Be careful you are not checking the web server from a browser that has the
intermediate certificate installed.

Obtain the root certificate - and only the root certificate - that is likely
to be present in a random user's browser and save it as thawte_root_cert.pem:

  openssl s_client -verify 10 -CAfile thawte_root_cert.pem -connect strategic.wiki.csupomona.edu:443

On Sep 13, 2010, at 12:58 PM, Paul B. Henson wrote:

> We just installed our first Thawte cert that uses their intermediate CA's,
> and it's not going as smoothly as I'd like.
>
> It's installed on an Apache server with mod_ssl, and I added the
> intermediate root CA's to the apache config with the SSLCACertificateFile
> directive. Web browsers seem happy with it, they validate the cert with no
> errors.
>
> I'm having trouble with command line tools under Linux though, including
> openssl itself.
>
> openssl won't correctly validate the cert:
>
> ------------------------------------------------------------------------
> $ openssl s_client -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443
> CONNECTED(00000003)
> depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
>    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> ------------------------------------------------------------------------
>
> It works fine, OTOH, with a cert signed directly by the Thawte Premium
> Server CA:
>
> ------------------------------------------------------------------------
> $ openssl s_client -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect www.csupomona.edu:443
> CONNECTED(00000003)
> depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
> verify return:1
> depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/CN=www.csupomona.edu
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/CN=www.csupomona.edu
>    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
>  1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
>    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> ------------------------------------------------------------------------
>
> As I mentioned, web browsers work fine, and I think the server is
> configured correctly. Also, gnutls-cli works fine on the same box:
>
> ------------------------------------------------------------------------
> $ gnutls-cli --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443
> Processed 1 CA certificate(s).
> Resolving 'strategic.wiki.csupomona.edu'...
> Connecting to '134.71.247.55:443'...
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 1024 bits
> - Secret key: 1021 bits
> - Peer's public key: 1024 bits
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
> - subject `C=US,ST=California,L=Pomona,O=California State Polytechnic University\, Pomona,OU=I&IT Systems,CN=strategic.wiki.csupomona.edu', issuer `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-09-10 00:00:00 UTC', expires `2011-09-10 23:59:59 UTC', SHA-1 fingerprint `57292bcd7541c56c7b664705f0192b43a927056c'
> - Certificate[1] info:
> - subject `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', issuer `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-08 00:00:00 UTC', expires `2020-02-07 23:59:59 UTC', SHA-1 fingerprint `73e42686657aece354fbf685712361658f2f4357'
> - Certificate[2] info:
> - subject `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', issuer `C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,email=premium-ser...@thawte.com', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-17 00:00:00 UTC', expires `2020-12-30 23:59:59 UTC', SHA-1 fingerprint `1fa490d1d4957942cd23545f6e823d0000796ea2'
> - The hostname in the certificate matches 'strategic.wiki.csupomona.edu'.
> - Peer's certificate is trusted
> ------------------------------------------------------------------------
>
> Why won't openssl verify the cert? It seems to stop and give up right after
> seeing the server cert, rather than downloading the rest of the certs in
> the chain. I'm assuming this is why all of the tools built on top of
> openssl (wget, ldapsearch, etc) are all failing:
>
> ------------------------------------------------------------------------
> $ wget https://strategic.wiki.csupomona.edu/
> --2010-09-13 12:55:57--  https://strategic.wiki.csupomona.edu/
> Resolving strategic.wiki.csupomona.edu... 134.71.247.55
> Connecting to strategic.wiki.csupomona.edu|134.71.247.55|:443... connected.
> ERROR: cannot verify strategic.wiki.csupomona.edu's certificate, issued by /C=US/O=Thawte, Inc./CN=Thawte SSL CA:
>   Unable to locally verify the issuer's authority.
> ------------------------------------------------------------------------
>
> But again, a server with a directly signed cert works fine:
>
> ------------------------------------------------------------------------
> $ wget https://www.csupomona.edu/
> --2010-09-13 12:57:27--  https://www.csupomona.edu/
> Resolving www.csupomona.edu... 134.71.177.148
> Connecting to www.csupomona.edu|134.71.177.148|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> ------------------------------------------------------------------------
>
> Any help much appreciated, thanks...
>
> --
> Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst | hen...@csupomona.edu
> California State Polytechnic University | Pomona CA 91768
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
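The failure in the thread is what OpenSSL reports when the issuer of the server certificate is neither in the trust store nor supplied alongside the leaf. The script below is an added example, not code from either post: it builds a constructed root -> intermediate -> leaf chain with openssl, shows that the root alone cannot verify the leaf (the error-20 symptom above), and that supplying the intermediate as untrusted chain material fixes it. All names, subjects and the temporary directory are assumptions of this example.

```shell
# Added example (not from either post): a constructed root -> intermediate -> leaf
# chain showing the error-20 symptom from the thread and its cure. Names, paths
# and the temporary directory are assumptions of this example.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed self-signed root CA (stands in for the root a user's browser trusts).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 365 >/dev/null 2>&1

# Constructed intermediate CA issued by the root; CA:TRUE is required or
# openssl will not accept it as an issuer when building the chain.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 365 -extfile inter.ext >/dev/null 2>&1

# Constructed server (leaf) certificate issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 365 >/dev/null 2>&1

# verify_leaf ROOT [INTERMEDIATE]: returns 0 when openssl can chain leaf.pem to ROOT.
# The intermediate goes in via -untrusted, the role it has when a server sends it
# in the handshake; it is deliberately not added to the trust store.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
  fi
}

# The thread's symptom: the root alone cannot verify a leaf whose issuer is absent.
root_only_fails() { ! verify_leaf root.pem; }
# Supplying the intermediate as untrusted chain material makes the leaf verify.
with_intermediate_ok() { verify_leaf root.pem inter.pem; }

root_only_fails && echo "root alone: unable to get local issuer certificate"
with_intermediate_ok && echo "root + intermediate: OK"
```

The same split-trust check applies to a live server: dump its chain with `openssl s_client -showcerts`, keep only the root in the `-CAfile`, and pass the remaining certificates to `openssl verify -untrusted`.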