Need to Specify a CA certificate file to trust when verifying a server SSL certificate


#1

Hello,

I am using a program called: Proxytunnel to establish secure communication from my Windows 7 client through a forward proxy server I created in an Apache Virtualhost on my home LAN. I use this to establish a tls encrypted connection to my ssh server on my LAN.

Proxytunnel has an option to specify a CA cert for server certificate verification. I hardly have any idea what this means. I have an Apache website on my LAN which is SSL enabled using Letsencrypt. I have these lines in the Virtualhost:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

So I used Certbot to create these certificates.

My Goal:
I want to run this Proxytunnel program from a Windows command line. Something like this:

proxytunnel -v -p example.com:443 -d 192.168.1.124:22

This will connect me through my forward proxy at example.com on port 443 and use the Apache CONNECT to forward to the ssh port 22.

My Question:
The Proxytunnel program has another command line argument -C that allows me to provide a CA cert for server certificate verification. I don’t know how to supply this file. The Proxytunnel documentation says:

-C, --cacert=filename/directory
Specify a CA certificate file (or directory containing CA certificate(s)) to trust when verifying a server SSL certificate.
If a directory is provided, it must be prepared with OpenSSL’s c_rehash tool. (default: /etc/ssl/certs)

Can someone advise me how maybe I convert one or all of my Letsencrypt certificates and use it or them as a command line parameter to Proxytunnel program to achieve this client certification authentication?

Something like:

> proxytunnel -v -C myCAcert.pem -p example.com:443 -d 192.168.1.124:22

Thank you,

Flex


#2

On Linux, it uses /etc/ssl/certs by default, so the argument can be omitted.

On Windows, I’m not sure if it falls back to anything. You could try including the DST Root and passing that to --cacert. I don’t think you should include your server’s Let’s Encrypt certificate, since it will change every 60-90 days.

proxytunnel -E -C root.pem ...

Root:

-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
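Added example, not part of this thread or of Proxytunnel: the -C/--cacert option described in #1 and the root.pem suggestion in #2 both come down to "which certificate(s) does the client treat as a trust anchor". The script below builds a throwaway PKI locally (a constructed root CA, a server certificate signed by it, and an unrelated root) and then uses `openssl verify` to show that the server certificate validates only against the root that actually signed its chain, in both the single-file form and the c_rehash-style directory form that the option accepts. Nothing is fetched from the network and no Let's Encrypt certificate is used; the constructed root stands in for the real root in the same role. Function names and the `demo` entry point are this example's own, and the check is done with OpenSSL rather than with Proxytunnel itself.

```shell
#!/bin/sh
# Added example (not from the thread): what a -C / --cacert trust anchor does,
# demonstrated with OpenSSL's verify against a constructed, offline PKI.

# Build a constructed root CA, a server certificate signed by it, and an
# unrelated root that must NOT be able to validate the server certificate.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Root" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# Validate a leaf certificate against one trust-anchor file (the -C file form).
# -no-CAfile/-no-CApath keep the system store (e.g. /etc/ssl/certs) out of
# the decision, so the result depends only on the file we pass.
verify_with_cafile() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Lay out a directory the way c_rehash does: each CA certificate must be
# reachable as <subject-hash>.0 (the -C directory form).
prepare_capath() {
    cafile="$1"
    capath="$2"
    mkdir -p "$capath"
    hash=$(openssl x509 -noout -hash -in "$cafile")
    cp "$cafile" "$capath/$hash.0"
}

# Validate a leaf certificate against a hashed CA directory.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone walkthrough: run as  sh this_script.sh --demo
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    if verify_with_cafile "$work/ca.pem" "$work/server.pem"; then
        echo "right root as -C file: server certificate verifies"
    fi
    if ! verify_with_cafile "$work/other-ca.pem" "$work/server.pem"; then
        echo "unrelated root as -C file: verification fails, as it should"
    fi
    prepare_capath "$work/ca.pem" "$work/certs"
    if verify_with_capath "$work/certs" "$work/server.pem"; then
        echo "hashed directory as -C: server certificate verifies"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The same distinction explains why #2 advises against passing the server's own Let's Encrypt certificate: the file handed to -C is the anchor the client trusts, so it should be the root (or intermediate) that signs the server's chain and stays stable across renewals, not the leaf that is reissued every few months.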

#3

Hello _az,

Thank you so much for that clear and quick reply!

I copied the text of that Certificate to a file called root.pem which I just saved into the same directory as the Proxytunnel program and now my new Proxytunnel command is like this:

D:\Application Data\Proxytunnelv1.9.9-32bit>proxytunnel -v -E -C root.pem -p example.com:443 -d 192.168.1.124:22
SSL client to proxy enabled
Connected to example.com:443 (local proxy)
Set SNI hostname to example.com

Tunneling to 192.168.1.124:22 (destination)
Communication with local proxy:
 -> CONNECT 192.168.1.124:22 HTTP/1.1
 -> Host: example.com
 -> Proxy-Connection: Keep-Alive
 <- HTTP/1.0 200 Connection Established

 <- Proxy-agent: Apache

 <-
&a@▒&acom

Tunnel established.
SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3

… and it works perfectly.

Thank you!

Flex


#4

Great! I should add that that root may not be signing the Let’s Encrypt intermediates ~3-4 years from now, so it may not be a long-term solution.

