Hi Andre, your perfect explanation resolved the issue on my FreeBSD platform. I did not expect the redundant requirement of the server cert in both the SSLCertificate and the SSLAuthorityChain. Most servers I'm working with need only the intermediate cert(s) in the chain file. The root CA cert from DST can be omitted from the chain file if that cert is in the root CA store on the client system. This is my current configuration in production, and I will learn whether it still works after the next LE cert rollover (-; Thanks again for your patience and your time, Axel
On 10.09.2016, at 02:41, Andre LaBranche <dre@apple.com> wrote:
Hi,
We expect the file (not directory) referenced by the SSLAuthorityChain config directive to contain a concatenation of the following, in this order:

server cert
intermediate CA certs
root CA cert
Once you have constructed such a chain file, you can verify it against the plain server cert file as follows:
% openssl verify -verbose -CAfile /path/to/chain.pem -purpose sslserver /path/to/cert.pem
/path/to/cert.pem: OK
Trying to verify without specifying the CAfile doesn't validate, as expected:
% openssl verify -verbose -purpose sslserver /path/to/cert.pem
/path/to/cert.pem: /CN=my-coolest-domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate
As a related aside, I tested this on my public server that uses LE (and which is running Server.app, not the open source CalendarServer), however modern versions of Server.app use an apache reverse proxy to do all the TLS for the backend services. Apache uses a similar setup, where the configuration specifies the server cert, the authority chain file (as described above), and the priv key - so I think it's a valid test.
Also I note that (using the Server tools), the authority chain file I ended up with has three certs in it:

my server cert
Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
... which I only mention because the letsencrypt software doesn't seem to include that final root cert in any of the files associated with my cert renewal. Perhaps it's already in my system's root CA store, so it was read from there while following the issuer chain upstream.
Hope this helps, -dre
On Sep 4, 2016, at 10:48 AM, Axel Rau <Axel.Rau@Chaos1.DE> wrote:
Hi,
I'm getting spurious 'certificate not trusted' errors on client programs on OSX 10.11.6. Server cert is from letsencrypt and worked so far, but:
- - -
[caldav3:local/etc/caldavd] root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav.lrau.net:8443
CONNECTED(00000003)
depth=0 CN = caldav.lrau.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = caldav.lrau.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = caldav.lrau.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=caldav.lrau.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
. . .
Verify return code: 21 (unable to verify the first certificate)
- - -

If I put the Let's Encrypt Authority X3 cert (https://letsencrypt.org/certificates/) in pem format into the config dir and point SSLAuthorityChain at it, I get:
- - -
root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav3.lrau.net:8443
CONNECTED(00000003)
34379258024:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
- - -
These certs work with all other servers. So what am I doing wrong?
Axel
Installed versions:
- - -
gettext-runtime-0.19.8.1 GNU gettext runtime libraries and programs
gmp-5.1.3_3 Free library for arbitrary precision arithmetic
indexinfo-0.2.4 Utility to regenerate the GNU info page index
libevent2-2.0.22_1 API for executing callback functions on events or timeouts
libffi-3.2.1 Foreign Function Interface
memcached-1.4.25 High-performance distributed memory object cache system
perl5-5.20.3_15 Practical Extraction and Report Language
pkg-1.8.7_1 Package manager
postgresql94-client-9.4.9 PostgreSQL database (client)
py27-PyGreSQL-5.0.1,1 Python interface to PostgreSQL, both classic and DP-API 2.0
py27-attrs-16.0.0 Python attributes without boilerplate
py27-calendar-0.15423 Library for iCalendar/vCard data
py27-calendarserver-8.0_8 Calendar and Contacts Server from Apple (RFC 4791, RFC 6352)
py27-cffi-1.7.0 Foreign Function Interface for Python calling C code
py27-characteristic-14.3.0 Python attributes without boilerplate
py27-cryptography-1.4 Cryptographic recipes and primitives for Python developers
py27-dateutil-2.5.0 Extensions to the standard Python datetime module
py27-enum34-1.1.6 Python 3.4 Enum backported to 3.3, 3.2, 3.1, 2.7
py27-idna-2.0 Internationalized Domain Names in Applications (IDNA)
py27-ipaddress-1.0.16 Python 3.3's ipaddress for Python 2.6 and 2.7
py27-openssl-16.0.0 Python interface to the OpenSSL library
py27-pg8000-1.10.6 Pure-Python Interface to the PostgreSQL Database
py27-psutil-4.3.0 Process utilities module for Python
py27-pyasn1-0.1.9 ASN.1 toolkit for Python
py27-pyasn1-modules-0.0.8_1 Collection of ASN.1 data structures for py-asn1
py27-pycparser-2.10 C parser in Python
py27-pycrypto-2.6.1_1 Python Cryptography Toolkit
py27-pytz-2016.6.1,1 World Timezone Definitions for Python
py27-service_identity-16.0.0 Service identity verification for pyOpenSSL
py27-setproctitle-1.1.10 Python module to customize the process title
py27-setuptools27-23.1.0 Python packages installer
py27-six-1.10.0 Python 2 and 3 compatibility utilities
py27-sqlite3-2.7.12_7 Standard Python binding to the SQLite3 library (Python 2.7)
py27-sqlparse-0.1.16 Non-validating SQL parser for Python
py27-twext-0.15423 Extensions to Twisted
py27-twisted-15.5.0 Asynchronous networking framework written in Python
py27-xattr-0.7.8 Python wrapper for extended filesystem attributes
py27-zope.interface-4.1.3 Interfaces for Python
python2-2_3 The "meta-port" for version 2 of the Python interpreter
python27-2.7.12 Interpreted object-oriented programming language
sqlite3-3.14.1 SQL database engine in a C library

OpenSSL 1.0.1p-freebsd 9 Jul 2015
FreeBSD caldav3 10.1-RELEASE-p35 FreeBSD 10.1-RELEASE-p35 #0: Sat May 28 03:37:01 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
--- PGP-Key:29E99DD6 ☀ computing @ chaos claudius
_______________________________________________ calendarserver-users mailing list calendarserver-users@lists.macosforge.org https://lists.macosforge.org/mailman/listinfo/calendarserver-users
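The chain-file construction Andre describes (server cert, then the intermediate CA cert(s), then the root CA cert, checked with openssl verify -CAfile) and Axel's follow-up point about leaving the root out when the client's trust store already has it, as an added example. This is not code from the thread, from CalendarServer or from Server.app: it generates a throwaway root CA, intermediate CA and server cert with the openssl command line tool, builds the chain file in that order and runs the three verification cases. The CA names, the host name caldav.example.test, the file names and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from CalendarServer: build a
# throwaway root CA -> intermediate CA -> server cert, assemble the
# SSLAuthorityChain file in the order Andre describes (server cert,
# intermediate CA cert(s), root CA cert) and check it with `openssl verify`
# the way he does. All subjects, file names and the host name are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = req\n' > "$WORK/req.cnf"

# csr <name> <subject>: fresh RSA key plus a CSR for it
csr() {
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# issue <name> <extfile> <issuer name>: sign <name>.csr with the issuer's key
issue() {
    openssl x509 -req -in "$WORK/$1.csr" -out "$WORK/$1.pem" -days 2 \
        -extfile "$WORK/$2" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial >/dev/null 2>&1
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:caldav.example.test\n' \
        > "$WORK/leaf.ext"

    # Root CA: self-signed, with explicit CA extensions so -purpose sslserver accepts it.
    csr root "/CN=Example Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -out "$WORK/root.pem" -days 2 -extfile "$WORK/ca.ext" >/dev/null 2>&1

    # Intermediate CA signed by the root, server cert signed by the intermediate.
    csr inter "/CN=Example Intermediate CA"
    issue inter ca.ext root
    csr server "/CN=caldav.example.test"
    issue server leaf.ext inter

    # The chain file: server cert first, then the intermediate(s), then the root.
    cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# verify_ok <cert> [<cafile>]: succeed only if `openssl verify` prints ": OK".
# Checking the output rather than the exit status works across OpenSSL
# versions (older releases exit 0 even when verification fails).
verify_ok() {
    if [ "$#" -ge 2 ]; then set -- -CAfile "$2" "$1"; else set -- "$1"; fi
    openssl verify -purpose sslserver "$@" 2>&1 | grep -q ': OK$'
}

# Andre's check: the server cert validates against the full chain file.
chain_verifies()          { verify_ok "$WORK/server.pem" "$WORK/chain.pem"; }
# Without -CAfile only the system trust store is consulted; it knows nothing
# about this throwaway CA, so the leaf's issuer cannot be found (error 20).
no_cafile_fails()         { ! verify_ok "$WORK/server.pem"; }
# Axel's point: an intermediate-only chain file is enough *if* the root is in
# the client's trust store. Ours is not, so this fails at depth 1
# (unable to get issuer certificate).
intermediate_only_fails() { ! verify_ok "$WORK/server.pem" "$WORK/inter.pem"; }
# Number of certificates in the chain file, listed by subject as Andre did.
chain_cert_count() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/chain.pem" \
        | openssl pkcs7 -print_certs -noout | grep -c '^subject'
}

build_pki
echo "certs in chain file: $(chain_cert_count)"
openssl crl2pkcs7 -nocrl -certfile "$WORK/chain.pem" \
    | openssl pkcs7 -print_certs -noout | grep '^subject'
for check in chain_verifies no_cafile_fails intermediate_only_fails; do
    if "$check"; then echo "$check: yes"; else echo "$check: NO"; fi
done
```

Run it as a script: it prints the three subjects in the chain file and "yes" for each of the three cases. The intermediate-only case fails here only because the throwaway root is in no trust store; with a root that the client's system store already carries, that is the configuration Axel says he runs in production.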