OpenSSL not accepting a certificate, whilst curl does.

Tomas Mraz tmraz at redhat.com
Tue Sep 29 06:06:00 UTC 2020


On Mon, 2020-09-28 at 22:35 +0100, John Robson via openssl-users wrote:
> Hi,
> 
> I'm really struggling to get my head around a specific scenario that
> isn't behaving as I expect.  Hopefully someone with more
> experience/knowledge can set me on the right path.
> 
> Note - my attempts to reproduce this in a lab have been unsuccessful,
> although I don't have access to the server private key, so the
> attempts have been with a completely independent CA chain.
> 
> 
> I have a private CA, which has signed an intermediate certificate
> which has signed a server certificate for an internal web server
> which is used by various automated systems (all linux based).
> 
> The webserver (Apache) has the server cert and key, defined and in
> use as well as the intermediate certificate defined as the chain
> certificate - this all shows as expected.
> 
> I have then added the root certificate to the trusted certs for an
> automated system (populated `/etc/pki/ca-trust/source/anchors/`, then
> ran `update-ca-trust extract`).
> 
> After this curl no longer complains about the certificate from the
> web server (expected).
> However OpenSSL still does (unexpected), and I presume that for the
> same reason(s) urllib in Python also doesn't accept the certificate.
> If I manually feed `openssl verify` the certificates and chain then
> they all come back "OK".
> 
> I've set up these systems a number of times with both self-signed and
> CA-signed certs and never seen this behaviour.

...
> CURL:
> # curl https://server.fqdn
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>302 Found</title>
> </head><body>
> <h1>Found</h1>
> <p>The document has moved <a href="
> https://server.fqdn:443/path/">here</a>.</p>
> </body></html>
> 
> OpenSSL:
> # openssl s_client -connect server.fqdn:443
> CONNECTED(00000007)
> depth=1 CN = CAINTER, O = org, C = XX
> verify error:num=2:unable to get issuer certificate
> issuer= CN = CAROOT, O = org, C = XX
>  --8<--
> Verify return code: 2 (unable to get issuer certificate)

What is the curl library linked to? Is it using OpenSSL or something
else, for example NSS, as the TLS library? What exact system are you
testing on?

Are you sure you've put your CAROOT certificate into the system
certificate trust store? And/or is the trust store properly set up to
be loaded by OpenSSL by default?

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
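A quick way to answer the two questions in the reply (where OpenSSL loads its default trust store from, and whether CAROOT actually ended up there) from the affected client itself. This is an added example, not code from the thread; it uses only Python's standard `ssl` module, which is linked against the same OpenSSL that urllib uses, and assumes the root PEM is passed as the first command-line argument.

```python
import os
import ssl


def diagnose_default_trust_store() -> dict:
    """Describe OpenSSL's default verify locations and how many CAs load from them."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # loads the default store, as urllib does
    return {
        "openssl_cafile": paths.openssl_cafile,
        "cafile_exists": os.path.isfile(paths.openssl_cafile),
        "openssl_capath": paths.openssl_capath,
        "capath_exists": os.path.isdir(paths.openssl_capath),
        # SSL_CERT_FILE / SSL_CERT_DIR in the environment override the
        # compiled-in defaults; a stale override is a common cause of
        # "works for curl, fails for OpenSSL" on the same box.
        "cafile_env_override": os.environ.get(paths.openssl_cafile_env),
        "capath_env_override": os.environ.get(paths.openssl_capath_env),
        "loaded_ca_count": ctx.cert_store_stats()["x509_ca"],
    }


def root_in_default_store(root_pem: str) -> bool:
    """True if the given PEM root is among the CAs loaded by the default context.

    Caveat: certificates in a hashed capath directory are loaded lazily, so a
    root present only there will not show up here until it has been used in a
    verification. False therefore means "not in cafile / not loaded yet".
    Raises ValueError if the input is not PEM at all.
    """
    root_der = ssl.PEM_cert_to_DER_cert(root_pem)
    ctx = ssl.create_default_context()
    return root_der in ctx.get_ca_certs(binary_form=True)


if __name__ == "__main__":
    import json
    import sys

    print(json.dumps(diagnose_default_trust_store(), indent=2))
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print("root loaded by default store:", root_in_default_store(f.read()))
```

Compare the reported `openssl_cafile`/`openssl_capath` with what `update-ca-trust extract` writes and with the TLS backend shown by `curl --version`; if they differ, the two clients are simply consulting different stores.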
