Issue - Unable to verify certificate chain - CentOS7

Help
1

Greetings,

Issue:
Issue - Unable to verify certificate chain - CentOS7

Summary:
I issued a let'sencrupt via Certbot installed on a Pi, my DNS server is Cloudflare.
I was able to get the cert files without issues.

root@raspberrypi# certbot --version
certbot 1.12.0

[root]# ls
0-server.key  1-server.crt  2-inter.crt  3-root.crt  chain.crt  fullchain.crt

[root]# openssl x509 -in 1-server.crt -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=R3

[root]# openssl x509 -in 2-inter.crt -noout -issuer
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1

[root]# openssl x509 -in 2-inter.crt -noout -issuer
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1

Now when I run the following command to verify, getting error:

[root]# openssl verify -CAfile 2-inter.crt 1-server.crt
1-server.crt: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup:unable to get issuer certificate

My web server showing error as well when using the cert:

  Missing CA: /O=Digital Signature Trust Co./CN=DST Root CA X3 (2e5ac55d).
       Error: Unable to verify certificate chain.
Error: Unable to validate web_service_certificate

Any idea why the chain validation is broken?

Note: When I use a self-signed certificate chain (Root-Inter-leaf) everything works fine (I just need to add the root to the trust store, that's why I am trying to use Let's encrypt, however, it's failing.

Regards,

1 Like
2

The best way to use openssl to verify a local cert is shown here (by a certbot dev):

What command are you trying when your webserver says "Unable to validate web_service_certificate"?

Can you describe your web server? And, is this still your ans.red domain from earlier posts? If not, which domain is it?

9 Likes
3

Hi @MikeMcQ . thanks for helping out here.

The domain is different, illumio.consulting

The error Unable to validate web_service_certificate is from the web server software itself.

I tried the verify command from the link you shared, between root and intermediate + intermediate + server and I got:

I noticed when checking the command on my Macbook, and it shows it's okay

# openssl verify -untrusted 3-root.crt 2-inter.crt

2-inter.crt: OK

# openssl verify -untrusted 2-inter.crt 1-server.crt

1-server.crt: OK

But on the CentOS 7 machine,

# openssl verify -untrusted 3-root.crt 2-inter.crt
2-inter.crt: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 1 depth lookup:unable to get issuer certificate


# openssl verify -untrusted 2-inter.crt 1-server.crt
1-server.crt: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

Anything else I should check to verify the certificate is valid on a CentOS 7 machine and it's able to validate the chain?

1 Like
4

I don't know why the server would verify the cert. Usually the server just sends out the cert and the client verifies that it is trusted in their CA store. A server can't possibly know whether a client will trust the certs.

Setting that aside, the verify error sounds like your CA root store does not have the ISRG Root X1 cert in it. You could try updating that with

sudo yum install ca-certificates
9 Likes
5

ca-certificate already installed

# sudo yum install ca-certificates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                 |  20 kB  00:00:00
 * base: mirror.dst.ca
 * epel: mirror.dst.ca
 * extras: mirror.dst.ca
 * updates: mirror.xenyth.net
base                                                                                                 | 3.6 kB  00:00:00
epel                                                                                                 | 4.7 kB  00:00:00
extras                                                                                               | 2.9 kB  00:00:00
updates                                                                                              | 2.9 kB  00:00:00
(1/2): epel/x86_64/updateinfo                                                                        | 1.1 MB  00:00:00
(2/2): epel/x86_64/primary_db                                                                        | 7.0 MB  00:00:01
Package ca-certificates-2021.2.50-72.el7_9.noarch already installed and latest version
Nothing to do

I used this other command as well to confirm the ISRG Root X1 certificate if it's there.

awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt

and I can see the root cert

subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1

1 Like
6

Hmmm. I am on a similar system and get this when verifying an LE cert:
(pwd is the /etc/letsencrypt/live/(domain)/ folder)

openssl verify -untrusted chain.pem cert.pem
cert.pem: OK

What happens with:

openssl verify -untrusted 2-inter.crt 1-server.crt -CAfile /etc/ssl/certs/ca-certificates.crt
9 Likes
7

Getting this

# openssl verify -untrusted 2-inter.crt 1-server.crt -CAfile /etc/ssl/certs/ca-certificates.crt

1-server.crt: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

Error opening certificate file -CAfile
139794605307792:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('-CAfile','r')
139794605307792:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate

