CA no longer verifying certificates

CA no longer verifying certificates

Samuel Williams
Hello

I generate a CA (self signed), and then generate a certificate from
that CA, which should be used by a HTTP/2 client and server during
testing.

This code was working as recently as 12 months ago, but it seems like
something has stopped it from verifying correctly.

Here is how the CA is generated, along with a certificate store which
is used for verification:

https://github.com/socketry/async-rspec/blob/4e4c2e59fdb93daab0aa11917f02a05d0fd746e3/lib/async/rspec/ssl.rb#L47-L79

Later, this CA is used to generate a certificate:

https://github.com/socketry/async-rspec/blob/4e4c2e59fdb93daab0aa11917f02a05d0fd746e3/lib/async/rspec/ssl.rb#L85-L110

Finally, we want to check that this is a valid configuration:

https://github.com/socketry/async-rspec/blob/4e4c2e59fdb93daab0aa11917f02a05d0fd746e3/spec/async/rspec/ssl_spec.rb#L35-L37

Like I said, this was passing, as recently as April. However, it's now
failing with error code 18: "self signed certificate".

I've tried a number of things but cannot figure out what's changed and
what I need to do to make this work again (except disable verification
completely which is not what I want).

Any ideas what I need to do to make this work again?

Thanks
Samuel

Re: CA no longer verifying certificates

Samuel Williams
Oh my, I figured it out after digging through the OpenSSL source code.

My CA certificate and the client certificate both had the same common
name, so they were clobbering each other.

Changing the name of the CA certificate solved the problem.

On Sun, 15 Nov 2020 at 14:10, Samuel Williams
<[hidden email]> wrote:

>
> Hello
>
> I generate a CA (self signed), and then generate a certificate from
> that CA, which should be used by a HTTP/2 client and server during
> testing.
>
> This code was working as recently as 12 months ago, but it seems like
> something has stopped it from verifying correctly.
>
> Here is how the CA is generated, along with a certificate store which
> is used for verification:
>
> https://github.com/socketry/async-rspec/blob/4e4c2e59fdb93daab0aa11917f02a05d0fd746e3/lib/async/rspec/ssl.rb#L47-L79
>
> Later, this CA is used to generate a certificate:
>
> https://github.com/socketry/async-rspec/blob/4e4c2e59fdb93daab0aa11917f02a05d0fd746e3/lib/async/rspec/ssl.rb#L85-L110
>
> Finally, we want to check that this is a valid configuration:
>
> https://github.com/socketry/async-rspec/blob/4e4c2e59fdb93daab0aa11917f02a05d0fd746e3/spec/async/rspec/ssl_spec.rb#L35-L37
>
> Like I said, this was passing, as recently as April. However, it's now
> failing with error code 18: "self signed certificate".
>
> I've tried a number of things but cannot figure out what's changed and
> what I need to do to make this work again (except disable verification
> completely which is not what I want).
>
> Any ideas what I need to do to make this work again?
>
> Thanks
> Samuel
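
The name collision described in the reply above, reproduced with Ruby's OpenSSL bindings as an added example (not code from the thread or from async-rspec). The subject names, serial numbers and helper names are constructed for illustration, and the leaf is assumed to carry no authorityKeyIdentifier extension.

```ruby
require "openssl"

# Build a certificate for `subject`, signed by `issuer_key` under `issuer_name`.
def make_cert(subject, key, issuer_name, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer_name)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Issue a leaf from a fresh self-signed CA, then verify the leaf against a
# store that trusts only that CA. Returns [ok, error_code, error_string].
def verify_with_names(ca_name, leaf_name)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert(ca_name, ca_key, ca_name, ca_key, 1, ca: true)
  leaf = make_cert(leaf_name, leaf_key, ca_name, ca_key, 2)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

if $PROGRAM_NAME == __FILE__
  # Same name on CA and leaf: the leaf's subject equals its issuer, so it
  # looks self-signed and does not match the trusted CA certificate.
  p verify_with_names("/CN=localhost", "/CN=localhost")
  # Distinct CA name: the chain leaf -> CA builds and verifies.
  p verify_with_names("/CN=Test CA", "/CN=localhost")
end
```

The first call reports error 18, the code quoted in the original message, even though the leaf really is signed by the trusted CA key.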