OpenSSL not accepting a certificate, whilst curl does.

Hi,

I'm really struggling to get my head around a specific scenario that isn't behaving as I expect.  Hopefully someone with more experience/knowledge can set me on the right path.

Note - my attempts to reproduce this in a lab have been unsuccessful, although I don't have access to the server private key, so the attempts have been with a completely independent CA chain.


I have a private CA, which has signed an intermediate certificate which has signed a server certificate for an internal web server which is used by various automated systems (all linux based).

The webserver (Apache) has the server cert and key defined and in use, as well as the intermediate certificate defined as the chain certificate - this all shows as expected.

I have then added the root certificate to the trusted certs for an automated system (populated `/etc/pki/ca-trust/source/anchors/` and ran `update-ca-trust extract`).

After this curl no longer complains about the certificate from the web server (expected).
However OpenSSL still does (unexpected), and I presume that for the same reason(s) urllib in Python also doesn't accept the certificate.
If I manually feed `openssl verify` the certificates and chain then they all come back "OK".

I've set up these systems a number of times with both self-signed and CA-signed certs and never seen this behaviour.

I'm slightly at a loss as to what diagnostics I even need at this point... so I've dropped a summary of relevant(?) diagnostics at this point below.

Thanks,


John

-- 

# Check that the root is installed into the trusted bundle:
# awk -v cmd='openssl x509 -noout -subject -serial -fingerprint; echo' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.trust.crt | grep -A1 CAROOT
subject= /CN=CAROOT/O=org/C=XX
serial=4D4C00241A7A17D0

# Check that the pem file I have is correct (serial matches above):
# openssl x509 -in CAROOT.pem -text | grep erial
        Serial Number: 5569826994213492688 (0x4d4c00241a7a17d0)

# Check that the chain is contiguous:
# openssl x509 -text -noout -in CAROOT.pem | grep -A1 -e Ident -e erial
        Serial Number: 5569826994213492688 (0x4d4c00241a7a17d0)
    Signature Algorithm: sha256WithRSAEncryption
            X509v3 Subject Key Identifier:
                2A:3E:33:88:7E:19:35:7C:6E:9D:7C:63:90:80:B8:DF:96:5A:A8:9D
            X509v3 Authority Key Identifier:
                keyid:2A:3E:33:88:7E:19:35:7C:6E:9D:7C:63:90:80:B8:DF:96:5A:A8:9D
# openssl x509 -text -noout -in CAINTER.pem | grep -A1 -e Ident
            X509v3 Subject Key Identifier:
                FB:17:C5:BB:BD:AD:84:65:4F:16:A7:E8:FA:95:1D:C7:D9:29:45:6A
            X509v3 Authority Key Identifier:
                keyid:2A:3E:33:88:7E:19:35:7C:6E:9D:7C:63:90:80:B8:DF:96:5A:A8:9D
# openssl x509 -text -noout -in SERVER.pem | grep -A1 -e Ident
            X509v3 Subject Key Identifier:
                F5:26:E2:09:A4:41:EC:EE:75:E2:4E:E4:02:90:B7:CD:EB:FC:4E:EC
            X509v3 Authority Key Identifier:
                keyid:FB:17:C5:BB:BD:AD:84:65:4F:16:A7:E8:FA:95:1D:C7:D9:29:45:6A

To my eye those all look lined up, and the serial on the root still agrees.
CURL:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://server.fqdn:443/path/">here</a>.</p>
</body></html>

OpenSSL:
# openssl s_client -connect server.fqdn:443
CONNECTED(00000007)
depth=1 CN = CAINTER, O = org, C = XX
verify error:num=2:unable to get issuer certificate
issuer= CN = CAROOT, O = org, C = XX
 --8<--
Verify return code: 2 (unable to get issuer certificate)

