[CalendarServer-users] SSLAuthorityChain does not work on 8.0

Axel Rau Axel.Rau at chaos1.de
Wed Sep 14 08:27:06 PDT 2016

Hi Andre,

your perfect explanation resolved the issue on my FreeBSD platform.

I did not expect the redundant requirement of the server cert in both the SSLCertificate and the SSLAuthorityChain.
Most servers, I’m working with, need only the intermediate cert(s) in the chain file.

The root CA cert from DST can be omitted in the chain file, if that cert is in the root CA store on the client system.
This is my current configuration in production and I will learn, if it still works after the next LE cert rollover (-;

Thanks again for your patience and your time,

> Am 10.09.2016 um 02:41 schrieb Andre LaBranche <dre at apple.com>:
> Hi,
> We expect the file (not directory) referenced by the SSLAuthorityChain config directive to contain a concatenation of the following, in this order:
> server cert
> intermediate CA certs
> root CA cert
> Once you have constructed such a chain file, you can verify it against the plain server cert file as follows:
> % openssl verify -verbose -CAfile /path/to/chain.pem -purpose sslserver /path/to/cert.pem
> /path/to/cert.pem: OK
> Trying to verify without specifying the CAfile doesn't validate, as expected:
> % openssl verify -verbose -purpose sslserver /path/to/cert.pem
> /path/to/cert.pem: /CN=my-coolest-domain.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
> As a related aside, I tested this on my public server that uses LE (and which is running Server.app, not the open source CalendarServer), however modern versions of Server.app use an apache reverse proxy to do all the TLS for the backend services. Apache uses a similar setup, where the configuration specifies the server cert, the authority chain file (as described above), and the priv key - so I think it's a valid test.
> Also I note that (using the Server tools), the authority chain file I ended up with has three certs in it:
> my server cert
> Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
> Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
> ... which I only mention because the letsencrypt software doesn't seem to include that final root cert in any of the files associated with my cert renewal. Perhaps it's already in my system's root CA store, so it was read from there while following the issuer chain upstream.
> Hope this helps,
> -dre
>> On Sep 4, 2016, at 10:48 AM, Axel Rau <Axel.Rau at Chaos1.DE> wrote:
>> Hi,
>> I’m getting spurious ‚certificate not trusted‘ errors on client programs on OSX 10.11.6
>> Server cert is from letsencrypt and worked so far, but:
>> - - -
>> [caldav3:local/etc/caldavd] root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav.lrau.net:8443
>> CONNECTED(00000003)
>> depth=0 CN = caldav.lrau.net
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 CN = caldav.lrau.net
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 CN = caldav.lrau.net
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/CN=caldav.lrau.net
>>  i:/C=US/O=Let’s Encrypt/CN=Let's Encrypt Authority X3
>> . . .
>> Verify return code: 21 (unable to verify the first certificate)
>> - - -
>> If I put Let’s Encrypt Authority X3 cert
>> 	https://letsencrypt.org/certificates/
>> in pem format into config dir and point SSLAuthorityChain at it, I get:
>> - - -
>> root# openssl s_client -no_ssl2 -no_ssl3 -showcerts -connect caldav3.lrau.net:8443
>> CONNECTED(00000003)
>> 34379258024:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:757:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 297 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> - - -
>> These certs work with all other servers.
>> So what am I doing wrong?
>> Axel
>> Installed versions:
>> - - -
>> gettext-runtime-       GNU gettext runtime libraries and programs
>> gmp-5.1.3_3                    Free library for arbitrary precision arithmetic
>> indexinfo-0.2.4                Utility to regenerate the GNU info page index
>> libevent2-2.0.22_1             API for executing callback functions on events or timeouts
>> libffi-3.2.1                   Foreign Function Interface
>> memcached-1.4.25               High-performance distributed memory object cache system
>> perl5-5.20.3_15                Practical Extraction and Report Language
>> pkg-1.8.7_1                    Package manager
>> postgresql94-client-9.4.9      PostgreSQL database (client)
>> py27-PyGreSQL-5.0.1,1          Python interface to PostgreSQL, both classic and DP-API 2.0
>> py27-attrs-16.0.0              Python attributes without boilerplate
>> py27-calendar-0.15423          Library for iCalendar/vCard data
>> py27-calendarserver-8.0_8      Calendar and Contacts Server from Apple (RFC 4791, RFC 6352)
>> py27-cffi-1.7.0                Foreign Function Interface for Python calling C code
>> py27-characteristic-14.3.0     Python attributes without boilerplate
>> py27-cryptography-1.4          Cryptographic recipes and primitives for Python developers
>> py27-dateutil-2.5.0            Extensions to the standard Python datetime module
>> py27-enum34-1.1.6              Python 3.4 Enum backported to 3.3, 3.2, 3.1, 2.7
>> py27-idna-2.0                  Internationalized Domain Names in Applications (IDNA)
>> py27-ipaddress-1.0.16          Python 3.3's ipaddress for Python 2.6 and 2.7
>> py27-openssl-16.0.0            Python interface to the OpenSSL library
>> py27-pg8000-1.10.6             Pure-Python Interface to the PostgreSQL Database
>> py27-psutil-4.3.0              Process utilities module for Python
>> py27-pyasn1-0.1.9              ASN.1 toolkit for Python
>> py27-pyasn1-modules-0.0.8_1    Collection of ASN.1 data structures for py-asn1
>> py27-pycparser-2.10            C parser in Python
>> py27-pycrypto-2.6.1_1          Python Cryptography Toolkit
>> py27-pytz-2016.6.1,1           World Timezone Definitions for Python
>> py27-service_identity-16.0.0   Service identity verification for pyOpenSSL
>> py27-setproctitle-1.1.10       Python module to customize the process title
>> py27-setuptools27-23.1.0       Python packages installer
>> py27-six-1.10.0                Python 2 and 3 compatibility utilities
>> py27-sqlite3-2.7.12_7          Standard Python binding to the SQLite3 library (Python 2.7)
>> py27-sqlparse-0.1.16           Non-validating SQL parser for Python
>> py27-twext-0.15423             Extensions to Twisted
>> py27-twisted-15.5.0            Asynchronous networking framework written in Python
>> py27-xattr-0.7.8               Python wrapper for extended filesystem attributes
>> py27-zope.interface-4.1.3      Interfaces for Python
>> python2-2_3                    The "meta-port" for version 2 of the Python interpreter
>> python27-2.7.12                Interpreted object-oriented programming language
>> sqlite3-3.14.1                 SQL database engine in a C library
>> OpenSSL 1.0.1p-freebsd 9 Jul 2015
>> FreeBSD caldav3 10.1-RELEASE-p35 FreeBSD 10.1-RELEASE-p35 #0: Sat May 28 03:37:01 UTC 2016     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>> ---
>> PGP-Key:29E99DD6  ☀  computing @ chaos claudius
>> _______________________________________________
>> calendarserver-users mailing list
>> calendarserver-users at lists.macosforge.org
>> https://lists.macosforge.org/mailman/listinfo/calendarserver-users

PGP-Key:29E99DD6  ☀  computing @ chaos claudius

More information about the calendarserver-users mailing list