How to verify openssl certification chain
This document (7021187) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server 15 SP1
SUSE Linux Enterprise Server 15 GA
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server 12 SP3
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server 15 SP1
SUSE Linux Enterprise Server 15 GA
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server 12 SP4
SUSE Linux Enterprise Server 12 SP3
SUSE Linux Enterprise Server 12 SP2
SUSE Linux Enterprise Server 12 SP1SUSE Linux Enterprise Server 12 GA
Situation
Error message says "unknown CA" or "TLS certificate verification: Error, unable to get local issuer certificate"
Resolution
In order to check the certificate status, please proceed as below
As 'root' user, from a terminal window, type :
If the last command shows more than 2 numbers (for file sizes) printed then there is more than one cert provided.
To print out details to those certificates:
(Note: xx00 will only contain openssl output until first certificate shown, so it can be deleted)
The last ca certificate in chain needs to be in /var/lib/ca-certificates/openssl/ symlinked by his hash or base64 encoded in bundle file /var/lib/ca-certificates/ca-bundle.pem which is deprecated.
For smt a check if server cert issuer hash matches the CA cert hash can be done as follows:
on SMT:
There provided output must show identical results.
Following command should show the server cert location:
Per default SSLCertificatefile points to /etc/ssl/servercerts/servercert.pem, to check issuer hash
matches the hash from CA:
This should be equal to the output of "openssl s_client -connect <smtserver>". If not then Apache provides either the wrong, or an old, server certificate.
As 'root' user, from a terminal window, type :
cd /tmp
mkdir cert
cd cert
echo |openssl s_client -connect <server_name>:<port> -servername <server_name> -showcerts 2>&1 |csplit - '/-----BEGIN CERTIFICATE-----/' '{*}'
To print out details to those certificates:
rm xx00; for i in `ls xx*`; do openssl x509 -in $i -noout -subject -hash -issuer_hash; done
(Note: xx00 will only contain openssl output until first certificate shown, so it can be deleted)
The last ca certificate in chain needs to be in /var/lib/ca-certificates/openssl/ symlinked by his hash or base64 encoded in bundle file /var/lib/ca-certificates/ca-bundle.pem which is deprecated.
For smt a check if server cert issuer hash matches the CA cert hash can be done as follows:
on SMT:
openssl x509 -in /var/lib/CAM/YaST_Default_CA/cacert.pem -noout -hash -issuer_hash -dates -fingerprint openssl x509 -in /srv/www/htdocs/smt.crt -noout -hash -issuer_hash -dates -fingerprint
Following command should show the server cert location:
egrep -ir SSLCertificatefile /etc/apache2/|grep -v "#"
matches the hash from CA:
openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -hash -issuer_hash -dates -fingerprint
Cause
The CA certificate with the correct issuer_hash cannot be found.
Possible reasons:
Possible reasons:
- 1. Wrong openssl version or library installed (in case of e.g. custom ldap version e.g. under
/usr/local)- Check files are from installed package with "
rpm -V openssl" - Check if
LD_LIBRARY_PATHis not set to local library - Verify libraries used by openssl "
ldd $( which openssl)"
- Check files are from installed package with "
- CA Certificate does not reside within the trust store
- In case of ldaps: Environment variable
LDAPCONFpoints to a different config file with wrongTLS_CACERTset - CA-Bundle file/var/lib/ca-certificates/ca-bundle.pem or
/var/lib/ca-certificates/openssldoes not contain the certificate - to add call "update-ca-certificates" - When running zypper commands - Registration was not correct, please re-register without deleting or resetting registration
- In case of SMT client the SMT server still provides an old/invalid certificate.
- In case of ldaps: Environment variable
Additional Information
Additional CA certificates can be added in /etc/pki/trust/anchors/ or /usr/share/pki/trust/anchors/
The following command will apply certificates across the system:
If the openssl command successfully completes and shows an issuer_hash for a server certificate which is not known to the system:
The following command will apply certificates across the system:
update-ca-certificates
Additional note:
If the openssl command successfully completes and shows an issuer_hash for a server certificate which is not known to the system:
echo |openssl s_client -showcerts -connect <server>:<port> 2>&1 | tee /tmp/logfile_with_server_cert
openssl x509 -in /tmp/logfile_with_server_cert -noout -hash -issuer_hash
Additional note: The reason for this might be that the server provides CA certificates s which are signed by an trusted CA certificate already in storage: server cert -> CA -> CA -> CA (in trust store)
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7021187
- Creation Date: 08-Aug-2017
- Modified Date:16-Aug-2022
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
