Solved Adding certificate to ca_root_nss

Hello all,

I have to make wget https://my.server work from a FreeBSD 10 box. For this I have installed security/ca_root_nss and made a symlink to /etc/ssl/cert.pem

With well-known web servers like github.com it works well and the response is 200. But my custom SSL certificate is not validated, so I decided to add it to the ca_root_nss.pem file manually, because it is just a bunch of known CA certs concatenated together. If I export my SSL certificate to a PEM file and append it to ca_root_nss it is still not validated. I have added the certificate like this:
openssl x509 -in startssl.crt -text >> /etc/ssl/cert.pem

I have also tried to import the top-level CA that has issued the certificate - still no luck. What am I missing? It should be fairly simple to trust any desired certificate, but I didn't get it.

P.S. I know about "--no-check-certificate" option.
 
What happens if you use --ca-certificate and point that at your self-signed CA certificate?

The problem is that in this situation there are too many unknown factors to determine what could be causing this. Your certificate could be invalid, your web server could have been misconfigured, etc. Normally the CA which issues the certificate used by the webserver needs to be trusted, so that should eventually end up in /etc/ssl/cert.pem. But as mentioned, first I'd try --ca-certificate instead.

Also be sure to log and optionally raise verbosity, that might also give you some clues.
 
Try
Code:
openssl s_client -connect my.server:443 -servername my.server -CAfile /path/to/your/top-level/ca/certificate

One possible problem with merging certificates - I once had some trouble when I manually pasted new certificate data into an existing file and didn't add a new line at the end. However, I can't recall if it was OpenSSL or Nginx or what that was not able to recognize the added certificate.
 
Thank you all for the help! Finally I got the certificate to be correctly verified by importing the intermediate CLASS 1 provider cert. There is a chain of certificates: rootCA - intermediate class 1 CA - client cert. So to check the client certificate I should import specifically the class 1 certificate. If I import the rootCA or web-server CA -- I can't validate the client.
BTW -- appending the certificate to the end of /etc/ssl/cert.pem did the job. It just needs to be the correct one :)
 
You have a problem with the web server configuration - you have to send the whole certificate chain, see the following page for an example: http://nginx.org/en/docs/http/configuring_https_servers.html#chains

When I use
openssl s_client -connect my.server:443
I can see the server certificate ("s") and the Class 1 certificate ("i"). I don't see the rootCA certificate (i.e. the chain). Probably I need to assemble the .crt file myself, adding the rootCA to the file? OpenSSL complains:
Code:
Verify return code: 21 (unable to verify the first certificate)
There is only one under number "0", not like in the example - 1, 2.
 
Yes, you have to assemble your certificate chain yourself. The server should send everything between the CA root, which is usually in the certificate store of the client (the ca_root_nss port in your case), and the server's own certificate. The exact method may vary depending on your web server, see the appropriate documentation, but the order of the certificates in the file is usually important. There are many examples at least for Apache and nginx on the Internet.

However, if you see the intermediate certificate sent from the server (and there is only one in the chain between the root and your server's certificate), then something is probably wrong. Did you point the openssl command to the installed bundle with -CAfile?
 
If I do openssl s_client -connect my.server:443 then it prints:
Code:
Certificate chain
0 s:/C=EE/CN=cloud.ant.ee/emailAddress=xxxx
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
And the result of verification:
Code:
Verify return code: 21 (unable to verify the first certificate)
If I do openssl s_client -connect webmail.ant.ee:443 -CAfile /etc/ssl/cert.pem then it prints exactly the same, but the result of verification is:
Code:
Verify return code: 0 (ok)
Because StartCom Class 1 is imported into /etc/ssl/cert.pem manually.

I thought that if a CA gives me a CRT file -- it already includes the full chain and I don't need to assemble it myself.
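The chain problem the last few posts walk through (leaf verified against a root-only bundle, the intermediate either sent by the server or appended to cert.pem, and the chain file the server should serve), reproduced offline as an added example that is not part of this thread. It builds a throwaway three-level PKI with openssl; the names demo-root, demo-class1 and my.server, the work directory and the extension files are constructed for the demo.

```shell
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with openssl, then show the leaf alone failing against a root-only bundle
# while the intermediate, supplied by the server or appended to the bundle, makes it
# verify. demo-root, demo-class1, my.server and the work directory are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Root and intermediate get basicConstraints CA:TRUE; OpenSSL rejects issuers without it.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my.server\n' > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-root' \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-class1' \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=my.server' \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf BUNDLE LEAF [INTERMEDIATE]: verify LEAF against trusted BUNDLE; the
# optional INTERMEDIATE is untrusted input, standing in for what a correctly
# configured server sends in the handshake. Returns openssl verify's exit status.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Server-side fix: the chain file given to nginx/Apache holds the leaf first, then
# the intermediate; the root stays in the client's store. Prints the cert count.
build_server_chain() {
    cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}
make_demo_pki
if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem"; then echo "1: unexpected OK"
else echo "1: root-only bundle, leaf alone: FAIL (the thread's situation)"; fi
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem" && echo "2: server sends intermediate: OK"
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"   # the OP's client-side workaround
verify_leaf "$WORK/bundle.pem" "$WORK/leaf.pem" && echo "3: intermediate appended to bundle: OK"
echo "server chain file holds $(build_server_chain) certificates"
```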
 