>> ST=Some-State, O=issuer, OU=signing, CN=issuer Subject Public
>>>> Key Info: Public Key Algorithm: rsaEncryption Public-Key:
>>>> (1024 bit)
> Maybe try again with 2048-bit keys or better?
> 
> -chris
> 
> Yeah, I'll try 4096. That's the standard. But it did work when
> only intermediate.pem was sent by the server and issuer.pem was
> installed in the browser.

You might want to check using SSL Labs' server scanner. It will tell
you exactly what the server is sending, whether they are in the right
order, at what level they are trusted, and give you advice about how
to improve the configuration.

-chris



Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/09/14 23:47, Christopher Schultz wrote:
> De,
>
> On 10/7/14 11:27 PM, dE wrote:
>> $ openssl x509 -noout -in server.pem -text Certificate: Data:
>> Version: 1 (0x0) Serial Number: 13192573755114198537
>> (0xb7156feedab91609) Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>> Validity Not Before: Oct  7 08:43:42 2014 GMT Not After : Oct  2
>> 08:43:42 2015 GMT Subject: C=AU, ST=Some-State, O=server, OU=IT,
>> CN=server Subject Public Key Info: Public Key Algorithm:
>> rsaEncryption Public-Key: (1024 bit)
> 1024-bit keys?
>
> Perhaps the browsers are smart enough not to trust those.
>
>> $ openssl x509 -noout -in intermediate.pem -text Certificate:
>> Data: Version: 1 (0x0) Serial Number: 11894061023072807904
>> (0xa510317ba912ebe0) Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>> Validity Not Before: Oct  7 08:42:05 2014 GMT Not After : Oct  2
>> 08:42:05 2015 GMT Subject: C=AU, ST=Some-State, O=intermediate,
>> CN=intermediate Subject Public Key Info: Public Key Algorithm:
>> rsaEncryption Public-Key: (1024 bit)
> Hmm.
>
>> $ openssl x509 -noout -in issuer.pem -text Certificate: Data:
>> Version: 1 (0x0) Serial Number: 18284349327322698662
>> (0xfdbf0ed6ac38d3a6) Signature Algorithm: sha1WithRSAEncryption
>> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>> Validity Not Before: Oct  7 08:40:29 2014 GMT Not After : Oct  7
>> 08:40:29 2015 GMT Subject: C=AU, ST=Some-State, O=issuer,
>> OU=signing, CN=issuer Subject Public Key Info: Public Key
>> Algorithm: rsaEncryption Public-Key: (1024 bit)
> Maybe try again with 2048-bit keys or better?
>
> -chris

Yeah, I'll try 4096. That's the standard. But it did work when only 
intermediate.pem was sent by the server and issuer.pem was installed in 
the browser.



Re: [users@httpd] Cannot get certificate chain to work.

Posted by Christopher Schultz <ch...@christopherschultz.net>.

De,

On 10/7/14 11:27 PM, dE wrote:
> $ openssl x509 -noout -in server.pem -text Certificate: Data: 
> Version: 1 (0x0) Serial Number: 13192573755114198537 
> (0xb7156feedab91609) Signature Algorithm: sha1WithRSAEncryption 
> Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate 
> Validity Not Before: Oct  7 08:43:42 2014 GMT Not After : Oct  2 
> 08:43:42 2015 GMT Subject: C=AU, ST=Some-State, O=server, OU=IT, 
> CN=server Subject Public Key Info: Public Key Algorithm: 
> rsaEncryption Public-Key: (1024 bit)

1024-bit keys?

Perhaps the browsers are smart enough not to trust those.

> $ openssl x509 -noout -in intermediate.pem -text Certificate:
> Data: Version: 1 (0x0) Serial Number: 11894061023072807904 
> (0xa510317ba912ebe0) Signature Algorithm: sha1WithRSAEncryption 
> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer 
> Validity Not Before: Oct  7 08:42:05 2014 GMT Not After : Oct  2 
> 08:42:05 2015 GMT Subject: C=AU, ST=Some-State, O=intermediate, 
> CN=intermediate Subject Public Key Info: Public Key Algorithm: 
> rsaEncryption Public-Key: (1024 bit)

Hmm.

> $ openssl x509 -noout -in issuer.pem -text Certificate: Data: 
> Version: 1 (0x0) Serial Number: 18284349327322698662 
> (0xfdbf0ed6ac38d3a6) Signature Algorithm: sha1WithRSAEncryption 
> Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer 
> Validity Not Before: Oct  7 08:40:29 2014 GMT Not After : Oct  7 
> 08:40:29 2015 GMT Subject: C=AU, ST=Some-State, O=issuer, 
> OU=signing, CN=issuer Subject Public Key Info: Public Key 
> Algorithm: rsaEncryption Public-Key: (1024 bit)

Maybe try again with 2048-bit keys or better?

-chris



Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/08/14 05:18, Igor Cicimov wrote:
>
> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@gmail.com> wrote:
>
>     On 10/07/14 18:12, Igor Cicimov wrote:
>>
>>
>>     On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>>
>>         Hi.
>>
>>         I'm in a situation where I got 3 certificates
>>
>>         server.pem -- the end user certificate which is sent by the
>>         server to the client.
>>         intermediate.pem -- server.pem is signed by
>>         intermediate.pem's private key.
>>         issuer.pem -- intermediate.pem is signed by issuer.pem's
>>         private key.
>>
>>         combined.pem is created by --
>>
>>         cat server.pem intermediate.pem > combined.pem
>>
>>         Issuer.pem is installed in the web browser.
>>
>>         The chain is working, I can verify this via the SSL command --
>>
>>         cat intermediate.pem issuer.pem > cert_bundle.pem
>>         openssl verify -CAfile cert_bundle.pem server.pem
>>         server.pem: OK
>>
>>         However the browsers (FF, Chrome, Konqueror and wget) fail
>>         authentication, claiming there are no certificates to verify
>>         server.pem's signature.
>>
>>         I'm using Apache 2.4.10 with the following --
>>
>>         SSLCertificateFile /tmp/combined.pem
>>         SSLCertificateKeyFile /tmp/server.key
>>
>>
>>     Try this:
>>
>>     $ cat issuer.pem intermediate.pem > CA_chain.pem
>>
>>       SSLCertificateFile server.pem
>>       SSLCertificateKeyFile server.key
>>       SSLCertificateChainFile CA_chain.pem
>>
>
>     Tried this on Apache 2.2 (SSLCertificateChainFile does not work
>     with 2.4) with the same issue.
>
> Hmm, in that case you have something mixed up, or simply this cannot 
> work for self-signed certificates, since this is exactly what I'm using 
> on Apache 2.2.24/26 on all our company web sites: a certificate signed 
> by CA authority and a chain certificate file where the authority's CA 
> and Intermediate certs have been concatenated.
>
> Can you show us the output of:
>
> openssl x509 -noout -in cert.pem -text
>
> for all your certificates?
>

$ openssl x509 -noout -in server.pem -text
Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number: 13192573755114198537 (0xb7156feedab91609)
     Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
         Validity
             Not Before: Oct  7 08:43:42 2014 GMT
             Not After : Oct  2 08:43:42 2015 GMT
         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
                     00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
                     6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
                     81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
                     b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
                     e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
                     7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
                     44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
                     3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
                     26:3f:36:cc:29:f0:69:2b:79
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption
          4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
          b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
          33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
          a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
          c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
          b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
          ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
          7c:fe


$ openssl x509 -noout -in intermediate.pem -text
Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
     Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
         Validity
             Not Before: Oct  7 08:42:05 2014 GMT
             Not After : Oct  2 08:42:05 2015 GMT
         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
                     00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
                     f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
                     df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
                     2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
                     df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
                     14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
                     78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
                     f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
                     3a:fd:f3:d1:f0:27:49:f4:c3
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption
          0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
          0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
          5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
          dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
          96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
          51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
          8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
          57:8d


$ openssl x509 -noout -in issuer.pem -text
Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
     Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
         Validity
             Not Before: Oct  7 08:40:29 2014 GMT
             Not After : Oct  7 08:40:29 2015 GMT
         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
                     00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
                     7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
                     72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
                     26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
                     af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
                     e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
                     d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
                     af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
                     05:d0:5c:50:0f:8f:3f:c4:d5
                 Exponent: 65537 (0x10001)
     Signature Algorithm: sha1WithRSAEncryption
          3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
          70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
          96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
          82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
          9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
          f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
          40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
          68:bf

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
On Wed, Oct 8, 2014 at 1:59 AM, dE <de...@gmail.com> wrote:

>  On 10/07/14 18:12, Igor Cicimov wrote:
>
>
>
> On Tue, Oct 7, 2014 at 2:51 AM, dE <de...@gmail.com> wrote:
>
>> Hi.
>>
>> I'm in a situation where I got 3 certificates
>>
>> server.pem -- the end user certificate which is sent by the server to the
>> client.
>> intermediate.pem -- server.pem is signed by intermediate.pem's private
>> key.
>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>
>> combined.pem is created by --
>>
>> cat server.pem intermediate.pem > combined.pem
>>
>> Issuer.pem is installed in the web browser.
>>
>> The chain is working, I can verify this via the SSL command --
>>
>> cat intermediate.pem issuer.pem > cert_bundle.pem
>> openssl verify -CAfile cert_bundle.pem server.pem
>> server.pem: OK
>>
>> However the browsers (FF, Chrome, Konqueror and wget) fail
>> authentication, claiming there are no certificates to verify server.pem's
>> signature.
>>
>> I'm using Apache 2.4.10 with the following --
>>
>> SSLCertificateFile /tmp/combined.pem
>> SSLCertificateKeyFile /tmp/server.key
>>
>>
>  Try this:
>
>  $ cat issuer.pem intermediate.pem > CA_chain.pem
>
>   SSLCertificateFile server.pem
>   SSLCertificateKeyFile server.key
>   SSLCertificateChainFile CA_chain.pem
>
>
> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4)
> with the same issue.
>

Hmm, in that case you have something mixed up, or simply this cannot work
for self-signed certificates, since this is exactly what I'm using on Apache
2.2.24/26 on all our company web sites: a certificate signed by CA
authority and a chain certificate file where the authority's CA and
Intermediate certs have been concatenated.

Can you show us the output of:

openssl x509 -noout -in cert.pem -text

for all your certificates?

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/07/14 18:12, Igor Cicimov wrote:
>
>
> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@gmail.com> wrote:
>
>     Hi.
>
>     I'm in a situation where I got 3 certificates
>
>     server.pem -- the end user certificate which is sent by the server
>     to the client.
>     intermediate.pem -- server.pem is signed by intermediate.pem's
>     private key.
>     issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>
>     combined.pem is created by --
>
>     cat server.pem intermediate.pem > combined.pem
>
>     Issuer.pem is installed in the web browser.
>
>     The chain is working, I can verify this via the SSL command --
>
>     cat intermediate.pem issuer.pem > cert_bundle.pem
>     openssl verify -CAfile cert_bundle.pem server.pem
>     server.pem: OK
>
>     However the browsers (FF, Chrome, Konqueror and wget) fail
>     authentication, claiming there are no certificates to verify
>     server.pem's signature.
>
>     I'm using Apache 2.4.10 with the following --
>
>     SSLCertificateFile /tmp/combined.pem
>     SSLCertificateKeyFile /tmp/server.key
>
>
> Try this:
>
> $ cat issuer.pem intermediate.pem > CA_chain.pem
>
>   SSLCertificateFile server.pem
>   SSLCertificateKeyFile server.key
>   SSLCertificateChainFile CA_chain.pem
>

Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 
2.4) with the same issue.

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Igor Cicimov <ic...@gmail.com>.
On Tue, Oct 7, 2014 at 2:51 AM, dE <de...@gmail.com> wrote:

> Hi.
>
> I'm in a situation where I got 3 certificates
>
> server.pem -- the end user certificate which is sent by the server to the
> client.
> intermediate.pem -- server.pem is signed by intermediate.pem's private key.
> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>
> combined.pem is created by --
>
> cat server.pem intermediate.pem > combined.pem
>
> Issuer.pem is installed in the web browser.
>
> The chain is working, I can verify this via the SSL command --
>
> cat intermediate.pem issuer.pem > cert_bundle.pem
> openssl verify -CAfile cert_bundle.pem server.pem
> server.pem: OK
>
> However the browsers (FF, Chrome, Konqueror and wget) fail authentication,
> claiming there are no certificates to verify server.pem's signature.
>
> I'm using Apache 2.4.10 with the following --
>
> SSLCertificateFile /tmp/combined.pem
> SSLCertificateKeyFile /tmp/server.key
>
>
Try this:

$ cat issuer.pem intermediate.pem > CA_chain.pem

  SSLCertificateFile server.pem
  SSLCertificateKeyFile server.key
  SSLCertificateChainFile CA_chain.pem

[users@httpd] Re: Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/06/14 21:21, dE wrote:
> Hi.
>
> I'm in a situation where I got 3 certificates
>
> server.pem -- the end user certificate which is sent by the server to 
> the client.
> intermediate.pem -- server.pem is signed by intermediate.pem's private 
> key.
> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>
> combined.pem is created by --
>
> cat server.pem intermediate.pem > combined.pem
>
> Issuer.pem is installed in the web browser.
>
> The chain is working, I can verify this via the SSL command --
>
> cat intermediate.pem issuer.pem > cert_bundle.pem
> openssl verify -CAfile cert_bundle.pem server.pem
> server.pem: OK
>
> However the browsers (FF, Chrome, Konqueror and wget) fail 
> authentication, claiming there are no certificates to verify 
> server.pem's signature.
>
> I'm using Apache 2.4.10 with the following --
>
> SSLCertificateFile /tmp/combined.pem
> SSLCertificateKeyFile /tmp/server.key
>
> I can attach *.pem if you want.
>
> Thanks for any assistance.

Ok, I got this to work.

These modern browsers tend to accept certificates from any kind of CA 
(root or non-root) only if they have an extension (version 3) and have 
CA:TRUE set in basicConstraints.

These include intermediate certificates.
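The two checks this thread converges on, that a verifier accepts an issuing certificate only when it is a v3 certificate carrying basicConstraints CA:TRUE, and that the file handed to SSLCertificateFile has to be in leaf-first order with every certificate issued by the one after it (what Chris suggested checking with SSL Labs), can both be exercised offline. The Go program below is an added example and is not code from the thread, from httpd or from OpenSSL; it uses only the standard library's crypto/x509, constructs its own three-certificate hierarchy in memory (the names issuer, intermediate and server mirror the thread's files), and the functions BuildChain, VerifyChain, PEMBundle and CheckBundleOrder as well as the 2048-bit key size are the example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a v3 template; with withBasicConstraints false the extension is omitted, so a CA issued from it carries no CA:TRUE (the thread's finding).
func template(cn string, serial int64, isCA, withBasicConstraints bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{cn}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	if withBasicConstraints {
		t.BasicConstraintsValid, t.IsCA = true, isCA
	}
	return t
}

// sign issues tmpl under parent (self-signed when parent is nil) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildChain returns a constructed root, intermediate and leaf (hypothetical names mirroring the thread's files); interHasCAFlag decides whether the intermediate carries CA:TRUE, the root always does.
func BuildChain(interHasCAFlag bool) (root, inter, leaf *x509.Certificate) {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		keys[i] = must(rsa.GenerateKey(rand.Reader, 2048))
	}
	root = sign(template("issuer", 1, true, true), nil, &keys[0].PublicKey, keys[0])
	inter = sign(template("intermediate", 2, true, interHasCAFlag), root, &keys[1].PublicKey, keys[0])
	leaf = sign(template("server", 3, false, true), inter, &keys[2].PublicKey, keys[1])
	return root, inter, leaf
}

// VerifyChain mimics a browser: trust only the root, take the intermediate from what the server sent, and try to build a path to the leaf.
func VerifyChain(root, inter, leaf *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// PEMBundle concatenates certificates the way `cat a.pem b.pem > combined.pem` does.
func PEMBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// CheckBundleOrder requires each certificate in a PEM file to be issued by the one after it (leaf first, as SSLCertificateFile expects).
// CheckSignatureFrom also rejects an issuer that is not marked as a CA; non-certificate blocks such as a key are skipped.
func CheckBundleOrder(bundle []byte) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return fmt.Errorf("no certificates found in bundle")
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("certificate %d (%s) is not issued by certificate %d (%s): %w", i, certs[i].Subject.CommonName, i+1, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}
```

BuildChain(false) reproduces the failure mode described in this thread: the intermediate is a version 3 certificate with no basicConstraints extension, every signature in the chain is valid, and VerifyChain still rejects it, the same split between a passing `openssl verify -CAfile` and refusing browsers that the thread reports. CheckBundleOrder accepts PEMBundle(leaf, inter), rejects the reversed order, and also rejects the leaf-first bundle from the broken chain, because CheckSignatureFrom applies the same CA rule to each issuer. As a related caveat for the pkcs12 workaround attempted further down the page: repeating `-in` and `-inkey` on one `openssl pkcs12 -export` command line keeps only the last pair given, which would make intermediate.pem rather than server.pem the leading certificate in the extracted file and is one plausible cause of the AH02565 key mismatch shown there.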

Re: [users@httpd] Cannot get certificate chain to work.

Posted by dE <de...@gmail.com>.
On 10/06/14 22:26, Daniel wrote:
> I found myself in a similar situation and I couldn't find the reason 
> but I did find a workaround.
>
> To work around this, make a pkcs12 file with all files in it, your 
> private key and the whole chain up until the root CA certificate, then 
> extract them back out from that pkcs12, using the extracted files.
>
> My similar issue happened when I was generating the key and csr with 
> openssl and someone else was signing my request with another 
> software, all modulus matched, everything, but still for browsers the 
> chain was not correctly constructed. I worked around it with the 
> method I mention before.
>
> Until someone can tell you what may really be happening this may be 
> worth a try for you.
>
> Good luck.
>
> 2014-10-06 17:51 GMT+02:00 dE <de.techno@gmail.com>:
>
>     Hi.
>
>     I'm in a situation where I got 3 certificates
>
>     server.pem -- the end user certificate which is sent by the server
>     to the client.
>     intermediate.pem -- server.pem is signed by intermediate.pem's
>     private key.
>     issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>
>     combined.pem is created by --
>
>     cat server.pem intermediate.pem > combined.pem
>
>     Issuer.pem is installed in the web browser.
>
>     The chain is working, I can verify this via the SSL command --
>
>     cat intermediate.pem issuer.pem > cert_bundle.pem
>     openssl verify -CAfile cert_bundle.pem server.pem
>     server.pem: OK
>
>     However the browsers (FF, Chrome, Konqueror and wget) fail
>     authentication, claiming there are no certificates to verify
>     server.pem's signature.
>
>     I'm using Apache 2.4.10 with the following --
>
>     SSLCertificateFile /tmp/combined.pem
>     SSLCertificateKeyFile /tmp/server.key
>
>     I can attach *.pem if you want.
>
>     Thanks for any assistance.
>

I used the following command to create the bundle --

openssl pkcs12 -export -in server.pem -inkey server.key -in intermediate.pem -inkey intermediate.key -out bundle.p12 -name bundle -CAfile issuer.pem -caname issuer -chain

To extract --

openssl pkcs12 -in ../bundle.p12 -out all_combined.pem -nodes

But, when using all_combined.pem as SSLCertificateFile, I get --

[Tue Oct 07 14:50:12.760273 2014] [ssl:emerg] [pid 8357:tid 140531695941504] AH02565: Certificate and private key httpd:443:0 from /home/all_combined.pem and /homecertificate_chaining_test/server.key do not match

Re: [users@httpd] Cannot get certificate chain to work.

Posted by Daniel <df...@gmail.com>.
I found myself in a similar situation and I couldn't find the reason but I
did find a workaround.

To work around this, make a pkcs12 file with all files in it, your private
key and the whole chain up until the root CA certificate, then extract them
back out from that pkcs12, using the extracted files.

My similar issue happened when I was generating the key and csr with
openssl and someone else was signing my request with another software, all
modulus matched, everything, but still for browsers the chain was not
correctly constructed. I worked around it with the method I mention before.

Until someone can tell you what may really be happening this may be worth a
try for you.

Good luck.

2014-10-06 17:51 GMT+02:00 dE <de...@gmail.com>:

> Hi.
>
> I'm in a situation where I got 3 certificates
>
> server.pem -- the end user certificate which is sent by the server to the
> client.
> intermediate.pem -- server.pem is signed by intermediate.pem's private key.
> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>
> combined.pem is created by --
>
> cat server.pem intermediate.pem > combined.pem
>
> Issuer.pem is installed in the web browser.
>
> The chain is working, I can verify this via the SSL command --
>
> cat intermediate.pem issuer.pem > cert_bundle.pem
> openssl verify -CAfile cert_bundle.pem server.pem
> server.pem: OK
>
> However the browsers (FF, Chrome, Konqueror and wget) fail authentication,
> claiming there are no certificates to verify server.pem's signature.
>
> I'm using Apache 2.4.10 with the following --
>
> SSLCertificateFile /tmp/combined.pem
> SSLCertificateKeyFile /tmp/server.key
>
> I can attach *.pem if you want.
>
> Thanks for any assistance.
>