I am trying to configure my Apache so that it delivers all certificate files in order to always get a positive validation.
To be clear, there is no issue with any browsers; I am talking about openssl s_client and curl.
Running for example openssl s_client gives the following output:
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=DE/CN=xxx
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
...
subject=/C=DE/CN=xxx
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4602 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: C45A306052F9815DF5ED7CDC7B6AD21FE4E54AC47A7B51BF3BF433748DECB318
Session-ID-ctx:
Master-Key: 8396742DE006FC8CEAEDE280B2CD839D0575D1FAD51498C855825BED82D484CC28F8F1D9F549512F08182FCD3BFF3FCD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1411561048
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
closed
My apache configuration looks like:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl/....cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/....key.pem
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
I also tried to use the ca-bundle.pem as SSLCertificateChainFile and/or SSLCACertificateFile.
The second results in error 19 (self signed certificate in certificate chain).
How can I configure apache to deliver the "right" CA file to get around installing the CA cert on the client?
What is wrong?
Thanks for any hints.
You can't get around having the top-level CA certificate installed on the client; the CA certificate is required to establish the trust chain. Intermediate certificates may be supplied by the remote host (by Apache), but the top of the CA trust chain, the public CA root certificate, needs to be present on the client.
From your output it looks like your webserver has a certificate issued by StartCom Ltd., a.k.a. StartSSL.
It looks like the CA bundle certificate or CA directory on the host running openssl and cURL either does not include the StartCom Ltd. CA certificate, or the CA bundle or directory isn't loaded when you run those utilities. I think that is what results in the "verify error:num=20:unable to get local issuer certificate" error. I don't have a pure Debian box at hand, but Ubuntu may be similar enough that /etc/ssl/certs is the directory for CA certificates. You can try if forcing the CA file with -CAfile <filename> or -CApath /etc/ssl/certs on the openssl command line does work correctly.
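To see the three outcomes discussed above (OK, error 20, error 19) without a server at all, here is an added example, not from the question or the answer: it builds a throwaway root -> intermediate -> leaf chain and runs openssl verify with different combinations of "what the client trusts" (-CAfile) and "what the server sends" (-untrusted). It assumes an OpenSSL 1.1.0 or newer command line; the names TestRoot, TestIntermediate and www.example.test are constructed.

```shell
#!/bin/sh
# Added example, not from the question or answer: build a throwaway
# root -> intermediate -> leaf chain and reproduce the verify results
# discussed above (0 = OK, 20, 19) with nothing but `openssl verify`.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() (
  cd "$WORK"
  # Minimal req config so the example does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  # Root CA (self-signed): the role of "StartCom Certification Authority" in the question.
  openssl req -config req.cnf -newkey rsa:2048 -nodes -subj /CN=TestRoot -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null
  # Intermediate CA, signed by the root: the role of sub.class1.server.ca.pem.
  openssl req -config req.cnf -newkey rsa:2048 -nodes -subj /CN=TestIntermediate -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out int.crt 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -config req.cnf -newkey rsa:2048 -nodes -subj /CN=www.example.test -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -extfile leaf.ext -out leaf.crt 2>/dev/null
)

# verify_code TRUSTED [UNTRUSTED...]: print the numeric X509 verify error for
# leaf.crt (0 = OK). TRUSTED is what the client's trust store holds (may be
# empty); UNTRUSTED are the certificates the server sends alongside the leaf.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
verify_code() {
  trusted=""
  if [ -n "$1" ]; then trusted="-CAfile $WORK/$1"; fi
  shift
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $WORK/$c"; done
  # Word splitting of $trusted/$untrusted is deliberate; mktemp paths have no spaces.
  if out=$(openssl verify -no-CAfile -no-CApath $trusted $untrusted "$WORK/leaf.crt" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_chain
echo "root trusted, intermediate sent:            $(verify_code root.crt int.crt)"    # 0
echo "root NOT trusted, intermediate sent:        $(verify_code '' int.crt)"          # 20 (the question)
echo "root NOT trusted, intermediate + root sent: $(verify_code '' int.crt root.crt)" # 19 (the ca-bundle attempt)
echo "root trusted, no intermediate sent:         $(verify_code root.crt)"            # 20 at depth 0 (no chain file)
```

The last line is the case a missing SSLCertificateChainFile produces: the client trusts the root but cannot bridge the gap to the leaf, so only serving the intermediate (never the root) and trusting the root on the client side gives a clean verification.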