Task #3583

MNDeployment #3554: KNB

Production KNB node should return intermediate CA certs

Added by Chris Jones about 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
High
Assignee:
Ben Leinfelder
Target version:
Start date:
2013-02-17
Due date:
% Done:

100%

Story Points:
Sprint:

Description

In trying to connect over SSL from the command line (not a browser), I get:

cjones@boulder:~$ openssl s_client -connect knb.ecoinformatics.org:443 -showcerts
CONNECTED(00000003)
depth=0 /O=*.ecoinformatics.org/OU=Domain Control Validated/CN=*.ecoinformatics.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=*.ecoinformatics.org/OU=Domain Control Validated/CN=*.ecoinformatics.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=*.ecoinformatics.org/OU=Domain Control Validated/CN=*.ecoinformatics.org
verify error:num=21:unable to verify the first certificate
verify return:1
...

However, by explicitly accepting certificates signed by GoDaddy intermediate CAs, we get a verified result:

cjones@boulder:~$ openssl s_client -connect knb.ecoinformatics.org:443 -showcerts -CAfile gd_intermediate_bundle.crt
CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify return:1
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
verify return:1
depth=0 /O=*.ecoinformatics.org/OU=Domain Control Validated/CN=*.ecoinformatics.org
verify return:1
...
Verify return code: 0 (ok)

The client shouldn't need to know about the intermediate CAs, just the Root CA, and so the KNB server should send the intermediate CA certs along in the challenge response. I noticed that this line is commented out in the knb-ssl config file:

#SSLCertificateChainFile /etc/ssl/certs/gd_intermediate_bundle.crt

and the intermediate bundle is not in /etc/ssl/certs.

Consult with Ben on this.
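To make the diagnostic above repeatable, here is an added Python helper (not part of the ticket or the KNB deployment) that parses `openssl s_client` output and flags a session where verification stalled at the leaf because no issuer certificate was available. The two sample sessions are constructed from the output quoted above, trimmed to the depth and verify lines; the leaf CN is assumed to be the wildcard *.ecoinformatics.org.

```python
import re

# Constructed samples built from the two sessions in the ticket (PEM blocks
# and the first run's "Verify return code" line are elided, as on the page).
LEAF = "/O=*.ecoinformatics.org/OU=Domain Control Validated/CN=*.ecoinformatics.org"
WITHOUT_CHAIN = f"""\
depth=0 {LEAF}
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 {LEAF}
verify error:num=27:certificate not trusted
verify return:1
depth=0 {LEAF}
verify error:num=21:unable to verify the first certificate
verify return:1
"""
WITH_CHAIN = f"""\
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify return:1
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify return:1
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
verify return:1
depth=0 {LEAF}
verify return:1
Verify return code: 0 (ok)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) ")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CODE_RE = re.compile(r"^Verify return code: (\d+) ")

def diagnose_chain(s_client_output: str) -> dict:
    """How deep the verifier got, which X509 errors it hit, whether it stalled at the leaf."""
    depths, errors, code = set(), {}, None
    for line in s_client_output.splitlines():
        if m := DEPTH_RE.match(line):
            depths.add(int(m.group(1)))
        elif m := ERROR_RE.match(line):
            errors[int(m.group(1))] = m.group(2)
        elif m := CODE_RE.match(line):
            code = int(m.group(1))
    verified_depth = max(depths) + 1 if depths else 0
    # Error 20 or 21 with nothing above depth 0 means the verifier never obtained the
    # leaf's issuer: either the server omitted the intermediate or the client has no
    # copy of it. Re-running with -CAfile, as in the ticket, tells the two apart.
    leaf_issuer_missing = verified_depth == 1 and bool(set(errors) & {20, 21})
    return {"verified_depth": verified_depth, "errors": errors,
            "verify_code": code, "leaf_issuer_missing": leaf_issuer_missing}
```

On real `-showcerts` output, counting `-----BEGIN CERTIFICATE-----` blocks additionally shows how many certificates the server actually sent, which is the number that changes once SSLCertificateChainFile is enabled.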


Related issues

Related to Infrastructure - Bug #3627: inconsistent SSL peer not auth exceptions with KNB content (godaddy CA) Rejected

History

#1 Updated by Chris Jones about 11 years ago

  • Assignee changed from Chris Jones to Ben Leinfelder

Ben, I'm thinking we should uncomment the SSLCertificateChainFile line in the virtual host config. Do you remember why we commented it? I recall troubleshooting SSL issues with the KNB with you.

#2 Updated by Ben Leinfelder about 11 years ago

Is this preventing anything other than openssl s_client from connecting with the KNB? We can certainly uncomment the intermediate cert and check that everything continues to work as expected.

#3 Updated by Rob Nahf about 11 years ago

It does cause libclient_java client apps to not be able to retrieve any objects from the KNB. Since we made the decision not to include the GoDaddy CA cert with libclient_java, we probably need to have KNB send the intermediate certificate.

#4 Updated by Ben Leinfelder about 11 years ago

  • Status changed from New to Closed
  • Remaining hours set to 0.0

wget'ed the gd bundle and uncommented the line. Rob and Matt report that their issues are resolved.
