Basic install complains about DST Root CA X3 self-signed certificate


#1

Here is what I have done:

  1. Generated cert.pem, privkey.pem, chain.pem, and fullchain.pem in standalone mode using ./letsencrypt-auto certonly --standalone -d MYDOMAIN on my Debian server

  2. Tested an openssl client connection from my Mac laptop to that server:

on server: openssl s_server -cert cert.pem -key privkey.pem -CAfile chain.pem

on client: openssl s_client -connect MYDOMAIN:4433 -servername MYDOMAIN

The result complains about a self-signed cert:

MacBook-Pro-3:certs dhorton$ openssl s_client -connect MYDOMAIN:4433 -servername MYDOMAIN
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=19:self signed certificate in certificate chain

Certificate chain
 0 s:/CN=MYDOMAIN
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Since it seemed to be complaining that the root cert was self-signed, I downloaded and installed the DST Root CA X3 cert into Keychain Access on my Mac. I still get the same results.

Any ideas?


#2

Try adding the argument -CApath /etc/ssl/certs

So:
openssl s_client -CApath /etc/ssl/certs -connect MYDOMAIN:4433 -servername MYDOMAIN

Ensure that you have certificate bundles installed under this path; it's /etc/ssl/certs for Linux, notably Debian, but I'm not sure for Mac.


#3

Thanks. I explicitly referenced the downloaded root cert that I got and it seemed to work. I guess at this point my question is more a Mac-specific question about why it is not finding that root cert in Keychain Access.

Anyway, for posterity, here is the command that seemed to work:

MacBook-Pro-3:certs dhorton$ openssl s_client -connect srf-qa-02.drachtio.org:4433 -servername srf-qa-02.drachtio.org -CAfile dst_root.pem
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = srf-qa-02.drachtio.org
verify return:1

Certificate chain
 0 s:/CN=srf-qa-02.drachtio.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
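
Post #2 points openssl at a trust-store directory (-CApath) and post #3 at a single root file (-CAfile); both work for the same reason. The openssl command-line tool verifies against its own trust store (whatever -CAfile/-CApath name, or its compiled-in default) and not the macOS Keychain, which is consistent with the poster's finding that adding the root to Keychain Access changed nothing. Verify error 19 says exactly that: the chain the server presented ends in a self-signed certificate (depth 2) that the trust store does not contain. The script below is an added example, not code from the thread: it builds a throwaway three-level chain locally (standing in for DST Root CA X3, Let's Encrypt Authority X3 and the leaf), reproduces error 19 against the default store, then clears it by trusting the root file, which is the offline equivalent of the -CAfile dst_root.pem run above. Every name in it (Example Root CA, srv.example.test, the file names) is made up for the demo, and it assumes an OpenSSL 1.1.0 or newer openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not part of the original thread. Reproduces OpenSSL's
# "verify error:num=19:self signed certificate in certificate chain"
# with a locally constructed chain and shows why -CAfile fixes it.
# All names (Example Root CA, srv.example.test, file names) are made up.
# Assumes: OpenSSL 1.1.0+ `openssl` on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build root -> intermediate -> leaf with the basicConstraints/keyUsage
# extensions a real CA chain carries (without CA:TRUE on the intermediate,
# verification would fail with a different error, 24 "invalid CA certificate").
make_chain() {
  [ -f "$WORK/leaf.pem" ] && return 0
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:srv.example.test
EOF
  # Self-signed root: the stand-in for DST Root CA X3 (depth 2 in the thread).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/O=Example Trust/CN=Example Root CA" \
    -config "$WORK/ext.cnf" -extensions ca_ext 2>/dev/null
  # Intermediate signed by the root: the Let's Encrypt Authority X3 stand-in.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/O=Example Trust/CN=Example Intermediate CA" \
    -config "$WORK/ext.cnf" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null
  # Leaf signed by the intermediate (depth 0).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=srv.example.test" \
    -config "$WORK/ext.cnf" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
  # What the thread's s_server sent at depth 1 and 2: intermediate plus root.
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/sent_chain.pem"
}

# Verify the leaf against the presented chain. $1 is a file of trusted roots
# (s_client's -CAfile); omit it to use only openssl's default store, which does
# not know the demo root, just as the Mac's store did not know DST Root CA X3.
# Prints the X509 verify error number, or 0 on success.
verify_error_code() {
  cafile_args=""
  [ $# -gt 0 ] && cafile_args="-CAfile $1"
  if out=$(openssl verify $cafile_args \
             -untrusted "$WORK/sent_chain.pem" "$WORK/leaf.pem" 2>&1); then
    echo 0
  else
    # e.g. "error 19 at 2 depth lookup: self signed certificate in certificate chain"
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_chain
echo "default store only: error $(verify_error_code)"                   # 19
echo "root via -CAfile:   error $(verify_error_code "$WORK/root.pem")"  # 0
```

Two things to keep in mind when turning this into a check. First, s_client completes the handshake even when verification fails; it only reports the error in its "verify" lines, so a script must inspect the Verify return code rather than whether the connection succeeded, whereas openssl verify (used above) exits non-zero. Second, trusting a downloaded root file with -CAfile proves the chain is built correctly, but it is only as good as the provenance of that file: fetch roots from the CA's own site or the OS bundle, not from the server you are testing.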
