I have set up a server with a SSL certificate, added the necessary chain, and done the apache set up. I have tested using:
openssl s_client -CAPath /etc/ssl/certs -connect www.example.org:443
and get various output including:
Verify return code: 0 (ok)
Both firefox and chrome are happy with the site, but some clients (including svn) report the certificate is rejected. What's wrong?
Here is the full output from openssl:
$ openssl s_client -CApath /etc/ssl/certs -connect www.aptivate.org:443
CONNECTED(00000003)
depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = [email protected]
verify return:1
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 O = *.aptivate.org, OU = Domain Control Validated, CN = *.aptivate.org
verify return:1
---
Certificate chain
0 s:/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
4 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVzCCBD+gAwIBAgIHJ+uaBU9wOjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlm
aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5
IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5Njky
ODcwHhcNMTEwMTEyMTcwNjE4WhcNMTQwMTEyMTcwNjE4WjBVMRcwFQYDVQQKDA4q
LmFwdGl2YXRlLm9yZzEhMB8GA1UECwwYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVk
MRcwFQYDVQQDDA4qLmFwdGl2YXRlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBANogFQnLwi8hKKJ6rm117cJSxeIOmt9dZT+5MsxQO7YesHM/hOuy
/Dk6WI6eaFPgms+w1EgEalbyaagMpnAoCnfQPfXFM221MzKXbD9w0+iXi3nwdCBw
vnsgPsCtaz1uDBrEALN+NympRyb8jGVWCaGY2ypPxpqvO8olkNSvrVhsFy+EdfmA
IPvCinuvBQXaUI6gcoEAM/yFE4u2a0NkXip/vmUgAH8u5Hz/ksx36J+oWpl59ofk
6K+VuudjRU8vpaoYY2HSL01p1w1b6QFHU2RvD/FrQg0spZXflfULULEbjcH69gEL
slg9oqL3coVS8XVN0wwWM10SHUQN4s2rhTsCAwEAAaOCAbQwggGwMA8GA1UdEwEB
/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29t
L2dkczEtMjguY3JsME0GA1UdIARGMEQwQgYLYIZIAYb9bQEHFwEwMzAxBggrBgEF
BQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYI
KwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNv
bS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20v
cmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKT
bEXW4u6FX5q653aZaMznMCcGA1UdEQQgMB6CDiouYXB0aXZhdGUub3JnggxhcHRp
dmF0ZS5vcmcwHQYDVR0OBBYEFIfBDt6TU0GGA1uyaEeC3yePHYgoMA0GCSqGSIb3
DQEBBQUAA4IBAQAjJ27yI6vf9QwFIWDiqyTx7jsWYJAGqPG0KsyNgMYBaXdSSY+b
q0dKSRtBwX8sM4sR1ahSNLFlajIy+3dzm/qsk16vKgV+NPgz+Zl7pqm6NaObW+uV
XWw9QHln7jvQXadhV9JXU4/mjF76/0eWs1egLhBn8vgtcqAS4ZckwxLXNmEGm729
IGIppZwe/yy66KJ2tahkCeWBcrNkdcnxsWsD60hfRR4fe8FrQMUxeeIca7c3LguG
0KhtI/fJN+iVORdfG8enJkjZzQW67z/W3gFM1AVIrnmu94DQ9Ro/vD7vp55YkBld
28o9agLg5Dl9cu5Xs7onqcTTJJpCp3AQHQE3
-----END CERTIFICATE-----
subject=/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 5325 bytes and written 416 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 5098DC94E1FF98BBD0DBA424A973728346F974FF02700928ECA32E27E10992F5
Session-ID-ctx:
Master-Key: DBE2733FE83E8B3105FD1F63D023AF4DFC5BBA028CC1DD35107FDC9F913A88E2F58C65FBC5839525BF4D529A7DBBA91E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1352195224
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Turned out there was a repeated certificate in the chain. openssl doesn't mind that, but gnutls does - and svn uses gnutls (as does LDAP and mutt, in case they are your problem). Here is the
gnutls-cli
command (for Ubuntu/Debian systems at least):Though you can see the chain with either gnutls or openssl. In the openssl output from above you can see there is a repeated certificate.
For gnutls to validate this, the
i:
(issuer) of each item in the chain must match thes:
(subject) of the next item.In this case I had put the certificate in it's own file, and put it in the chain file. So
0i
did not match1s
. This was enough to make svn reject the certificate.Any bad ordering causes this problem. So if you had 2 and 3 the wrong way around you would get validation errors.