Error opening certificate file /etc/ssl/certs/ca-certificates.crt
139794605307792:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/ssl/certs/ca-certificates.crt','r')
139794605307792:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate

Might be something wrong with CA store on the system, not sure what could be though

8

Oh, my bad. Should be:

openssl verify -untrusted 2-inter.crt -CAfile /etc/ssl/certs/ca-bundle.crt 1-server.crt
9 Likes
9

it's okay, here is the output

# openssl verify -untrusted 2-inter.crt -CAfile /etc/ssl/certs/ca-bundle.crt 1-server.crt
1-server.crt: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
10

I don't understand how that can be. You found the ISRG root in that CA store with your awk command a few posts back. Are you sure those files 2-inter.crt and 1-server.crt are the chain.pem and cert.pem, respectively, created by certbot?

As evidence this is what I get :slight_smile: I have the same CA cert store version as you.

openssl verify -untrusted chain.pem -CAfile /etc/ssl/certs/ca-bundle.crt cert.pem
cert.pem: OK
9 Likes
11

What is the output of:

openssl version

OpenSSL and similar programs are not very intuitive to start with, and behavior of some commands has changed across releases. Some versions will accept a combined chain for -untrusted, others require multiple arguments for single certificates. E.g.:

openssl verify -purpose sslserver -untrusted combined_chain.pem cert.pem

openssl verify -purpose sslserver -untrusted chain_1.pem -untrusted chain_0.pem cert.pem
9 Likes
12

For sure !

Just for fun I looked at the openssl changelog and it says -untrusted support for a set of certs was done at the same time as -purpose was introduced (between 0.94 and 0.95). The current docs say the -untrusted file can have one or more certs and be set multiple times.

Two new options to the verify program: -untrusted allows a set of untrusted certificates to be passed in and -purpose which sets the intended purpose of the certificate. If a purpose is set then the new chain verify code is used to check extension consistency.

9 Likes
13 
# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Running the commands you shared

# openssl verify -purpose sslserver -untrusted fullchain.crt 1-server.crt
1-server.crt: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

# openssl verify -purpose sslserver -untrusted 3-root.crt -untrusted 2-inter.crt 1-server.crt
1-server.crt: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

Just to confirm
1-server.crt = Is just the actual certificate ( ====Common Name=illumio.consulting)
2-inter.crt = Is the intermediate cert (Let's encrypt ====Common Name=R3)
3-root.crt = Is the root cert ( ====Common Name=ISRG Root X1)

fullchain.crt is the regular bundle that has all three the above in one file

14

Ah, you have 1.02.

You should upgrade if possible. That particular version is problematic.

See if any of this works: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

9 Likes
15

I don't have the ability to spin up legacy OS builds right now, but I am fairly certain I had issues with -untrusted on some .98 and 1.02 versions; I don't remember the minor/letter version. Looking at my notes, it appears to have been when I was running OSX 10.10 and 10.11 and using the stock OpenSSL. (I did not write which OpenSSL version was affected in my notes)

I only started using -purpose sslserver recently, thanks to someone posting about it here!

9 Likes
16

Can you upload the contents of that file (or show it)? The current default LE chain would have 2 certs in the intermediate chain. As long as there is no string in it saying "PRIVATE" it is ok to post.

The root is used by clients to validate that the leaf and intermediates they received chain to something they trust. Where did you get that? It is not sent out by the server - each client already has ones that they trust.

And, just for clarity ... I am using an AWS Linux2 test server which is a close cousin of your CentOS 7. I have the same major version of openssl as you as well as cert store. openssl gets security backports but not features so what works on my test system should be working on yours.

9 Likes
17

Sure.

