[Nix-dev] Installing CA certificates
Adam Russell
adamlr6 at gmail.com
Mon Feb 22 16:13:44 CET 2016
Here's the full output of those two commands (substituting domain name and
IP address):
$ curl --cacert /etc/ssl/certs/ca-certificates.crt -v https://exch1.example.com/owa/
* Trying 10.10.1.234...
* Connected to exch1.example.com (10.10.1.234) port 443 (#0)
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.0 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
$ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:00:00:00:00:01:15:4b:5a:c3:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Validity
Not Before: Sep 1 12:00:00 1998 GMT
Not After : Jan 28 12:00:00 2028 GMT
Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
90:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
Signature Algorithm: sha1WithRSAEncryption
d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:
08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:
f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:
56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:
94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:
8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:
64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:
2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:
c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:
5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:
e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:
e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:
a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:
29:26:69:e0
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
On Fri, Feb 19, 2016 at 5:59 PM zimbatm <zimbatm at zimbatm.com> wrote:
> I am starting to think that the installed certificate is not the right one.
> What if you run `curl --cacert /path/to/cert.pem -v https://yourservice` ?
> It would be useful to get the full output to make sure we didn't miss
> anything. And also the output of `openssl x509 -in /path/to/cert.pem -text`.
>
> On Fri, 19 Feb 2016 at 22:28 Adam Russell <adamlr6 at gmail.com> wrote:
>
>> Using that page as reference, I ran this command:
>>
>> certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i
>> /etc/ssl/certs/ca-certificates.crt
>>
>> That page did lead me to some other pages that might be helpful:
>>
>> https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
>> http://blog.xelnor.net/firefox-systemcerts/
>>
>> https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md
>>
>> And in particular, http://superuser.com/a/719047/73086
>>
>> However, things still don't work, and running the openssl command as
>> recommended in the last link doesn't give me the expected "verify return
>> code" of 0 (ok). Instead, it's 21 (unable to verify the first certificate).
>>
>> This is all way over my head. I have some more reading to do. Once I do
>> figure it out, I think I will suggest having the NixOS module take care of
>> whatever steps are necessary to fix this, assuming it can be done in a
>> reproducible manner.
>>
>> On Fri, Feb 19, 2016 at 11:42 AM zimbatm <zimbatm at zimbatm.com> wrote:
>>
>>> Found this which might be useful to you:
>>> http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html
>>>
>>>
>>> On Fri, 19 Feb 2016 at 17:36 zimbatm <zimbatm at zimbatm.com> wrote:
>>>
>>>> curl should work just fine then. Can you paste the output of `curl -v
>>>> https://yoursite.com` ?
>>>>
>>>> Chromium uses NSS which has another mechanism for its PKI which I
>>>> don't know. Can you confirm that your cert is also in
>>>> /etc/pki/tls/certs/ca-bundle.crt ?
>>>> Also do you have anything under ~/.pki ?
>>>>
>>>>
>>>> On Fri, 19 Feb 2016 at 16:47 Adam Russell <adamlr6 at gmail.com> wrote:
>>>>
>>>>> The output is:
>>>>>
>>>>> $ echo $SSL_CERT_FILE
>>>>> /etc/ssl/certs/ca-certificates.crt
>>>>> $ echo $CURL_CA_BUNDLE
>>>>>
>>>>> $
>>>>>
>>>>> And yes, the certificates are in that file. Is there another step that
>>>>> needs to happen for curl and Chromium to be able to use them?
>>>>>
>>>>> On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimbatm at zimbatm.com> wrote:
>>>>>
>>>>>> What is the output of `echo $SSL_CERT_FILE` and `echo
>>>>>> $CURL_CA_BUNDLE` ?
>>>>>> If one of those is set, look in the pointed file if you can find your
>>>>>> certificate.
>>>>>>
>>>>>> On Fri, 19 Feb 2016 at 15:12 Adam Russell <adamlr6 at gmail.com> wrote:
>>>>>>
>>>>>>> Thomas, I've not used the openssl command-line tool before, and
>>>>>>> looking at its documentation I'm not sure what command I would run in order
>>>>>>> to test it, or what output to look for. I can tell you that curl doesn't
>>>>>>> work against the domains in question, though (at least without the insecure
>>>>>>> flag).
>>>>>>>
>>>>>>> Regardless, with or without the "comment" with the equal signs
>>>>>>> separator, adding things to security.pki.certificates has no effect for me.
>>>>>>> Is there a bug, or am I doing something wrong?
>>>>>>>
>>>>>>> On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehunger at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Adam,
>>>>>>>>
>>>>>>>> Can you make the TLS call work with a command line tool like
>>>>>>>> openssl? I'm not 100% sure but I think that Chrome might use a different
>>>>>>>> set of trusted certs (based on the Mozilla ones) [1].
>>>>>>>>
>>>>>>>> ~
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://www.chromium.org/Home/chromium-security/root-ca-policy
>>>>>>>>
>>>>>>>> On 18 February 2016 at 13:53, Adam Russell <adamlr6 at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello Nix-Dev,
>>>>>>>>>
>>>>>>>>> I'm trying to understand how to install CA certificates in NixOS.
>>>>>>>>>
>>>>>>>>> If I visit my work's webmail in Chromium, I get an indicator that
>>>>>>>>> my connection is not private. Clicking the padlock icon in the address bar,
>>>>>>>>> then the "Certificate information" link in the Connection tab, going to the
>>>>>>>>> "Details" tab, and clicking "Export" allows me to download a certificate.
>>>>>>>>>
>>>>>>>>> The text in this export is what I am supposed to put in the array
>>>>>>>>> in `security.pki.certificates` option of `/etc/nixos/configuration.nix`,
>>>>>>>>> correct? Am I missing something?
>>>>>>>>>
>>>>>>>>> The documentation I am using is at:
>>>>>>>>> https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
>>>>>>>>>
>>>>>>>>> Does the text above the equal signs have any significance
>>>>>>>>> ("NixOS.org" in the example), or is it just a comment?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> -Adam
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> nix-dev mailing list
>>>>>>>>> nix-dev at lists.science.uu.nl
>>>>>>>>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>>>>>>>>
>>>>>>>
>>>>>>
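Added example, not code from the thread and not NixOS's own: a POSIX shell script that inspects a PEM CA bundle the way the commands in this thread do, but for every certificate in the file rather than the first one. `openssl x509 -in bundle -text` reads only the first PEM block, which is why the output above shows the GlobalSign root and says nothing about whether a newly added CA is present. The script counts the certificates, splits the bundle while dropping text outside the BEGIN/END markers (such as a `NixOS.org` / `=====` header line of the kind the ca.nix example uses; OpenSSL's PEM reader skips such lines too), prints each certificate's subject, and runs `openssl verify -CAfile` for a certificate against the bundle, the same chain check curl's verification performs (hostname matching aside), which fails with "unable to get local issuer certificate" when the issuer is not in the bundle. The sample bundle is constructed from the GlobalSign Root CA PEM printed in the thread plus a made-up comment header; the function names and file layout are assumptions of this example, and openssl must be on PATH for the subject listing and verify steps.

```shell
#!/bin/sh
# Added example, not code from the thread or from NixOS.
# Inspects every certificate in a PEM CA bundle and verifies a certificate
# against that bundle. Needs only sh, grep and awk; openssl is required for
# the subject listing and the verify step.

# Number of certificates in a bundle (counts PEM BEGIN markers).
bundle_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split bundle $1 into $2/cert-001.pem, $2/cert-002.pem, ...
# Anything outside the BEGIN/END markers (for example a "NixOS.org" and
# "=====" header, as in the ca.nix example) is dropped, which is how
# OpenSSL's PEM reader treats such lines as well.
bundle_split() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; f = sprintf("%s/cert-%03d.pem", dir, n); inside = 1
        }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$1"
}

# Print "index  subject" for every certificate in bundle $1 (needs openssl).
# This is what "openssl x509 -in bundle -text" does not do: that command
# shows only the first PEM block of the file.
bundle_subjects() {
    dir=$(mktemp -d)
    bundle_split "$1" "$dir"
    i=0
    for f in "$dir"/cert-*.pem; do
        i=$((i + 1))
        printf '%3d  %s\n' "$i" "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$dir"
}

# Exit 0 if certificate $2 chains to a CA in bundle $1, non-zero otherwise.
# When the issuer is missing from the bundle, openssl reports "unable to
# get local issuer certificate", the same error curl printed in the thread.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2"
}

# Write a constructed one-certificate sample bundle to $1: a comment header
# (assumed, not from any real bundle) followed by the GlobalSign Root CA
# PEM that the thread's openssl output printed, so the script runs offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
NixOS.org (constructed comment line outside the PEM markers; ignored)
==========
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
EOF
}

# Usage: sh cabundle.sh /etc/ssl/certs/ca-certificates.crt [cert-to-check.pem]
if [ "$#" -ge 1 ]; then
    echo "certificates in $1: $(bundle_count "$1")"
    bundle_subjects "$1"
    if [ "$#" -ge 2 ]; then
        verify_against_bundle "$1" "$2"
    fi
fi
```

Running it as `sh cabundle.sh /etc/ssl/certs/ca-certificates.crt` lists every CA the bundle actually contains, which is the check that settles whether a certificate added through the system configuration ended up in the file. Passing the exported certificate as the second argument reproduces curl's verdict without a network round trip: "OK" means the bundle can build the chain, and "unable to get local issuer certificate" means the certificate that was added is not the issuer the server's chain needs.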