[Nix-dev] Installing CA certificates

Adam Russell adamlr6 at gmail.com
Tue Feb 23 00:01:54 CET 2016


Thanks Guillaume; your reply is very informative. I'll investigate as soon
as I have a chance and get back to you.

On Mon, Feb 22, 2016 at 11:42 AM Guillaume Maudoux (Layus) <
layus.on at gmail.com> wrote:

> Just my two cents, but could you test again your openssl command with
> `-partial_chain` ?
> Like in `openssl s_client -connect {HOSTNAME}:443 -partial_chain` ?
>
> My reasoning is that, most probably, the certificate downloaded by
> chrome is an intermediate certificate, signed by some authority for your
> website, and not self-signed.
> Adding that certificate to the trust store does not make openssl (nor
> anyone else) trust your website, unless you explicitly accept partial
> chains.
> This is because an intermediate certificate cannot be used as a root
> (=self-signed) certificate.
>
> To solve the issue, you need to add the root certificate to
> /etc/ssl/certs/ca-certificates.crt,
> the one that is self-signed in the chain dumped by `openssl s_client
> -connect {HOSTNAME}:443 -showcerts`.
> Alternatively, when saving the certificate with chrome, you have an
> option to dump the whole certificate chain instead of only the last
> certificate in the chain.
>
> You must then include the root certificate (or the full chain, it does
> not matter) to security.pki.certificates.
> To avoid errors, typos and such, you can use
> `security.pki.certificateFiles = [ /path/to/your/root-cert.pem ]`
>
> Then, `openssl s_client -connect {HOSTNAME}:443` should work!
>
> Partial chains would be perfect for you but it is not a widely
> implemented feature and there is often no option to enable it.
> And that's the whole story...
>
> G.
>
> On 22/02/16 16:13, Adam Russell wrote:
> > Here's the full output of those two commands (substituting domain name
> > and IP address):
> >
> > $ curl --cacert /etc/ssl/certs/ca-certificates.crt -v
> > https://exch1.example.com/owa/
> > *   Trying 10.10.1.234...
> > * Connected to exch1.example.com (10.10.1.234) port 443 (#0)
> > * Cipher selection:
> > ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> > * successfully set certificate verify locations:
> > *   CAfile: /etc/ssl/certs/ca-certificates.crt
> >   CApath: none
> > * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.0 (IN), TLS handshake, Server hello (2):
> > * TLSv1.0 (IN), TLS handshake, Certificate (11):
> > * TLSv1.0 (OUT), TLS alert, Server hello (2):
> > * SSL certificate problem: unable to get local issuer certificate
> > * Closing connection 0
> > * TLSv1.0 (OUT), TLS alert, Client hello (1):
> > curl: (60) SSL certificate problem: unable to get local issuer certificate
> > More details here: http://curl.haxx.se/docs/sslcerts.html
> >
> > curl performs SSL certificate verification by default, using a "bundle"
> >  of Certificate Authority (CA) public keys (CA certs). If the default
> >  bundle file isn't adequate, you can specify an alternate file
> >  using the --cacert option.
> > If this HTTPS server uses a certificate signed by a CA represented in
> >  the bundle, the certificate verification probably failed due to a
> >  problem with the certificate (it might be expired, or the name might
> >  not match the domain name in the URL).
> > If you'd like to turn off curl's verification of the certificate, use
> >  the -k (or --insecure) option.
> > $ openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number:
> >             04:00:00:00:00:01:15:4b:5a:c3:94
> >     Signature Algorithm: sha1WithRSAEncryption
> >         Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
> >         Validity
> >             Not Before: Sep  1 12:00:00 1998 GMT
> >             Not After : Jan 28 12:00:00 2028 GMT
> >         Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >                 Public-Key: (2048 bit)
> >                 Modulus:
> >                     00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b:
> >                     83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0:
> >                     63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89:
> >                     8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c:
> >                     70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50:
> >                     15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0:
> >                     6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2:
> >                     89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7:
> >                     54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c:
> >                     92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2:
> >                     75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9:
> >                     c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b:
> >                     bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91:
> >                     ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51:
> >                     63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa:
> >                     48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a:
> >                     07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93:
> >                     90:cf
> >                 Exponent: 65537 (0x10001)
> >         X509v3 extensions:
> >             X509v3 Key Usage: critical
> >                 Certificate Sign, CRL Sign
> >             X509v3 Basic Constraints: critical
> >                 CA:TRUE
> >             X509v3 Subject Key Identifier:
> >                 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
> >     Signature Algorithm: sha1WithRSAEncryption
> >          d6:73:e7:7c:4f:76:d0:8d:bf:ec:ba:a2:be:34:c5:28:32:b5:
> >          7c:fc:6c:9c:2c:2b:bd:09:9e:53:bf:6b:5e:aa:11:48:b6:e5:
> >          08:a3:b3:ca:3d:61:4d:d3:46:09:b3:3e:c3:a0:e3:63:55:1b:
> >          f2:ba:ef:ad:39:e1:43:b9:38:a3:e6:2f:8a:26:3b:ef:a0:50:
> >          56:f9:c6:0a:fd:38:cd:c4:0b:70:51:94:97:98:04:df:c3:5f:
> >          94:d5:15:c9:14:41:9c:c4:5d:75:64:15:0d:ff:55:30:ec:86:
> >          8f:ff:0d:ef:2c:b9:63:46:f6:aa:fc:df:bc:69:fd:2e:12:48:
> >          64:9a:e0:95:f0:a6:ef:29:8f:01:b1:15:b5:0c:1d:a5:fe:69:
> >          2c:69:24:78:1e:b3:a7:1c:71:62:ee:ca:c8:97:ac:17:5d:8a:
> >          c2:f8:47:86:6e:2a:c4:56:31:95:d0:67:89:85:2b:f9:6c:a6:
> >          5d:46:9d:0c:aa:82:e4:99:51:dd:70:b7:db:56:3d:61:e4:6a:
> >          e1:5c:d6:f6:fe:3d:de:41:cc:07:ae:63:52:bf:53:53:f4:2b:
> >          e9:c7:fd:b6:f7:82:5f:85:d2:41:18:db:81:b3:04:1c:c5:1f:
> >          a4:80:6f:15:20:c9:de:0c:88:0a:1d:d6:66:55:e2:fc:48:c9:
> >          29:26:69:e0
> > -----BEGIN CERTIFICATE-----
> > MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
> > A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
> > b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
> > MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
> > YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
> > aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
> > jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
> > xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
> > 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
> > snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
> > U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
> > 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
> > BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
> > AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
> > yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
> > 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
> > AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
> > DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
> > HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
> > -----END CERTIFICATE-----
> >
> >
> > On Fri, Feb 19, 2016 at 5:59 PM zimbatm <zimbatm at zimbatm.com> wrote:
> >
> >     I am starting to think that the installed certificate is not the
> >     right one.
> >     What if you run `curl --cacert /path/to/cert.pem -v
> >     https://yourservice` ? It would be useful to
> >     get the full output to make sure we didn't miss anything. And also
> >     the output of `openssl x509 -in /path/to/cert.pem -text`.
> >
> >     On Fri, 19 Feb 2016 at 22:28 Adam Russell <adamlr6 at gmail.com> wrote:
> >
> >         Using that page as reference, I ran this command:
> >
> >         certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i
> >         /etc/ssl/certs/ca-certificates.crt
> >
> >         That page did lead me to some other pages that might be helpful:
> >
> >         https://wiki.archlinux.org/index.php/Chromium/Tips_and_tricks#Adding_CAcert_certificates_for_self-signed_certificates
> >         http://blog.xelnor.net/firefox-systemcerts/
> >         https://chromium.googlesource.com/chromium/src/+/master/docs/linux_cert_management.md
> >
> >         And in particular, http://superuser.com/a/719047/73086
> >
> >         However, things still don't work, and running the openssl
> >         command as recommended in the last link doesn't give me the
> >         expected "verify return code" of 0 (ok). Instead, it's 21
> >         (unable to verify the first certificate).
> >
> >         This is all way over my head. I have some more reading to do.
> >         Once I do figure it out, I think I will suggest having the NixOS
> >         module take care of whatever steps are necessary to fix this,
> >         assuming it can be done in a reproducible manner.
> >
> >         On Fri, Feb 19, 2016 at 11:42 AM zimbatm <zimbatm at zimbatm.com> wrote:
> >
> >             Found this which might be useful to you:
> >             http://mindref.blogspot.co.uk/2011/02/nssdb-add-ca-certificate.html
> >
> >
> >             On Fri, 19 Feb 2016 at 17:36 zimbatm <zimbatm at zimbatm.com> wrote:
> >
> >                 curl should work just fine then. Can you paste the
> >                 output of `curl -v https://yoursite.com` ?
> >
> >                 Chromium uses NSS which has another mechanism for its
> >                 PKI which I don't know. Can you confirm that your cert
> >                 is also in /etc/pki/tls/certs/ca-bundle.crt ?
> >                 Also do you have anything under ~/.pki ?
> >
> >
> >                 On Fri, 19 Feb 2016 at 16:47 Adam Russell <adamlr6 at gmail.com> wrote:
> >
> >                     The output is:
> >
> >                     $ echo $SSL_CERT_FILE
> >                     /etc/ssl/certs/ca-certificates.crt
> >                     $ echo $CURL_CA_BUNDLE
> >
> >                     $
> >
> >                     And yes, the certificates are in that file. Is there
> >                     another step that needs to happen for curl and
> >                     Chromium to be able to use them?
> >
> >                     On Fri, Feb 19, 2016 at 9:26 AM zimbatm <zimbatm at zimbatm.com> wrote:
> >
> >                         What is the output of `echo $SSL_CERT_FILE` and
> >                         `echo $CURL_CA_BUNDLE` ?
> >                         If one of those is set, look in the pointed file
> >                         if you can find your certificate.
> >
> >                         On Fri, 19 Feb 2016 at 15:12 Adam Russell <adamlr6 at gmail.com> wrote:
> >
> >                             Thomas, I've not used the openssl
> >                             command-line tool before, and looking at its
> >                             documentation I'm not sure what command I
> >                             would run in order to test it, or what
> >                             output to look for. I can tell you that curl
> >                             doesn't work against the domains in
> >                             question, though (at least without the
> >                             insecure flag).
> >
> >                             Regardless, with or without the "comment"
> >                             with the equal signs separator, adding
> >                             things to security.pki.certificates has no
> >                             effect for me. Is there a bug, or am I doing
> >                             something wrong?
> >
> >                             On Thu, Feb 18, 2016 at 1:31 PM Thomas Hunger <tehunger at gmail.com> wrote:
> >
> >                                 Hi Adam,
> >
> >                                 Can you make the TLS call work with a
> >                                 command line tool like openssl? I'm not
> >                                 100% sure but I think that Chrome might
> >                                 use a different set of trusted certs
> >                                 (based on the Mozilla ones) [1].
> >
> >                                 ~
> >
> >                                 [1]
> >                                 https://www.chromium.org/Home/chromium-security/root-ca-policy
> >
> >                                 On 18 February 2016 at 13:53, Adam Russell <adamlr6 at gmail.com> wrote:
> >
> >                                     Hello Nix-Dev,
> >
> >                                     I'm trying to understand how to
> >                                     install CA certificates in NixOS.
> >
> >                                     If I visit my work's webmail in
> >                                     Chromium, I get an indicator that my
> >                                     connection is not private. Clicking
> >                                     the padlock icon in the address bar,
> >                                     then the "Certificate information"
> >                                     link in the Connection tab, going to
> >                                     the "Details" tab, and clicking
> >                                     "Export" allows me to download a
> >                                     certificate.
> >
> >                                     The text in this export is what I am
> >                                     supposed to put in the array in
> >                                     `security.pki.certificates` option
> >                                     of `/etc/nixos/configuration.nix`,
> >                                     correct? Am I missing something?
> >
> >                                     The documentation I am using is at:
> >                                     https://github.com/NixOS/nixpkgs/blob/6e6a96d42cf56cfcd042bbeab89e37f442f0cfcc/nixos/modules/security/ca.nix#L39-L45
> >
> >                                     Does the text above the equal signs
> >                                     have any significance ("NixOS.org"
> >                                     in the example), or is it just a
> >                                     comment?
> >
> >                                     Thanks,
> >                                     -Adam
> >
> >
> >                                     _______________________________________________
> >                                     nix-dev mailing list
> >                                     nix-dev at lists.science.uu.nl
> >                                     http://lists.science.uu.nl/mailman/listinfo/nix-dev
> >
> >
>
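Guillaume's diagnosis above turns on one distinction: the certificate Chromium exports is usually the intermediate, and only the self-issued root at the end of the chain belongs in the trust store. The script below is an added example written for this archive page, not code from the thread, from NixOS or from OpenSSL. It splits a PEM bundle such as the one `openssl s_client -connect {HOSTNAME}:443 -showcerts` prints, walks each certificate's DER only as far as the issuer and subject names, and reports which entries are self-issued (subject equal to issuer), which is the shape a root has and therefore the entry to hand to `security.pki.certificateFiles`. It uses only the Python standard library; the OID table, the function names and the decision to decode name values as UTF-8 are my assumptions, and the sample input is the GlobalSign Root CA certificate exactly as Adam pasted it in the thread. Subject/issuer equality is a structural check, not a signature check, so it tells you which certificate to install, while `openssl verify` is still what confirms the chain actually validates.

```python
import base64
import re

# Sample input: the GlobalSign Root CA certificate as pasted in the thread above
# (a self-issued root, so its subject equals its issuer).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
"""

# Assumed, minimal OID table: the attribute types that appear in typical CA names.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}


def pem_to_der_list(text):
    """Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER body."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_name(buf, start, end):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as 'C=BE, O=..., CN=...'."""
    rdns, pos = [], start
    while pos < end:
        _, set_start, set_end, pos = read_tlv(buf, pos)      # RelativeDistinguishedName (SET)
        p = set_start
        while p < set_end:
            _, seq_start, _, p = read_tlv(buf, p)             # AttributeTypeAndValue (SEQUENCE)
            _, oid_s, oid_e, q = read_tlv(buf, seq_start)     # attribute type OID
            _, val_s, val_e, _ = read_tlv(buf, q)             # attribute value (string types)
            oid = decode_oid(buf[oid_s:oid_e])
            rdns.append(f"{OID_NAMES.get(oid, oid)}={buf[val_s:val_e].decode('utf-8', 'replace')}")
    return ", ".join(rdns)


def subject_issuer(der):
    """Walk Certificate -> tbsCertificate just far enough to read issuer and subject.

    Returns (subject, issuer, self_issued). self_issued compares the raw DER Names,
    which is what a root looks like; the signature itself is not verified here.
    """
    _, cert_s, _, _ = read_tlv(der, 0)                  # Certificate SEQUENCE
    _, pos, _, _ = read_tlv(der, cert_s)                # tbsCertificate SEQUENCE
    tag, _, _, nxt = read_tlv(der, pos)
    if tag == 0xA0:                                     # [0] EXPLICIT version, optional
        pos = nxt
    _, _, _, pos = read_tlv(der, pos)                   # serialNumber
    _, _, _, pos = read_tlv(der, pos)                   # signature AlgorithmIdentifier
    _, iss_s, iss_e, pos = read_tlv(der, pos)           # issuer Name
    _, _, _, pos = read_tlv(der, pos)                   # validity
    _, sub_s, sub_e, _ = read_tlv(der, pos)             # subject Name
    return (decode_name(der, sub_s, sub_e), decode_name(der, iss_s, iss_e),
            der[sub_s:sub_e] == der[iss_s:iss_e])


def classify_bundle(pem_text):
    """One (subject, issuer, self_issued) triple per certificate in the bundle."""
    return [subject_issuer(der) for der in pem_to_der_list(pem_text)]


def root_candidates(pem_text):
    """Subjects of the self-issued certificates: the entries for security.pki.certificateFiles."""
    return [subj for subj, _, self_issued in classify_bundle(pem_text) if self_issued]


if __name__ == "__main__":
    for subj, iss, self_issued in classify_bundle(SAMPLE_PEM):
        kind = "ROOT (self-issued)" if self_issued else "intermediate or leaf"
        print(f"{kind}\n  subject: {subj}\n  issuer:  {iss}")
```

Run against a real `-showcerts` dump, the leaf and the intermediate come out with differing subject and issuer and only the last entry, if the server sends it at all, is self-issued; a server that omits the root (which is normal) yields no candidate, and the root then has to be fetched from the CA or exported from the browser with the full-chain option Guillaume mentions.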

