[Nix-dev] Installing CA certificates

Guillaume Maudoux (Layus) layus.on at gmail.com
Mon Feb 22 18:42:19 CET 2016


Just my two cents, but could you test your openssl command again with
`-partial_chain`?
Like in `openssl s_client -connect {HOSTNAME}:443 -partial_chain`?

My reasoning is that, most probably, the certificate downloaded by
chrome is an intermediate certificate, signed by some authority for your
website, and not self-signed.
Adding that certificate to the trust store does not make openssl (nor
anyone else) trust your website, unless you explicitly accept partial
chains.
This is because an intermediate certificate cannot be used as a root
(=self-signed) certificate.

To solve the issue, you need to add the root certificate to
/etc/ssl/certs/ca-certificates.crt,
the one that is self-signed in the chain dumped by `openssl s_client
-connect {HOSTNAME}:443 -showcerts`.
Alternatively, when saving the certificate with chrome, you have an
option to dump the whole certificate chain instead of only the last
certificate in the chain.

You must then include the root certificate (or the full chain, it does
not matter) in security.pki.certificates.
To avoid errors, typos and such, you can use
`security.pki.certificateFiles = [ /path/to/your/root-cert.pem ]`

Then, `openssl s_client -connect {HOSTNAME}:443` should work!

Partial chains would be perfect for you but it is not a widely
implemented feature and there is often no option to enable it.
And that's the whole story...

G.

On 22/02/16 16:13, Adam Russell wrote:
> Here's the full output of those two commands (substituting domain name
> and IP address):
> 
> $ curl --cacert /etc/ssl/certs/ca-certificates.crt -v https://exch1.example.com/owa/
> *   Trying 10.10.1.234...
> * Connected to exch1.example.com (10.10.1.234) port 443 (#0)
> * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.0 (IN), TLS handshake, Server hello (2):
> * TLSv1.0 (IN), TLS handshake, Certificate (11):
> * TLSv1.0 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection 0
> * TLSv1.0 (OUT), TLS alert, Client hello (1):
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: http://curl.haxx.se/docs/sslcerts.html
> 
> curl performs SSL certificate verification by default, using a "bundle"
>  of Certificate Authority (CA) public keys (CA certs). If the default
>  bundle file isn't adequate, you can specify an alternate file
>  using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
>  the bundle, the certificate verification probably failed due to a
>  problem with the certificate (it might be expired, or the name might
>  not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
>  the -k (or --insecure) option.
> $ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             04:00:00:00:00:01:15:4b:5a:c3:94
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
>         Validity
>             Not Before: Sep  1 12:00:00 1998 GMT
>             Not After : Jan 28 12:00:00 2028 GMT
>         Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
>                     83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
>                     63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
>                     8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
>                     70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
>                     15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
>                     6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
>                     89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
>                     54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
>                     92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
>                     75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
>                     c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
>                     bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
>                     ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
>                     63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
>                     48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
>                     07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
>                     90:cf
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Subject Key Identifier: 
>                 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
>     Signature Algorithm: sha1WithRSAEncryption
>          d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
>          7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:
>          08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:
>          f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:
>          56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:
>          94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:
>          8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:
>          64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:
>          2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:
>          c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:
>          5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:
>          e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:
>          e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:
>          a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:
>          29:26:69:e0
> -----BEGIN CERTIFICATE-----
> MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
> A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
> b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
> MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
> YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
> aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
> jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
> xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
> 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
> snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
> U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
> 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
> BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
> AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
> yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
> 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
> AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
> DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
> HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
> -----END CERTIFICATE-----
> 
> 
> On Fri, Feb 19, 2016 at 5:59 PM zimbatm <zimbatm at zimbatm.com> wrote:
> 
>     I am starting to think that the installed certificate is not the
>     right-one.
>     What if you run `curl --cacert /path/to/cert.pem -v https://yourservice`?
>     It would be useful to get the full output to make sure we didn't miss
>     anything. And also the output of `openssl x509 -in /path/to/cert.pem -text`.
> 
>     On Fri, 19 Feb 2016 at 22:28 Adam Russell <adamlr6 at gmail.com> wrote:
> 
>         Using that page as reference, I ran this command:
> 
>         certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i /etc/ssl/certs/ca-certificates.crt
> 
>         That page did lead me to some other pages that might be helpful:
>         https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
>         http://blog.xelnor.net/firefox-systemcerts/
>         https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md
> 
>         And in particular, http://superuser.com/a/719047/73086
> 
>         However, things still don't work, and running the openssl
>         command as recommended in the last link doesn't give me the
>         expected "verify return code" of 0 (ok). Instead, it's 21
>         (unable to verify the first certificate).
> 
>         This is all way over my head. I have some more reading to do.
>         Once I do figure it out, I think I will suggest having the NixOS
>         module take care of whatever steps are necessary to fix this,
>         assuming it can be done in a reproducible manner.
> 
>         On Fri, Feb 19, 2016 at 11:42 AM zimbatm <zimbatm at zimbatm.com> wrote:
> 
>             Found this which might be useful to
>             you: http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html
> 
> 
>             On Fri, 19 Feb 2016 at 17:36 zimbatm <zimbatm at zimbatm.com> wrote:
> 
>                 curl should work just fine then. Can you paste the
>                 output of `curl -v https://yoursite.com` ?
> 
>                 Chromium uses NSS which has another mechanism for its
>                 PKI which I don't know. Can you confirm that your cert
>                 is also in /etc/pki/tls/certs/ca-bundle.crt ?
>                 Also do you have anything under ~/.pki ?
> 
> 
>                 On Fri, 19 Feb 2016 at 16:47 Adam Russell <adamlr6 at gmail.com> wrote:
> 
>                     The output is:
> 
>                     $ echo $SSL_CERT_FILE
>                     /etc/ssl/certs/ca-certificates.crt
>                     $ echo $CURL_CA_BUNDLE
> 
>                     $
> 
>                     And yes, the certificates are in that file. Is there
>                     another step that needs to happen for curl and
>                     Chromium to be able to use them?
> 
>                     On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimbatm at zimbatm.com> wrote:
> 
>                         What is the output of `echo $SSL_CERT_FILE` and
>                         `echo $CURL_CA_BUNDLE` ?
>                         If one of those is set, look in the pointed file
>                         if you can find your certificate.
> 
>                         On Fri, 19 Feb 2016 at 15:12 Adam Russell <adamlr6 at gmail.com> wrote:
> 
>                             Thomas, I've not used the openssl
>                             command-line tool before, and looking at its
>                             documentation I'm not sure what command I
>                             would run in order to test it, or what
>                             output to look for. I can tell you that curl
>                             doesn't work against the domains in
>                             question, though (at least without the
>                             insecure flag).
> 
>                             Regardless, with or without the "comment"
>                             with the equal signs separator, adding
>                             things to security.pki.certificates has no
>                             effect for me. Is there a bug, or am I doing
>                             something wrong?
> 
>                             On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehunger at gmail.com> wrote:
> 
>                                 Hi Adam,
> 
>                                 Can you make the TLS call work with a
>                                 command line tool like openssl? I'm not
>                                 100% sure but I think that Chrome might
>                                 use a different set of trusted certs
>                                 (based on the Mozilla ones) [1].
> 
>                                 ~
> 
>                                 [1]
>                                 https://www.chromium.org/Home/chromium-security/root-ca-policy
> 
>                                 On 18 February 2016 at 13:53, Adam Russell <adamlr6 at gmail.com> wrote:
> 
>                                     Hello Nix-Dev,
> 
>                                     I'm trying to understand how to
>                                     install CA certificates in NixOS.
> 
>                                     If I visit my work's webmail in
>                                     Chromium, I get an indicator that my
>                                     connection is not private. Clicking
>                                     the padlock icon in the address bar,
>                                     then the "Certificate information"
>                                     link in the Connection tab, going to
>                                     the "Details" tab, and clicking
>                                     "Export" allows me to download a
>                                     certificate.
> 
>                                     The text in this export is what I am
>                                     supposed to put in the array in
>                                     `security.pki.certificates` option
>                                     of `/etc/nixos/configuration.nix`,
>                                     correct? Am I missing something?
> 
>                                     The documentation I am using is
>                                     at: https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
> 
>                                     Does the text above the equal signs
>                                     have any significance ("NixOS.org"
>                                     in the example), or is it just a
>                                     comment?
> 
>                                     Thanks,
>                                     -Adam
> 
>                                     _______________________________________________
>                                     nix-dev mailing list
>                                     nix-dev at lists.science.uu.nl
>                                     <mailto:nix-dev at lists.science.uu.nl>
>                                     http://lists.science.uu.nl/mailman/listinfo/nix-dev
> 
> 
> 
> 

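An added example, not code from the thread or from NixOS, that reproduces the point Layus makes above with `openssl verify` instead of a live `s_client` session so that it runs offline: it generates a throwaway root, intermediate and leaf, then verifies the leaf against each candidate trust store. The CA names and the hostname exch1.example.com are made up for the demonstration. `-partial_chain` is a real option of both `openssl verify` and `openssl s_client` (OpenSSL 1.0.2 and later). Two caveats for doing this against a real server: many servers send only the leaf and the intermediate, so the self-signed root may not appear in the `-showcerts` dump at all and has to come from the CA's own site or from Chrome's "export chain" option; and a server that omits its intermediate produces the same curl error as a missing root, which the fourth check below shows.

```shell
#!/bin/sh
# Added example, not code from the thread or from NixOS. Builds a throwaway
# root -> intermediate -> leaf chain with openssl and shows why adding the
# intermediate to a trust store does not make the leaf verify unless partial
# chains are enabled. Hostname and CA names are made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="exch1.example.com"   # assumed, as in the thread

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# 1. Self-signed root CA: the only kind of certificate a bundle such as
#    /etc/ssl/certs/ca-certificates.crt can use as a trust anchor.
#    (`req -x509` adds basicConstraints CA:TRUE and a subject key id by default.)
q openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem"

# 2. Intermediate CA, signed by the root: this is the certificate Chrome's
#    "Export" typically hands over, and it is not self-signed.
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr"
printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$WORK/int.ext"
q openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.pem"

# 3. Server (leaf) certificate for $HOST, signed by the intermediate.
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$HOST" > "$WORK/leaf.ext"
q openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem"

# What `openssl s_client -showcerts` would dump if the server sent its whole chain.
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# verify_leaf: run `openssl verify` on the leaf with the given trust options.
# Returns 0 only when openssl both exits 0 and reports "<file>: OK".
verify_leaf() {
  out="$(openssl verify "$@" "$WORK/leaf.pem" 2>&1)" || return 1
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# self_signed_in: print the subject of every self-signed certificate in a PEM
# bundle, i.e. the root(s) to point security.pki.certificateFiles at.
self_signed_in() {
  bundle="$1"; dir="$(mktemp -d)"
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/part" n ".pem")}' "$bundle"
  for f in "$dir"/part*.pem; do
    subj="$(openssl x509 -noout -subject -in "$f")"; subj="${subj#subject=}"
    iss="$(openssl x509 -noout -issuer -in "$f")";   iss="${iss#issuer=}"
    [ "$subj" = "$iss" ] && printf '%s\n' "$subj"
  done
  rm -rf "$dir"
}

show() {  # one-line verdict for a trust configuration
  label="$1"; shift
  if verify_leaf "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

show "intermediate as trust anchor (what the Chrome export gives you)" -CAfile "$WORK/int.pem"
show "intermediate as trust anchor, -partial_chain"                     -partial_chain -CAfile "$WORK/int.pem"
show "root as trust anchor, intermediate sent by server"                -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem"
show "root as trust anchor, server omits intermediate"                  -CAfile "$WORK/root.pem"
show "full dumped chain used as the trust bundle"                       -CAfile "$WORK/chain.pem"
echo "self-signed certificate(s) in the dumped chain:"
self_signed_in "$WORK/chain.pem"
```

Run it with `sh chain-demo.sh`. The first line is FAIL and the second OK, which is exactly the difference between a bare `s_client` and `s_client -partial_chain` when only the intermediate has been installed; the fourth FAIL line is the other common source of curl's "unable to get local issuer certificate" and is fixed on the server by sending the intermediate, not by adding anything to the client bundle. The subject printed at the end is the certificate to export and reference from `security.pki.certificateFiles`.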
