Using OpenSSL with Mozilla Root CA Bundle to Avoid unable to get local issuer certificate Errors

Hi,

After struggling for a while, I finally got LE to issue the certificates I wanted, but they don’t seem to validate. That is if I run “openssl s_client -connect dw.cameron.edu” I get a the following.

CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=dw.cameron.edu
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgISA3IJLHapbQWvNnqwk46qVndpMA0GCSqGSIb3DQEBCwUA

...

tHGuYeY0sds6FK7jWPq2XTsGjC/vTvSJpC/JcLwrN9pZPTIb
-----END CERTIFICATE-----

I’m working with an Apache 2.2.3 server. When the certs were generated, I received four files cert1.pem, chain1.pem, fullchain1.pem, and privkey1.pem. The private key was easy to install. My server has ca.pem file that holds the certificate chain and a localhost.crt file that holds the certificate. I have tried installing the cert two different ways (well, actually as many ways as I can think of, but these are the main ones). I copied the fullchain1.pem file over to the ca.cert file and removed the bottom cert and moved it into the localhost.crt file. That didn’t work. I also tried copying the chain1.crt into ca.pem and cert1.pem into localhost.crt. The Apache setting are below.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateChainFile /etc/pki/tls/certs/ca.pem

Why can’t my server validate these certs?

Thank you.

OpenSSL’s s_client doesn’t use a root bundle for verification by default. If you’re verifying with the tool, make sure to include the “-CAfile” parameter and point it to the location of the root bundle on your system. The location can vary by distribution, but it’s usually under /etc/ssl, /etc/tls, or /etc/pki somewhere. In CentOS, it’s under /etc/pki/tls/certs/ca-bundle.crt, for example.

Altenrately, gnutls-cli works well and automatically uses the system root store to verify certificate chains. Likewise, ncat (included as part of nmap) also supports verifying certificate chains.

Hi @rdill17

Your server is correctly configured. You can also use an online scanner to verify this. https://www.ssllabs.com/ssltest/analyze.html?d=dw.cameron.edu&hideResults=on&latest

So others can benefit below are some screenshots.

A) Download the Mozilla CA Root Cert bundle from here: https://curl.haxx.se/ca/cacert.pem
B) Place it in a folder (I have used a folder called LE_TRAINING)

C) run as you have

openssl s_client -connect dw.cameron.edu:443

D) Run with the CA Root Cert Bundle

openssl s_client -connect dw.cameron.edu:443 -CAfile .\MOZILLA_ROOT_BUNDLE.pem

image.png832×281 12.6 KB

E) There is one other test I recommend you do with OpenSSL and that is to check SNI behaviour

openssl s_client -connect dw.cameron.edu:443 -CAfile .\MOZILLA_ROOT_BUNDLE.pem -servername dw.cameron.edu

image.png850×250 9.78 KB

Hope this helps. I would also suggest that you review Mozillas TLS Server Guidelines as you have some weak ciphers on your server.

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Andrei

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.