Here

1-server.crt

-----BEGIN CERTIFICATE-----
MIIFQDCCBCigAwIBAgISA5MpHDgcI0KAVMZQqa+PKDX2MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA3MDYwMDI1MjdaFw0yMjEwMDQwMDI1MjZaMB0xGzAZBgNVBAMT
EmlsbHVtaW8uY29uc3VsdGluZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJeQQz2GsoJB/4wFwnI57fUufmZlDPQBVDkuDu0vXfTc7/L6RpjV0QIiIfEg
KMLQ9rOPF3BlvNuiPLyHvbRI/ce87q2xJeBX6xeAkDlGWIeyvmozMzgt0ruY5yqN
kKTAqiVTB/r5chCcR3va0ZtIuBJiZrApB/PPlrAhNcsn0wOoJjD6kIEPROOEtJ+a
0iEzAQfPre+K81o5snwE0jKnQotA2VLVqtnd/4NhArIVbAxg+v9V7XJHTQ4sqPwE
N4PCFoYArhuJYqisy9Pq9VPm3tzqWNTqp3XZihcykFs8WZY1rnZMB9KfYYgzVFFw
q7GgXtEfshqKVJJVRGNzUvRfvZECAwEAAaOCAmMwggJfMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQUJnq13JxNVmJ3VizL6e9FgQ9ChjswHwYDVR0jBBgwFoAUFC6zF7dY
VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw
Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy
Lm9yZy8wMwYDVR0RBCwwKoIUKi5pbGx1bWlvLmNvbnN1bHRpbmeCEmlsbHVtaW8u
Y29uc3VsdGluZzBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAo
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisG
AQQB1nkCBAIEgfUEgfIA8AB2AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBE
XCpzAAABgdEcsUAAAAQDAEcwRQIhAJL6T1keW2ggaUb1G/S7O4Zzq00TJ28gBQbw
rhdiYaOCAiBpYvRcGhlu2vwi08uAjLBnCJ5W+p6ziUKEK0Z9Xng8FQB2AEalVet1
+pEgMLWiiWn0830RLEF0vv1JuIWr8vxw/m1HAAABgdEcsWkAAAQDAEcwRQIgS9vP
Zo9N+VqueDRglbvNZgZlJHcr6cggHo9I8FlRGDoCIQDhCtlLwsKrBrU50HjO5xtA
wzSsB0ZaYRAvs9Jw9wVxOjANBgkqhkiG9w0BAQsFAAOCAQEAEo1CEldf3EzFpnit
FvUQrTnCHncMNcAeyjKqdId2FJOcG/himZCE3e/Xmm0zMGMqHCzvnhWoUDtnLiVv
uAmjDdvEeyRMJTIdulN6Nzv4sXgIRSjHExDJfVoWOQZGuY/w4DhnLyyDJC7jkCXg
8V/YH+2+y27mlv3yY0LUfgm3atXJPDsigDC6w9ujYZiRm+BtidYuV6Jm6xLPvajl
CpPCHGlwKD6Efm0E20U6dFTtRBKFFpeQJjsQAPxjh3vxpHPLm943SvLvjl//eHj9
dVUA1sGEdqYaQGXIFT/4m+HL845FN6I/jYKI12pZjagt0JawjJx0qCcoD5FWw8BL
4nFWyw==
-----END CERTIFICATE-----

2-inter.crt

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

3-root.crt

-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----

Thanks for the help!

18

Thanks. That "root" is not really a CA root. Your inter and root files are the two parts of the default "long intermediate" chain returned by Let's Encrypt. At least I am no longer confused by that name :slight_smile:

Good news is your server (leaf) cert with that inter verifies fine on my system.

We should check if you have something odd in your CA store. What does this show:

sudo cat /etc/ssl/certs/ca-bundle.crt | grep -Ei 'ISRG|DST|R3' | grep -e '#'
11 Likes
19

@MikeMcQ sorry about the confusion with the naming.

Here I just renamed all the files to the default to make things easier.

ls -l
total 20
-rw-r--r--. 1 root root 1882 Jul 6 17:43 cert.pem
-rw-r--r--. 1 root root 3748 Jul 6 17:43 chain.pem
-rw-r--r--. 1 root root 5631 Jul 6 17:43 fullchain.pem
-rw-r--r--. 1 root root 1703 Jul 6 17:43 privkey.pem

I just reset the CentOS7 machine as well

  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-1160.71.1.el7.x86_64

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Running the command you shared:

sudo cat /etc/ssl/certs/ca-bundle.crt | grep -Ei 'ISRG|DST|R3' | grep -e '#'
# GTS Root R3
# GlobalSign Root CA - R3
# ISRG Root X1

I ran the previous commands as well from @jvanasco

# openssl verify -purpose sslserver -untrusted fullchain.pem cert.pem
cert.pem: OK

# openssl verify -purpose sslserver -untrusted chain.pem cert.pem
cert.pem: OK

# openssl verify -purpose sslserver -untrusted fullchain.pem chain.pem cert.pem
chain.pem: OK
cert.pem: OK

I think we are making some good progress as there was something wrong with the CentOS 7. I still working on the setup and will test soon with the web server itself.

Thanks guys for the help so far.

3 Likes
20

Excellent. That's what I see on my system too. Let us know what happens with your server config. Cheers

5 Likes