Task #3583
MNDeployment #3554: KNB
Production KNB node should return intermediate CA certs
Description
In trying to connect over SSL from the command line (not a browser), I get:
cjones@boulder:~$ openssl s_client -connect knb.ecoinformatics.org:443 -showcerts
CONNECTED(00000003)
depth=0 /O=.ecoinformatics.org/OU=Domain Control Validated/CN=.ecoinformatics.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=.ecoinformatics.org/OU=Domain Control Validated/CN=.ecoinformatics.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=.ecoinformatics.org/OU=Domain Control Validated/CN=.ecoinformatics.org
verify error:num=21:unable to verify the first certificate
verify return:1
...
However, by explicitly accepting certificates signed by GoDaddy intermediate CAs, we get a verified result:
cjones@boulder:~$ openssl s_client -connect knb.ecoinformatics.org:443 -showcerts -CAfile gd_intermediate_bundle.crt
CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify return:1
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
verify return:1
depth=0 /O=.ecoinformatics.org/OU=Domain Control Validated/CN=.ecoinformatics.org
verify return:1
...
Verify return code: 0 (ok)
The client shouldn't need to know about the intermediate CAs, just the Root CA, and so the KNB server should send the intermediate CA certs along in the challenge response. I noticed that this line is commented out in the knb-ssl config file:
#SSLCertificateChainFile /etc/ssl/certs/gd_intermediate_bundle.crt
and the intermediate bundle is not in /etc/ssl/certs.
Consult with Ben on this.
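A local reproduction of the failure mode described above, added here as an example (it is not part of the original ticket and not the KNB configuration): it generates a throwaway root/intermediate/leaf chain with openssl, then shows that a client trusting only the root cannot verify the leaf until the intermediate is also supplied, which is what uncommenting SSLCertificateChainFile makes Apache do. The names used (Example Root CA, knb.example) and an openssl CLI (1.1.1 or newer) on PATH are assumptions.

```shell
# Constructed root -> intermediate -> leaf chain, used to reproduce the ticket's
# error offline: a client holding only the root cert cannot build a chain to the
# leaf unless the server also presents the intermediate. Assumes openssl on PATH.
set -eu

# Write a throwaway chain (not the real GoDaddy one) into directory $1
build_chain() {
  dir=$1
  cat > "$dir/chain.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:knb.example
EOF
  # Self-signed root: the only certificate a well-behaved client needs to trust
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Root CA" \
    -config "$dir/chain.cnf" -extensions v3_ca -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -config "$dir/chain.cnf" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -set_serial 2 \
    -days 1 -sha256 -extfile "$dir/chain.cnf" -extensions v3_ca -out "$dir/intermediate.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate only
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=knb.example" \
    -config "$dir/chain.cnf" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/int.key" -set_serial 3 \
    -days 1 -sha256 -extfile "$dir/chain.cnf" -extensions v3_leaf -out "$dir/leaf.pem" 2>/dev/null
}

# Client trusts only the root and the server sends only the leaf: openssl reports
# "unable to get local issuer certificate", the same error 20 as in the ticket.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Same client, but the intermediate is presented too (the SSLCertificateChainFile fix)
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d)
build_chain "$d"
verify_leaf_only "$d" && echo "leaf only: verified" || echo "leaf only: NOT verified"
verify_with_chain "$d" && echo "with intermediate: verified" || echo "with intermediate: NOT verified"
```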
History
#1 Updated by Chris Jones almost 12 years ago
- Assignee changed from Chris Jones to Ben Leinfelder
Ben, I'm thinking we should uncomment the SSLCertificateChainFile line in the virtual host config. Do you remember why we commented it? I recall troubleshooting SSL issues with the KNB with you.
#2 Updated by Ben Leinfelder over 11 years ago
Is this preventing anything other than openssl s_client from connecting with the KNB? We can certainly uncomment the intermediate cert and check that everything continues to work as expected.
#3 Updated by Rob Nahf over 11 years ago
It does cause libclient_java client apps to not be able to retrieve any objects from the KNB. Since we made the decision not to include the GoDaddy CA cert with libclient_java, we probably need to have KNB send the intermediate certificate.
#4 Updated by Ben Leinfelder over 11 years ago
- Status changed from New to Closed
- Remaining hours set to 0.0
wget'ed the gd bundle and uncommented the line. Rob and Matt report that their issues are resolved.