On 08/10/2014 9:16 PM, "dE" <de.techno@xxxxxxxxx> wrote:
>
> On 10/08/14 14:33, Igor Cicimov wrote:
>>
>> On Wed, Oct 8, 2014 at 6:03 PM, dE <de.techno@xxxxxxxxx> wrote:
>>>
>>> On 10/08/14 10:18, Igor Cicimov wrote:
>>>>
>>>> On Wed, Oct 8, 2014 at 2:27 PM, dE <de.techno@xxxxxxxxx> wrote:
>>>>>
>>>>> On 10/08/14 05:18, Igor Cicimov wrote:
>>>>>>
>>>>>> On Wed, Oct 8, 2014 at 1:59 AM, dE <de.techno@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>> On 10/07/14 18:12, Igor Cicimov wrote:
>>>>>>>>
>>>>>>>> On Tue, Oct 7, 2014 at 2:51 AM, dE <de.techno@xxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>> Hi.
>>>>>>>>>
>>>>>>>>> I'm in a situation where I got 3 certificates:
>>>>>>>>>
>>>>>>>>> server.pem -- the end user certificate which is sent by the server to the client.
>>>>>>>>> intermediate.pem -- server.pem is signed by intermediate.pem's private key.
>>>>>>>>> issuer.pem -- intermediate.pem is signed by issuer.pem's private key.
>>>>>>>>>
>>>>>>>>> combined.pem is created by --
>>>>>>>>>
>>>>>>>>> cat server.pem intermediate.pem > combined.pem
>>>>>>>>>
>>>>>>>>> Issuer.pem is installed in the web browser.
>>>>>>>>>
>>>>>>>>> The chain is working, I can verify this via the SSL command --
>>>>>>>>>
>>>>>>>>> cat intermediate.pem issuer.pem > cert_bundle.pem
>>>>>>>>> openssl verify -CAfile cert_bundle.pem server.pem
>>>>>>>>> server.pem: OK
>>>>>>>>>
>>>>>>>>> However the browsers (FF, Chrome, Konqueror and wget) fail authentication, claiming there are no certificates to verify server.pem's signature.
>>>>>>>>>
>>>>>>>>> I'm using Apache 2.4.10 with the following --
>>>>>>>>>
>>>>>>>>> SSLCertificateFile /tmp/combined.pem
>>>>>>>>> SSLCertificateKeyFile /tmp/server.key
>>>>>>>>>
>>>>>>>>
>>>>>>>> Try this:
>>>>>>>>
>>>>>>>> $ cat issuer.pem intermediate.pem > CA_chain.pem
>>>>>>>>
>>>>>>>> SSLCertificateFile server.pem
>>>>>>>> SSLCertificateKeyFile server.key
>>>>>>>> SSLCertificateChainFile CA_chain.pem
>>>>>>>>
>>>>>>>
>>>>>>> Tried this on Apache 2.2 (SSLCertificateChainFile does not work with 2.4) with the same issue.
>>>>>>
>>>>>>
>>>>>> Hmm, in that case you have something mixed up, or simply this can not work for self-signed certificates, since this is exactly what I'm using on Apache 2.2.24/26 on all our company web sites: a certificate signed by a CA authority and a chain certificate file where the authority's CA and Intermediate certs have been concatenated.
>>>>>>
>>>>>> Can you show us the output of:
>>>>>>
>>>>>> openssl x509 -noout -in cert.pem -text
>>>>>>
>>>>>> for all your certificates?
>>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in server.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 13192573755114198537 (0xb7156feedab91609)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Validity
>>>>>             Not Before: Oct 7 08:43:42 2014 GMT
>>>>>             Not After : Oct 2 08:43:42 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=server, OU=IT, CN=server
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:95:d3:1c:b7:ac:49:cc:38:2c:47:68:a2:b2:18:
>>>>>                     6d:76:80:3c:9d:a2:03:cc:4b:df:c0:6e:81:3f:7a:
>>>>>                     81:be:e1:38:34:5f:e0:1b:4e:e2:dc:a5:c6:d9:bb:
>>>>>                     b0:86:3b:98:3d:e7:03:42:c7:a4:cb:05:f0:96:80:
>>>>>                     e6:13:4e:bd:4f:e4:73:ea:72:7c:0c:90:23:7a:5e:
>>>>>                     7a:46:7d:e7:64:3c:1d:54:7a:e6:d9:87:9d:e3:f8:
>>>>>                     44:9c:df:08:64:d7:1d:a1:50:c3:fd:aa:9d:1b:84:
>>>>>                     3e:cd:1d:b9:81:ba:70:6a:95:c7:63:ab:1b:7b:1f:
>>>>>                     26:3f:36:cc:29:f0:69:2b:79
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>          4e:52:95:01:48:0f:c7:bd:51:6e:e6:9e:f6:3c:b4:16:10:a6:
>>>>>          b5:75:2e:b2:49:bc:e7:50:46:d5:97:f1:e8:ed:b7:1d:b8:1a:
>>>>>          33:2f:a3:7e:ca:41:1a:2a:74:4a:a3:81:04:99:c2:c8:76:ea:
>>>>>          a6:91:8f:21:92:4c:62:ad:0c:57:43:73:b5:3c:0d:6c:82:cb:
>>>>>          c1:c0:74:d8:ad:cb:12:1f:2f:9a:49:45:5a:06:05:fe:9a:13:
>>>>>          b9:d3:e1:17:e6:67:88:18:fd:dc:c5:67:9a:94:9b:41:cf:0c:
>>>>>          ca:88:4f:b5:fe:7e:e2:1e:61:db:4f:e1:bc:dc:f0:07:ad:1c:
>>>>>          7c:fe
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in intermediate.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 11894061023072807904 (0xa510317ba912ebe0)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct 7 08:42:05 2014 GMT
>>>>>             Not After : Oct 2 08:42:05 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=intermediate, CN=intermediate
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:b6:52:95:bf:09:25:1b:dc:28:d9:b1:a8:24:f8:
>>>>>                     f5:fb:f6:11:3e:22:74:f4:58:d1:dd:e3:4c:be:9a:
>>>>>                     df:dc:e6:3a:6d:50:75:0f:87:6c:b9:f6:8a:cb:c6:
>>>>>                     2d:df:2c:22:bf:17:f1:bd:94:78:8c:e4:ef:b3:82:
>>>>>                     df:23:00:30:07:d7:59:9b:44:9b:2a:77:5f:85:40:
>>>>>                     14:df:2f:89:66:7a:d5:e4:5a:d7:82:0c:bd:7c:6d:
>>>>>                     78:36:c6:d9:8e:c1:31:24:44:35:9b:9d:47:50:69:
>>>>>                     f2:d4:1b:5a:53:a5:e5:0e:d6:fc:ed:0e:60:15:b9:
>>>>>                     3a:fd:f3:d1:f0:27:49:f4:c3
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>          0c:5d:ce:59:75:d2:1a:cb:0c:2a:04:c3:73:3e:4a:42:d5:2d:
>>>>>          0f:84:5e:38:2c:5f:51:43:3a:ff:6e:17:b6:b1:3b:93:01:29:
>>>>>          5b:28:4f:a7:ac:51:e4:22:8e:31:72:f4:89:cc:3a:37:2a:95:
>>>>>          dc:11:96:70:28:c7:31:25:9e:6e:7f:ce:67:e4:3d:06:6a:de:
>>>>>          96:df:33:32:e9:98:02:1a:a5:c6:b4:55:dc:2f:4a:2a:44:ec:
>>>>>          51:59:0c:a1:92:dd:83:1d:ad:2b:4f:63:a4:68:4a:7f:f6:8c:
>>>>>          8e:44:01:d6:60:95:8a:f1:dc:d4:7f:81:bc:36:12:15:5b:78:
>>>>>          57:8d
>>>>>
>>>>>
>>>>> $ openssl x509 -noout -in issuer.pem -text
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 1 (0x0)
>>>>>         Serial Number: 18284349327322698662 (0xfdbf0ed6ac38d3a6)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Validity
>>>>>             Not Before: Oct 7 08:40:29 2014 GMT
>>>>>             Not After : Oct 7 08:40:29 2015 GMT
>>>>>         Subject: C=AU, ST=Some-State, O=issuer, OU=signing, CN=issuer
>>>>>         Subject Public Key Info:
>>>>>             Public Key Algorithm: rsaEncryption
>>>>>                 Public-Key: (1024 bit)
>>>>>                 Modulus:
>>>>>                     00:bc:b7:71:69:93:a3:17:ed:29:e3:c6:32:ac:18:
>>>>>                     7d:ec:ea:88:0b:51:ef:4b:0e:16:7b:77:a8:cf:e2:
>>>>>                     72:4b:0c:94:e7:08:17:9f:a0:22:2c:ac:cb:0b:89:
>>>>>                     26:04:59:75:46:c2:56:b6:81:b5:1c:26:f1:eb:8d:
>>>>>                     af:17:08:25:14:72:2b:b0:91:f6:12:7f:a4:9f:41:
>>>>>                     e0:44:1a:1f:00:60:e2:35:e5:d8:39:4c:1f:3d:97:
>>>>>                     d5:76:4d:cf:70:c8:34:fd:06:06:6e:88:34:eb:49:
>>>>>                     af:b9:96:71:89:c4:9b:f4:14:f5:91:32:23:67:b9:
>>>>>                     05:d0:5c:50:0f:8f:3f:c4:d5
>>>>>                 Exponent: 65537 (0x10001)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>          3f:c6:9c:5d:28:43:3d:8a:9c:8c:24:96:19:ec:66:97:59:a9:
>>>>>          70:79:c9:60:59:36:47:66:22:1a:cb:6e:8e:ac:dd:97:42:5c:
>>>>>          96:30:40:77:60:49:3c:07:0d:02:b2:96:c6:8d:1f:ee:62:38:
>>>>>          82:3c:ec:f4:d1:b2:4c:16:5e:84:fc:c8:ab:c6:b1:ac:99:82:
>>>>>          9a:be:3f:e4:b9:58:fd:8b:fd:9f:1e:fb:9f:39:05:11:1e:62:
>>>>>          f2:08:e9:ed:c5:dc:b3:ef:71:38:fa:1d:a7:9d:2d:96:c5:c9:
>>>>>          40:b1:cb:30:45:2f:f4:80:5b:23:0a:bf:b5:a3:5a:b4:4f:4a:
>>>>>          68:bf
>>>>
>>>>
>>>> And the output from the below command executed from the client you are running wget from:
>>>>
>>>> openssl s_client -connect <your_server>:443
>>>>
>>>> You should see some output with lots of information regarding the ssl connection, the server certificate and something like this:
>>>>
>>>> ---
>>>> Certificate chain
>>>>  0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
>>>>    i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>  1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>>>>
>>>> which will confirm the complete chain is being received by the client. If you see something like this at the bottom:
>>>>
>>>> Verify return code: 19 (self signed certificate in certificate chain)
>>>>
>>>> means you haven't properly imported the CA chain on the client. In case of wget or curl or other terminal tools this is done on OS level, so you would need to consult the OS documentation about importing certificates.
>>>>
>>>> You can find more about the openssl tool set here: https://www.openssl.org/docs/apps/s_client.html, it's perfect for ssl troubleshooting.
>>>>
>>>>
>>>
>>> $ openssl s_client -connect server:443
>>> gethostbyname failure
>>> CONNECTED(00000003)
>>> depth=2 C = AU, ST = Some-State, O = issuer, OU = signing, CN = issuer
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>>> ---
>>> Certificate chain
>>>  0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>>    i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>  1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>>  2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>>    i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> MIICGDCCAYECCQC3FW/u2rkWCTANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJB
>>> VTETMBEGA1UECAwKU29tZS1TdGF0ZTEVMBMGA1UECgwMaW50ZXJtZWRpYXRlMRUw
>>> EwYDVQQDDAxpbnRlcm1lZGlhdGUwHhcNMTQxMDA3MDg0MzQyWhcNMTUxMDAyMDg0
>>> MzQyWjBRMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEPMA0GA1UE
>>> CgwGc2VydmVyMQswCQYDVQQLDAJJVDEPMA0GA1UEAwwGc2VydmVyMIGfMA0GCSqG
>>> SIb3DQEBAQUAA4GNADCBiQKBgQCV0xy3rEnMOCxHaKKyGG12gDydogPMS9/AboE/
>>> eoG+4Tg0X+AbTuLcpcbZu7CGO5g95wNCx6TLBfCWgOYTTr1P5HPqcnwMkCN6XnpG
>>> fedkPB1UeubZh53j+ESc3whk1x2hUMP9qp0bhD7NHbmBunBqlcdjqxt7HyY/Nswp
>>> 8GkreQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAE5SlQFID8e9UW7mnvY8tBYQprV1
>>> LrJJvOdQRtWX8ejttx24GjMvo37KQRoqdEqjgQSZwsh26qaRjyGSTGKtDFdDc7U8
>>> DWyCy8HAdNityxIfL5pJRVoGBf6aE7nT4RfmZ4gY/dzFZ5qUm0HPDMqIT7X+fuIe
>>> YdtP4bzc8AetHHz+
>>> -----END CERTIFICATE-----
>>> subject=/C=AU/ST=Some-State/O=server/OU=IT/CN=server
>>> issuer=/C=AU/ST=Some-State/O=intermediate/CN=intermediate
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 2391 bytes and written 498 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
>>> Server public key is 1024 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : TLSv1.2
>>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>>>     Session-ID: FA13516B3E695D88CFC650899A5EE7D2DEE4D38DCDFD2848D688A0AAB4D2A90C
>>>     Session-ID-ctx:
>>>     Master-Key: 5E39DF223E5A23B4088F2CE3D65A530F0D936860D8F94BB123E0483430CF3C42B7F7F40B246B6B7370551A2B702CB47A
>>>     Key-Arg   : None
>>>     PSK identity: None
>>>     PSK identity hint: None
>>>     SRP username: None
>>>     TLS session ticket lifetime hint: 300 (seconds)
>>>     TLS session ticket:
>>>     0000 - b9 a3 67 f3 a1 e1 2f 40-90 64 09 db ef 26 4d b2   ..g.../@.d...&M.
>>>     0010 - e8 a3 c2 25 30 d6 df af-8c 4d d3 19 20 83 bb c3   ...%0....M.. ...
>>>     0020 - 6f a9 51 a3 3a 2f f5 43-1e a8 9d 1e 49 25 67 43   o.Q.:/.C....I%gC
>>>     0030 - f0 05 3f 75 50 c8 49 2b-be 44 d2 72 58 14 2e f6   ..?uP.I+.D.rX...
>>>     0040 - 55 a5 ba 0a 34 34 92 9f-cc 8b c1 30 55 f1 69 c0   U...44.....0U.i.
>>>     0050 - df f8 3d 08 38 37 11 46-90 9d 88 6c ce 48 5d 79   ..=.87.F...l.H]y
>>>     0060 - 96 bb 5a 23 56 4d e9 c3-2f 17 d9 11 45 47 fb 2b   ..Z#VM../...EG.+
>>>     0070 - 05 1a cb 92 52 13 52 e6-72 16 44 51 3f 66 90 88   ....R.R.r.DQ?f..
>>>     0080 - f9 2e 46 ad 44 23 5b 75-f9 69 7c 6b c0 0f 83 42   ..F.D#[u.i|k...B
>>>     0090 - 33 c0 c1 6b 6a f8 23 55-ee 18 0c 32 f9 5a 81 6b   3..kj.#U...2.Z.k
>>>     00a0 - 1b 4e a4 42 14 56 54 66-1d 20 2e 53 95 df 24 f5   .N.B.VTf. .S..$.
>>>     00b0 - c6 4c 8a e2 ed bc 21 d9-ef a1 8c fb 51 36 51 8d   .L....!.....Q6Q.
>>>
>>>     Start Time: 1412751118
>>>     Timeout   : 300 (sec)
>>>     Verify return code: 19 (self signed certificate in certificate chain)
>>> ---
>>> DONE
>>>
>>> I even tried copying issuer.pem to /etc/ssl/certs
>>>
>>> With the same error no. 19 in the chain.
>>>
>>> Thanks for this command. It's truly useful. That FF extension shows only 1 certificate received.
>>
>>
>> You need to point the tool to the CA path like this:
>>
>> $ openssl s_client -connect server:443 -CApath /etc/ssl/certs
>>
>> then the cert will get properly validated.
>>
>
> I pointed it to the location where all of my relevant *.pem files are, and I still get error 19.
OK, repeating again: you need to put the whole CA chain in /etc/ssl/certs, in this case the CA_chain.pem file as I created it above, same as you did in the browser. I don't know why you are so confused, it is very simple: the client, no matter if it is an application or a browser, needs to know about the WHOLE chain of CA certificates involved in signing the server's one. Not just the issuer, not just the intermediate, but both of them.

I really recommend you find some good documentation about how the certificates work, as it looks like you are misinterpreting the roles of the web server and the browser in the whole process of the certificate verification.
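One detail worth pulling out of the `openssl s_client` output quoted above: the server sends cert 0 = server, cert 1 = the self-signed issuer, cert 2 = the intermediate, which is the order in which issuer.pem and intermediate.pem were concatenated into CA_chain.pem. The TLS chain rule (RFC 5246, section 7.4.2) is that each certificate must directly certify the one before it, and the root may be left out because the client has to trust it from its own store anyway; that is also why verify error 19 points at the client's trust store, not the server. The script below is an added example, not code from the thread or from OpenSSL: it parses the "Certificate chain" block that s_client prints, reports broken issuer links and self-signed roots, and rebuilds the order the server should send. The two sample blocks are constructed from the chains quoted in the thread.

```python
"""Sanity-check the certificate chain a TLS server presents.

Added example (not from the thread): parses the "Certificate chain" block
printed by `openssl s_client`, applies the RFC 5246 ordering rule (each
certificate must directly certify the one preceding it; the root may be
omitted) and rebuilds the correct send order from the leaf.
"""
import re

# Constructed sample: the chain block from the thread's own s_client run.
# Cert 1 is the self-signed root and cert 2 the intermediate: out of order.
THREAD_CHAIN = """\
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=server/OU=IT/CN=server
   i:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
 1 s:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
 2 s:/C=AU/ST=Some-State/O=intermediate/CN=intermediate
   i:/C=AU/ST=Some-State/O=issuer/OU=signing/CN=issuer
---
"""

# Constructed sample: the correctly ordered chain shown earlier in the thread
# (leaf, then intermediate, then root; the <...> placeholders are the thread's).
GOOD_CHAIN = """\
Certificate chain
 0 s:/C=AU/ST=New South Wales/L=Sydney/O=<MyCorporation> Pty Ltd/CN=*.<mydomain>.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
"""

# " 0 s:<subject>" or "   i:<issuer>"; the depth number only precedes "s:" lines.
_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.+?)\s*$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    entries, subject = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, name = m.groups()
        if kind == "s":
            subject = name
        elif subject is not None:  # the "i:" line completes the pending "s:" line
            entries.append((subject, name))
            subject = None
    return entries


def chain_link_breaks(entries):
    """Indices i where cert i+1 is not the issuer of cert i (order rule violated)."""
    return [i for i in range(len(entries) - 1) if entries[i][1] != entries[i + 1][0]]


def self_signed_indices(entries):
    """Indices of self-signed certificates (roots). Sending a root is allowed but
    does not help: a client only trusts roots already in its own store, and an
    untrusted one is what OpenSSL reports as verify error 19."""
    return [i for i, (subj, iss) in enumerate(entries) if subj == iss]


def rebuild_chain(entries):
    """Reorder from the leaf by following issuer -> subject links and drop the
    self-signed root; stops early if an intermediate is missing or a loop appears."""
    if not entries:
        return []
    by_subject = {subj: (subj, iss) for subj, iss in entries}
    ordered, seen = [], set()
    cur = entries[0]
    while cur and cur[0] not in seen and cur[0] != cur[1]:
        ordered.append(cur)
        seen.add(cur[0])
        cur = by_subject.get(cur[1])
    return ordered


def report(text):
    """Human-readable verdict for one s_client chain block."""
    entries = parse_chain(text)
    lines = [f"{len(entries)} certificate(s) received"]
    for i in chain_link_breaks(entries):
        lines.append(f"cert {i} is issued by {entries[i][1]!r}, but cert {i + 1} is {entries[i + 1][0]!r}")
    for i in self_signed_indices(entries):
        lines.append(f"cert {i} is a self-signed root; the client must already trust it")
    send_order = " -> ".join(s.rsplit("CN=", 1)[-1] for s, _ in rebuild_chain(entries))
    lines.append("send order (root omitted): " + send_order)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(THREAD_CHAIN))
    print()
    print(report(GOOD_CHAIN))
```

Run against the thread's chain it flags both broken links (0 to 1 and 1 to 2) and the root at position 1, and proposes `server -> intermediate` as the send order; for the thread's setup that corresponds to an Apache chain file holding intermediate.pem only, with issuer.pem installed in the client's trust store. The DigiCert-style chain passes the ordering check and only has its root noted.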