Task #3583

MNDeployment #3554: KNB

Production KNB node should return intermediate CA certs

Added by Chris Jones almost 11 years ago. Updated over 10 years ago.

Ben Leinfelder

In trying to connect over SSL from the command line (not a browser), I get:

cjones@boulder:~$ openssl s_client -connect -showcerts
depth=0 / Control Validated/
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 / Control Validated/
verify error:num=27:certificate not trusted
verify return:1
depth=0 / Control Validated/
verify error:num=21:unable to verify the first certificate
verify return:1

However, by explicitly accepting certificates signed by GoDaddy intermediate CAs, we get a verified result:

cjones@boulder:~$ openssl s_client -connect -showcerts -CAfile gd_intermediate_bundle.crt
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=
verify return:1
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/, Inc./OU= Daddy Secure Certification Authority/serialNumber=07969287
verify return:1
depth=0 / Control Validated/
verify return:1
Verify return code: 0 (ok)

The client shouldn't need to know about the intermediate CAs, just the Root CA, and so the KNB server should send the intermediate CA certs along in the challenge response. I noticed that this line is commented out in the knb-ssl config file:

#SSLCertificateChainFile /etc/ssl/certs/gd_intermediate_bundle.crt

and the intermediate bundle is not in /etc/ssl/certs.

Consult with Ben on this.
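To reproduce the failure mode offline, here is an added example that is not from the ticket or the KNB deployment: it uses the openssl CLI (assumed to be on PATH) to build a constructed root -> intermediate -> leaf chain, then verifies the leaf as a client that trusts only the root would. Without the intermediate the check fails with error 20, the first error in the s_client run above; with a leaf-plus-intermediate bundle, the equivalent of what SSLCertificateChainFile makes Apache send, it passes.

```shell
#!/bin/sh
# Added example (not from the ticket): reproduce the chain problem offline.
# Requires the openssl CLI; every file name and subject below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR: $1=csr $2=output cert $3=extension file; remaining arguments
# choose the signer (-signkey for the self-signed root, -CA/-CAkey otherwise).
sign_cert() {
    csr=$1; out=$2; ext=$3; shift 3
    openssl x509 -req -in "$csr" -out "$out" -days 1 -extfile "$ext" "$@" \
        >/dev/null 2>&1
}

make_chain() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=Constructed $name" >/dev/null 2>&1
    done
    sign_cert root.csr root.pem ca.ext   -signkey root.key
    sign_cert int.csr  int.pem  ca.ext   -CA root.pem -CAkey root.key -CAcreateserial
    sign_cert leaf.csr leaf.pem leaf.ext -CA int.pem  -CAkey int.key  -CAcreateserial
    # What a server with SSLCertificateChainFile set sends: leaf, then intermediate.
    cat leaf.pem int.pem > served_chain.pem
}

# Verify the leaf as a client that trusts only the root. $1 is optional: a file
# of extra, untrusted certs standing in for what the server presented.
# Prints the openssl verify error number on failure and nothing on success.
verify_leaf() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1) || true
    fi
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

make_chain
echo "root only, no intermediate: error '$(verify_leaf)'"                          # 20
echo "root + served chain:        error '$(verify_leaf "$WORK/served_chain.pem")'"  # empty
```

Error 20 is "unable to get local issuer certificate", exactly what s_client reported at depth 0 before the intermediate bundle was supplied.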

Related issues

Related to Infrastructure - Bug #3627: inconsistent SSL peer not auth exceptions with KNB content (godaddy CA) Rejected


#1 Updated by Chris Jones almost 11 years ago

  • Assignee changed from Chris Jones to Ben Leinfelder

Ben, I'm thinking we should uncomment the SSLCertificateChainFile line in the virtual host config. Do you remember why we commented it? I recall troubleshooting SSL issues with the KNB with you.

#2 Updated by Ben Leinfelder almost 11 years ago

Is this preventing anything other than openssl s_client from connecting with the KNB? We can certainly uncomment the intermediate cert and check that everything continues to work as expected.

#3 Updated by Rob Nahf over 10 years ago

It does cause libclient_java client apps to not be able to retrieve any objects from the KNB. Since we made the decision not to include the GoDaddy CA cert with libclient_java, we probably need to have KNB send the intermediate certificate.

#4 Updated by Ben Leinfelder over 10 years ago

  • Status changed from New to Closed
  • Remaining hours set to 0.0

wget'ed the gd bundle and uncommented the line. Rob and Matt report that their issues are resolved.
