X509v3 Basic Constraints: CA: FALSE - Need it to be TRUE

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jodywhitesides.com

I ran this command: openssl x509 -text -noout -in cert.pem

It produced this output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:ca:b6:78:1a:b6:9e:4e:35:5b:c0:7f:dd:1c:6d:ad:73:0a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
Validity
Not Before: Apr 17 05:14:57 2018 GMT
Not After : Jul 16 05:14:57 2018 GMT
Subject: CN = jodywhitesides.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
83:B0:AD:8F:78:65:C0:28:68:DE:B3:73:31:06:B1:65:C7:97:98:4F
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

        Authority Information Access: 
            OCSP - URI:http://ocsp.int-x3.letsencrypt.org
            CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

        X509v3 Subject Alternative Name: 
            DNS:ftp.jodywhitesides.com, DNS:jodywhitesides.com, DNS:mail.jodywhitesides.com, DNS:www.jodywhitesides.com
        X509v3 Certificate Policies: 
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org
              User Notice:
                Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

        CT Precertificate SCTs: 
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                            AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                Timestamp : Apr 17 06:14:57.705 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:46:02:21:00:E3:FF:FB:1D:83:8B:8D:3E:EF:D8:70:
                            34:83:24:BB:3F:12:C9:6A:53:8C:45:AA:C1:A8:85:7C:
                            34:76:BA:DC:3E:02:21:00:D6:D9:80:43:C3:80:35:64:
                            BE:A7:16:52:B8:C3:19:35:12:21:B4:FD:ED:A0:22:B5:
                            AA:B2:29:DA:2F:40:B7:10
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
                            6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
                Timestamp : Apr 17 06:14:57.761 2018 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:91:E6:A2:D2:94:50:65:1D:03:37:56:
                            75:9D:01:7B:A5:29:73:AD:A0:51:52:06:6E:28:58:CF:
                            8E:7B:42:91:13:02:20:56:6E:91:71:8A:8D:03:9F:6A:
                            59:01:F5:AC:D9:98:C7:9B:81:F0:82:24:4A:C9:13:67:
                            CE:AA:78:00:3D:E5:62
Signature Algorithm: sha256WithRSAEncryption

My web server is (include version): jodywhitesides.com

The operating system my web server runs on is (include version): Ubuntu 17.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no.

I’m running into an issue where I’m attempting to use PHPList for mailing list software. However, PHPList is running into an issue where the TLS certificate from Let's Encrypt is getting rejected due to the following issue:

“io-error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca”

In getting the information about the Let's Encrypt certs I’ve been issued, I can see that the CA is being set to FALSE. Is there a way to fix this, or to get the CA to be TRUE?

Thank you for any help that can be provided.

That’s more likely the cause of a missing intermediate certificate.

There’s no way you’ll get a CA:TRUE certificate, because that would mean you could issue certs for any name. This would be a grave breach of CA rules.


As @WinstonSmith points out, that's not what the error means - the CA flag is not involved here at all.

What's your PHPMAILERHOST and port number?

If it's mail.jodywhitesides.com on port 587 (STARTTLS), then the issue is that you are not sending the intermediate certificate with the end-entity certificate, which certainly could cause PHP to break in this way.

$ export DOM=mail.jodywhitesides.com; openssl s_client -starttls smtp -connect ${DOM}:587 -servername ${DOM} -showcerts
depth=0 CN = jodywhitesides.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = jodywhitesides.com
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=jodywhitesides.com
  i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=jodywhitesides.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2358 bytes and written 498 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 1A7626144D71E91535E0E0D8BFAFF4D901937BF42B7DFD29B7FBD6ABE0E6751CADC551F5EDCA7710F01E496EA94A1AB5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1524527742
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 HELP

I’m confused then, I have a cert.pem, a chain.pem, a fullchain.pem and a privkey.pem. Which would be the intermediate cert? And if that’s none of them, how do I get one from Let's Encrypt?

To answer your question about the PHPMAILERHOST and port number, yes. It's mail.jodywhitesides.com at 587, which is defined in the PHPList config file. Is there another way to do it that isn’t explained in their manual? Or is there a way to get the intermediate certificate to register?

Thanks for the help.

Have a look at the documentation for OpenSMTPD at https://www.opensmtpd.org/faq/certificates.html :

A certificate chain may be created by appending one or many certificates, including a Certificate Authority certificate, to certfile.

If you pass fullchain.pem as the certificate, it should solve your issue.

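As an added example (not from the thread, not Let's Encrypt's own tooling; all names and files are constructed placeholders), the script below builds a throwaway root/intermediate/leaf chain with openssl and then verifies the leaf the way a mail client that trusts only the root would: once with the server presenting cert.pem alone, once with fullchain.pem. The first case reproduces the "unable to get local issuer certificate" (error 20) seen in the s_client output above; the second verifies cleanly.

```shell
#!/bin/sh
# Added demo: root -> intermediate -> leaf chain, then verify the leaf with
# only the root trusted and different files "presented" by the server.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed extension files. The intermediate needs CA:TRUE; the leaf gets
# CA:FALSE, which is the correct value for an end-entity certificate.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# Root CA, self-signed. "req -x509" marks it CA:TRUE by default.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 2 2>/dev/null
# Intermediate signed by the root (the role "Let's Encrypt Authority X3" plays above).
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 2 -extfile ca.ext 2>/dev/null
# End-entity certificate signed by the intermediate: this is cert.pem.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout privkey.pem -out leaf.csr -subj "/CN=mail.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out cert.pem -days 2 -extfile leaf.ext 2>/dev/null
# chain.pem is the intermediate; fullchain.pem is cert.pem followed by chain.pem.
cp int.pem chain.pem
cat cert.pem chain.pem > fullchain.pem

# Number of certificates in a PEM bundle (cert.pem -> 1, fullchain.pem -> 2).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Verify cert.pem as a client that trusts only root.pem and received $1 from the
# server. Exit status is openssl's; the text is what the client would report.
verify_presented() { openssl verify -CAfile root.pem -untrusted "$1" cert.pem 2>&1; }

for presented in cert.pem fullchain.pem; do
    if out=$(verify_presented "$presented"); then
        echo "$presented ($(count_certs "$presented") certs): OK"
    else
        echo "$presented ($(count_certs "$presented") certs): $out"
    fi
done
```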

I’ll try the fullchain.pem instead of the cert.pem and report back.

That did the trick!! Thank you _az!

Now PHPList is working as it should.


🏆 This is a way better solution than issuing a certificate with CA:TRUE. 🙂


But where is your sense of (mis)adventure?!?!

…someone needs a vacation…

It’s somewhat path-constrained, I’m afraid.

