Intermediate root CA's -- lost and confused :(


Intermediate root CA's -- lost and confused :(

Paul B. Henson

We just installed our first Thawte cert that uses their intermediate CA's,
and it's not going as smoothly as I'd like.

It's installed on an Apache server with mod_ssl, and I added the
intermediate root CA's to the apache config with the SSLCACertificateFile
directive. Web browsers seem happy with it, they validate the cert with no
errors.

I'm having trouble with command line tools under Linux though, including
openssl itself.

openssl won't correctly validate the cert:

------------------------------------------------------------------------
$ openssl s_client -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
------------------------------------------------------------------------

It works fine, OTOH, with a cert signed directly by the Thawte Premium
Server CA:

------------------------------------------------------------------------
$ openssl s_client -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect www.csupomona.edu:443
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=[hidden email]
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/CN=www.csupomona.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/CN=www.csupomona.edu
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=[hidden email]
 1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=[hidden email]
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=[hidden email]
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
------------------------------------------------------------------------

As I mentioned, web browsers work fine, and I think the server is
configured correctly. Also, gnutls-cli works fine on the same box:

------------------------------------------------------------------------
$ gnutls-cli --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443
Processed 1 CA certificate(s).
Resolving 'strategic.wiki.csupomona.edu'...
Connecting to '134.71.247.55:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1021 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=California,L=Pomona,O=California State Polytechnic University\, Pomona,OU=I&IT Systems,CN=strategic.wiki.csupomona.edu', issuer `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-09-10 00:00:00 UTC', expires `2011-09-10 23:59:59 UTC', SHA-1 fingerprint `57292bcd7541c56c7b664705f0192b43a927056c'
 - Certificate[1] info:
  - subject `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', issuer `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-08 00:00:00 UTC', expires `2020-02-07 23:59:59 UTC', SHA-1 fingerprint `73e42686657aece354fbf685712361658f2f4357'
 - Certificate[2] info:
  - subject `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', issuer `C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=[hidden email]', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-17 00:00:00 UTC', expires `2020-12-30 23:59:59 UTC', SHA-1 fingerprint `1fa490d1d4957942cd23545f6e823d0000796ea2'
- The hostname in the certificate matches 'strategic.wiki.csupomona.edu'.
- Peer's certificate is trusted
------------------------------------------------------------------------

Why won't openssl verify the cert? It seems to stop and give up right after
seeing the server cert, rather than downloading the rest of the certs in
the chain. I'm assuming this is why all of the tools built on top of
openssl (wget, ldapsearch, etc) are all failing:

------------------------------------------------------------------------
$ wget https://strategic.wiki.csupomona.edu/
--2010-09-13 12:55:57--  https://strategic.wiki.csupomona.edu/
Resolving strategic.wiki.csupomona.edu... 134.71.247.55
Connecting to strategic.wiki.csupomona.edu|134.71.247.55|:443... connected.
ERROR: cannot verify strategic.wiki.csupomona.edu's certificate, issued by /C=US/O=Thawte, Inc./CN=Thawte SSL CA:
  Unable to locally verify the issuer's authority.
------------------------------------------------------------------------

But again, a server with a directly signed cert works fine:

------------------------------------------------------------------------
$ wget https://www.csupomona.edu/
--2010-09-13 12:57:27--  https://www.csupomona.edu/
Resolving www.csupomona.edu... 134.71.177.148
Connecting to www.csupomona.edu|134.71.177.148|:443... connected.
HTTP request sent, awaiting response... 200 OK
------------------------------------------------------------------------


Any help much appreciated, thanks...


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Intermediate root CA's -- lost and confused :(

Chris L-2
Be careful you are not checking the web server from a browser that has the intermediate certificate installed.

Obtain the root certificate - and only the root certificate - that is likely to be present in a random user's browser and save it as thawte_root_cert.pem

openssl s_client -verify 10 -CAfile thawte_root_cert.pem -connect strategic.wiki.csupomona.edu:443


RE: Intermediate root CA's -- lost and confused :(

Ashish Thapliyal
In reply to this post by Paul B. Henson
From the openssl s_client log it looks like the server is not sending the whole certificate chain.  You should be seeing something like:
<root cert>
<intermediate cert>
<your cert>

I am not familiar with apache, but from the documentation at http://www.apache-ssl.org/docs.html#SSLCACertificateFile, my guess is that you have not added all the intermediate roots to the CACertificatesFile, hence apache is having trouble assembling the certificate chain.  I recommend adding all the intermediate certs and the root into the CA file and give it a try. Looking at the web site, you should add the following:
Thawte SSL CA, thawte Primary Root CA, Thawte Premium Server CA.  You should be able to find these certs on Thawte's web site: https://www.thawte.com/roots/index.html


Ashish.



RE: Intermediate root CA's -- lost and confused :(

Paul B. Henson
On Mon, 13 Sep 2010, Ashish Thapliyal wrote:

> From the openssl s_client log it looks like the server is not sending the
> whole certificate chain.  You should be seeing something like: <root
> cert> <intermediate cert> <your cert>
>
> I am not familiar with apache, but from the documentation at
> http://www.apache-ssl.org/docs.html#SSLCACertificateFile, my guess is
> that you have not added all the intermediate roots to the
> CACertificatesFile

Thanks for the response. I'm pretty sure the web server is configured
correctly. Before I added the CACertificatesFile directive, I was getting
security errors from firefox/IE/et al; whereas after I added it web
browsers seems to be working fine.

Also, gnutls-client works correctly and lists the entire CA chain, which
would also seem to indicate the server is supplying them.


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768

Re: Intermediate root CA's -- lost and confused :(

Paul B. Henson
In reply to this post by Chris L-2
On Mon, 13 Sep 2010, Chris wrote:

> Be careful you are not checking the web server from a browser that has
> the intermediate certificate installed.

I initially installed just the new cert on the web server, and the web
browsers were generating cert security errors. I then went back and added
the SSLCACertificateFile directive and the intermediate certs on the
server; at that point the web browsers were happy. This leads me to believe
the web server is correctly configured.

> openssl s_client -verify 10 -CAfile thawte_root_cert.pem -connect
> strategic.wiki.csupomona.edu:443

I had output from a similar command in my initial email without the verify
option, it still fails with it:

-------------------------------------------------------------------------
$ openssl s_client -verify 10 -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443
verify depth is 10
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-------------------------------------------------------------------------

gnutls-client on the same box works fine, listing the entire certificate
chain:

-------------------------------------------------------------------------
$ gnutls-cli --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443
Processed 1 CA certificate(s).
Resolving 'strategic.wiki.csupomona.edu'...
Connecting to '134.71.247.55:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=California,L=Pomona,O=California State Polytechnic University\, Pomona,OU=I&IT Systems,CN=strategic.wiki.csupomona.edu', issuer `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-09-10 00:00:00 UTC', expires `2011-09-10 23:59:59 UTC', SHA-1 fingerprint `57292bcd7541c56c7b664705f0192b43a927056c'
 - Certificate[1] info:
  - subject `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', issuer `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-08 00:00:00 UTC', expires `2020-02-07 23:59:59 UTC', SHA-1 fingerprint `73e42686657aece354fbf685712361658f2f4357'
 - Certificate[2] info:
  - subject `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', issuer `C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=[hidden email]', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-17 00:00:00 UTC', expires `2020-12-30 23:59:59 UTC', SHA-1 fingerprint `1fa490d1d4957942cd23545f6e823d0000796ea2'
- The hostname in the certificate matches 'strategic.wiki.csupomona.edu'.
- Peer's certificate is trusted
-------------------------------------------------------------------------

As far as I can tell the web server is configured correctly, as web
browsers and gnutls are happy with it. It's just openssl and applications
that use it that seem to be failing for reasons I haven't determined.

Thanks...


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768

Re: Intermediate root CA's -- lost and confused :(

Tim Hudson-3
In reply to this post by Paul B. Henson
> Also, gnutls-client works correctly and lists the entire CA chain, which
> would also seem to indicate the server is supplying them.

Connecting with openssl s_client as per the command you provided is not showing
the certificate chain.

openssl s_client -verify 10 -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443

Try gnutls without the TLS extensions processing occurring and you will see that
the server is not sending back the certificate chain:

gnutls-cli --priority 'NONE:+VERS-SSL3.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL' --debug 10 --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443

This fails. You need to correct your server configuration so that it correctly
sends out the chain.

Tim.



Re: Intermediate root CA's -- lost and confused :(

Paul B. Henson
On Mon, 13 Sep 2010, Tim Hudson wrote:

> Try gnutls without the TLS extensions processing occurring and you will
> see that the server is not sending back the certificate chain:

Hmm, so the server isn't volunteering the chain, but if the client is smart
enough to ask for it it will provide it :)?

> This fails. You need to correct your server configuration so that it
> correctly sends out the chain.

I'm using bog-standard apache with mod_ssl, currently version 2.2.14. The
instructions from Thawte were to use the SSLCACertificateFile directive in
the config pointing to a file they provided containing two certs (the
"thawte Primary Root CA" followed by the "Thawte SSL CA"). My server cert
is signed by the "Thawte SSL CA", and my openssl client has the "Thawte
Premium Server CA" cert installed on it.

This didn't work, as you point out it seems the server is not sending the
chain. Per an off list discussion, I've changed my config and am now using
the SSLCertificateChainFile directive instead (which seems to be the better
way to do it). I also reversed the order of the certs in the file per a
forum thread I found indicating they should be in order of verification.

That's still not working, no chain from the server.

Presumably somebody has one of these new Thawte certs installed under
apache working correctly, could one of those somebodies possibly post what
apache configuration directives they are using, and what certificates in
what order are present in the intermediate ca file they are using? That
would be greatly appreciated :).

Thanks...


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768

Re: Intermediate root CA's -- lost and confused :(

Mounir IDRASSI
Hi Paul,

Can you test the SSLCertificateChainFile instructions from the following
site? http://www.cam.ac.uk/cs/tlscerts/deploying-thawte.html
Your problem could come from the fact that your Apache
SSLCertificateChainFile configuration is missing the Thawte Cross Root
CA that links "thawte Primary Root CA" to "Thawte Premium Server CA".

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 9/14/2010 3:32 AM, Paul B. Henson wrote:

> [...]


Re: Intermediate root CA's -- lost and confused :( **SOLVED**

Paul B. Henson
In reply to this post by Tim Hudson-3
On Mon, 13 Sep 2010, Tim Hudson wrote:

> You need to correct your server configuration so that it correctly sends
> out the chain.

Ok, I figured out what was wrong. I only had the SSLCertificateChainFile
configured in the specific ssl virtual host, but not the default ssl
virtual host. When I added the SSLCertificateChainFile to the default
virtual host config as well as the specific ssl virtual host the server
started sending the chain.

That was a very frustrating and confusing ordeal 8-/. It's weird that the
browsers started working when I added it just to the specific ssl virtual
host config, that led me to believe the server was configured correctly
when it wasn't.

Thanks much to everybody that helped!


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768

Re: Intermediate root CA's -- lost and confused :(

Kyle Hamilton
In reply to this post by Paul B. Henson
On 9/13/10 2:58 PM, Paul B. Henson wrote:
> On Mon, 13 Sep 2010, Chris wrote:
>
>> Be careful you are not checking the web server from a browser that has
>> the intermediate certificate installed.
> I initially installed just the new cert on the web server, and the web
> browsers were generating cert security errors. I then went back and added
> the SSLCACertificateFile directive and the intermediate certs on the
> server; at that point the web browsers were happy. This leads me to believe
> the web server is correctly configured.
SSLCACertificateFile is an adjunct to SSLCACertificatePath, and thus is
for statements about what CAs your system will accept for client
authentication.  The directive that does only what you want is
SSLCertificateChainFile, which is an ordered collection of PEM-encoded
intermediate certifiers which may or may not include the root.  (The
root *may* be provided. X.509 tends to rely on roots being pre-shared.  
For various reasons, I believe that it is useful to send to the client,
including the possibility of root certificate-update with the same
keypair -- there's no reason not to share that information unless
dissemination of the root's public key is by policy to be restricted for
some reason.)

-Kyle H



Re: Intermediate root CA's -- lost and confused :( **SOLVED**

Crypto Sal
In reply to this post by Paul B. Henson
On 09/13/2010 10:12 PM, Paul B. Henson wrote:

> [...]


Paul,

Browsers tend to cache certificates they receive from servers, which is why,
once you had visited the properly configured site, all your other sites were
working in that browser on that machine. IE does some wacky things in terms
of verifying the certificate chain, so don't always trust it in terms of
certificates.

For verifying certificates, I love using OpenSSL's s_client utility. It is a
god-send, so long as you know what you should be seeing: run
openssl s_client -connect SITE:port (in some cases you can use the protocol
name for standard stuff: https, pop3s, etc.), then read the certificate chain
section and forget all the rest (provided you know what you should see).

One key thing to remember is that with OpenSSL you don't necessarily have a
default certificate store (the same can be said for wget and others). I do
believe OpenSSL packages on Debian and Red Hat based systems (maintainer
releases) use the system SSL directory '/etc/ssl/certs/' for root CAs, but
remember it is best practice that the server present the whole chain minus
the root CA, as the client must have access to it.

SSLCACertificateFile works on older versions of Apache 1.x and early
versions of Apache 2.0.x the same way that SSLCertificateChainFile works
on Apache 2.x nowadays.


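The following script is an added example for the points made in the thread above (Kyle's note that SSLCertificateChainFile is the directive that carries the intermediates, Crypto Sal's note that the server should send the whole chain minus the root, and Paul's chain-order confusion). It is not code from the thread, from Thawte or from Apache. It assumes only that the openssl command-line tool is on PATH; every name in it (Demo Root CA, Demo Intermediate CA, www.example.test, the files under $WORK) is invented for the demo. It builds a throwaway root -> intermediate -> leaf PKI, reproduces the "error 20 ... unable to get local issuer certificate" a client holding only the root gets when the server sends just its own certificate, shows the same leaf validating once the intermediate is supplied, and checks whether a chain bundle is in the order mod_ssl documents for SSLCertificateChainFile (the certificate that issued the server cert first, walking up toward the root).

```shell
#!/bin/sh
# Added example, not from the thread, Thawte or Apache. Assumes: openssl on PATH.
# All names below (Demo Root CA, www.example.test, files under $WORK) are invented.
set -u

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# issue NAME SUBJECT EXTFILE [SIGNER]: key + CSR, then sign with SIGNER's key,
# or self-sign when SIGNER is omitted. EC keys keep generation fast.
issue() {
    name=$1; subj=$2; ext=$3; signer=${4:-}
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" \
        >/dev/null 2>&1 || return 1
    if [ -z "$signer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 30 -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.pem" \
            -CAkey "$WORK/$signer.key" -CAcreateserial -days 30 \
            -extfile "$ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# Root -> intermediate -> leaf, plus two bundles of the two CA certs: one in
# the order mod_ssl wants (leaf's issuer first, root last) and the reverse.
gen_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
    issue root "/CN=Demo Root CA" "$WORK/ca.ext" || return 1
    issue intermediate "/CN=Demo Intermediate CA" "$WORK/ca.ext" root || return 1
    issue leaf "/CN=www.example.test" "$WORK/leaf.ext" intermediate || return 1
    cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/chain-good.pem"
    cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/chain-reversed.pem"
}

# leaf_verifies [BUNDLE]: validate leaf.pem as a client that trusts only the
# root; BUNDLE stands in for the extra certs a server sends in its Certificate
# message. Prints openssl's output; returns 0 only if the leaf is reported OK.
leaf_verifies() {
    if [ -n "${1:-}" ]; then
        out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1) || true
    fi
    printf '%s\n' "$out"
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# split_bundle BUNDLE DIR: one file per certificate, numbered in bundle order.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }' "$1"
}

# chain_is_ordered BUNDLE: 0 iff each cert is issued by the one after it, the
# order mod_ssl documents for SSLCertificateChainFile. Prints each link checked.
chain_is_ordered() {
    dir="$WORK/split"; rm -rf "$dir"
    split_bundle "$1" "$dir"
    n=$(ls "$dir" | wc -l | tr -d ' '); i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -in "$dir/$i.pem" | sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -in "$dir/$j.pem" | sed 's/^subject= *//')
        printf 'cert %d issuer [%s] -> cert %d subject [%s]\n' "$i" "$issuer" "$j" "$subject"
        [ "$issuer" = "$subject" ] || return 1
        i=$j
    done
    return 0
}

# live_chain_is_ordered HOST [PORT]: fetch what a real server sends (-showcerts
# is what makes s_client dump the whole chain) and run the same order check.
# Needs network access, so it is not exercised by main.
live_chain_is_ordered() {
    printf '' | openssl s_client -showcerts -servername "$1" -connect "$1:${2:-443}" 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$WORK/live.pem"
    chain_is_ordered "$WORK/live.pem"
}

main() {
    gen_pki || { echo "could not build the demo PKI (is openssl installed?)"; return 1; }
    echo "--- server sends only its own certificate (Paul's original state):"
    if leaf_verifies ""; then echo "unexpected: validated"; else echo "=> fails, as expected"; fi
    echo "--- server also sends the intermediate:"
    if leaf_verifies "$WORK/chain-good.pem"; then echo "=> OK"; else echo "unexpected failure"; fi
    echo "--- openssl verify accepts the reversed bundle too; mod_ssl will not:"
    if leaf_verifies "$WORK/chain-reversed.pem"; then echo "=> OK"; else echo "unexpected failure"; fi
    chain_is_ordered "$WORK/chain-good.pem" && echo "chain-good.pem: in SSLCertificateChainFile order"
    chain_is_ordered "$WORK/chain-reversed.pem" || echo "chain-reversed.pem: NOT in that order"
}

main
```

Two things the output makes concrete. First, openssl verify treats -untrusted as a pool and builds the chain by lookup, so it is happy with either bundle order; the TLS Certificate message is not (RFC 5246 requires each certificate to directly certify the one before it, and only TLS 1.3 tells clients to tolerate other orderings), which is why the order in SSLCertificateChainFile matters even though a command-line verify hides the problem. Second, whatever bundle you end up with has to be referenced from every SSL virtual host, including the default one, which is exactly what Paul found; on Apache 2.4.8 and later SSLCertificateChainFile is deprecated and the chain certificates are appended after the server certificate in the SSLCertificateFile instead. To check a deployed server, call live_chain_is_ordered with the host name and compare the "Certificate chain" section of openssl s_client -showcerts against the bundle you configured.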

Re: Intermediate root CA's -- lost and confused :(

Kyle Hamilton
In reply to this post by Paul B. Henson
Remember that you need to include -showcerts in the s_client line to get it to dump certificates.

-Kyle H

On Mon, Sep 13, 2010 at 6:04 PM, Tim Hudson <[hidden email]> wrote:

> [...]



Re: Intermediate root CA's -- lost and confused :(

Paul B. Henson
In reply to this post by Mounir IDRASSI
On Mon, 13 Sep 2010, Mounir IDRASSI wrote:

> Your problem could come from the fact that your Apache
> SSLCertificateChainFile configuration is missing the Thawte Cross Root CA
> that links "thawte Primary Root CA" to "Thawte Premium Server CA".

Thanks for the suggestion, but I don't see that I need that; the "thawte
Primary Root CA" is signed directly by the "Thawte Premium Server CA".

Interestingly, I found two different versions of the "thawte Primary Root
CA" available from Thawte -- one signed by the "Thawte Premium Server CA",
and one self-signed. As if this mess wasn't confusing enough :).

It turns out my problem was specifying the SSLCertificateChainFile
directive in a virtualhost section that wasn't the default. When I moved
the config to the default ssl vhost it started working.


--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [hidden email]
California State Polytechnic University  |  Pomona CA 91768