OpenSSL not accepting a certificate, whilst curl does.

John Robson jrobson at zenoss.com
Mon Sep 28 21:35:55 UTC 2020 

Hi,

I'm really struggling to get my head around a specific scenario that isn't
behaving as I expect.  Hopefully someone with more experience/knowledge can
set me on the right path.

Note - my attempts to reproduce this in a lab have been unsuccessful,
although I don't have access to the server private key, so the attempts
have been with a completely independent CA chain.


I have a private CA, which has signed an intermediate certificate which has
signed a server certificate for an internal web server which is used by
various automated systems (all linux based).

The webserver (Apache) has the server cert and key, defined and in use as
well as the intermediate certificate defined as the chain certificate -
this all shows as expected.

I have then added the root certificate to the trusted certs for an
automated system (populated `/etc/pki/ca-trust/source/anchors/` run
`update-ca-trust extract`).

After this curl no longer complains about the certificate from the web
server (expected).
However OpenSSL still does (unexpected), and I presume that for the same
reason(s) urllib in Python also doesn't accept the certificate.
If I manually feed `openssl verify` the certificates and chain then they
all come back "OK".

I've set up these systems a number of times with both self signed and CA
signed certs and never seen this behaviour.

I'm slightly at a loss as to what diagnostics I even need at this point...
so I've dropped a summary of relevant(?) diagnostics at this point below.

Thanks,


John

-- 

# Check that the root is installed into the trusted bundle:
# awk -v cmd='openssl x509 -noout -subject -serial -fingerprint; echo'
'/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.trust.crt |
grep -A1 CAROOT
subject= /CN=CAROOT/O=org/C=XX
serial=4D4C00241A7A17D0

# Check that the pem file I have is correct (serial matches above):
# openssl x509 -in CAROOT.pem -text | grep erial
        Serial Number: 5569826994213492688 (0x4d4c00241a7a17d0)

# Check that the chain is contiguous:
# openssl x509 -text -noout -in CAROOT.pem | grep -A1 -e Ident -e erial
        Serial Number: 5569826994213492688 (0x4d4c00241a7a17d0)
    Signature Algorithm: sha256WithRSAEncryption
            X509v3 Subject Key Identifier:
                2A:3E:33:88:7E:19:35:7C:6E:9D:7C:63:90:80:B8:DF:96:5A:A8:9D
            X509v3 Authority Key Identifier:

keyid:2A:3E:33:88:7E:19:35:7C:6E:9D:7C:63:90:80:B8:DF:96:5A:A8:9D
# openssl x509 -text -noout -in CAINTER.pem | grep -A1 -e Ident
            X509v3 Subject Key Identifier:
                FB:17:C5:BB:BD:AD:84:65:4F:16:A7:E8:FA:95:1D:C7:D9:29:45:6A
            X509v3 Authority Key Identifier:

keyid:2A:3E:33:88:7E:19:35:7C:6E:9D:7C:63:90:80:B8:DF:96:5A:A8:9D
# openssl x509 -text -noout -in SERVER.pem | grep -A1 -e Ident
            X509v3 Subject Key Identifier:
                F5:26:E2:09:A4:41:EC:EE:75:E2:4E:E4:02:90:B7:CD:EB:FC:4E:EC
            X509v3 Authority Key Identifier:

keyid:FB:17:C5:BB:BD:AD:84:65:4F:16:A7:E8:FA:95:1D:C7:D9:29:45:6A

To my eye those all look lined up, and the serial on the root still agrees.


CURL:
# curl https://server.fqdn
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://server.fqdn:443/path/
">here</a>.</p>
</body></html>

OpenSSL:
# openssl s_client -connect server.fqdn:443
CONNECTED(00000007)
depth=1 CN = CAINTER, O = org, C = XX
verify error:num=2:unable to get issuer certificate
issuer= CN = CAROOT, O = org, C = XX
 --8<--
Verify return code: 2 (unable to get issuer certificate)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200928/6803c652/attachment.html>

More information about the openssl-users mailing list