Please either see nginx's documentation, look for other questions of this kind (the internet, including SE and SF, is full of them), or give an exact and detailed description of your problem. Your software (nginx in this case) needs to have access to a certificate file including the full trust chain, from the leaf certificate of your domain up to the root certificate of your CA (optional). But as you talk about servers, there's no point in including your own domain's certificate in the trust store. You only need to "install" a root certificate if it is not already trusted by your OS and you want it to be trusted.

The error message clearly says what is expected: "Expecting: TRUSTED CERTIFICATE". This is the opposite of a certificate, which holds the public key with additional information about the certificate chain, validity etc. The certificate could not be loaded, as you gave a private key.

The -a option is provided to the version command, which lists the version and other information.

$ openssl verify mywebsite.key

I get a message saying

139893743232656:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

You need to give openssl some information about where in the chain the certificates are needed: openssl verify

For example:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

The code is beginning to see widespread testing as the release of OpenSSL 1.1.0 approaches. It's been available in Master since that time. Viktor Dukhovni provided the implementation in January 2015. This normally means the list of trusted certificates is not complete. OpenSSL 1.1.0 provides built-in functionality for hostname checking and validation. The issuer certificate of a looked up certificate could not be found.
Looking at the manpage of verify(1ssl):

2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate

mywebsite.pem: OU = GT46830179, OU = See (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.

Or do you enter the root password every time you call a website?

$ openssl verify mywebsite.pem

Certificates in /etc/ssl/certs should be readable by everyone so that every user and every program can verify certificates. For certificate verification, root is not needed. OpenSSL only needs to be run as root when it needs to read private data such as private keys in /etc/ssl/private/.

I've removed that part of the question as there's no point in trying that. In a previous version of this question I was also asking about 'openssl verify'ing the.

Having problems with that, and I think it's (at least partially) because the SSL certificates somehow aren't installed correctly, as indicated by the above output. Trying to get nginx and gunicorn working with SSL. mywebsite.pem and mywebsite.key aren't actually the names of the files. Created mywebsite.crt and sslpointintermediate.crt by pasting into nano from the email sslpoint sent me. I created mywebsite.pem by running sudo cat mywebsite.crt sslpointintermediate.crt > mywebsite.pem. I created mywebsite.key by copying from sslpoint's certificate generator into nano.

Who uses OpenSSL? Anyone can use OpenSSL to manage SSL certificate installations. OpenSSL is compatible with both Windows and Linux distributions. OpenSSL is a free and open-source command line tool used to generate CSRs, create private keys, install an SSL certificate, and verify certificate information.
I cannot find anything in the OpenSSL documentation that explains why -CApath trusts the intermediate certificate by itself while -CAfile does have this same trust and requires the root certificate in order to verify the chain.

In /etc/ssl, when I do sudo openssl verify mywebsite.pem I get a message stating

mywebsite.pem: OU = GT46830179, OU = See (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -CApath trusted untrusted.pem

ServeTheHome is the IT professionals' guide to servers, storage, networking, and high-end workstation hardware.

$ openssl verify -CAfile intermediate.pem

Intel Xeon D 1749NT OpenSSL Verify Benchmark.

untrusted.pem: C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 SHA256 Code Signing CA
error 2 at 1 depth lookup:unable to get issuer certificate

$ openssl verify -CAfile trusted/intermediate.pem untrusted.pem

1 tomiii tomiii 1732 Aug 10 12:26 root.pem
1 tomiii tomiii 1915 Aug 10 12:26 intermediate.pem
1 tomiii tomiii 1753 Aug 10 12:27 untrusted.pem
drwxr-xr-x. 2 tomiii tomiii 4096 Aug 10 12:27 trusted

With -CApath, the directory need only contain the issuer of the certificate being verified; the root certificate need not be present.

drwxr-xr-x.

With -CAfile, the file must contain all of the certificates in the chain including the self-signed root. When using "openssl verify" to verify a certificate chain, I see two different behaviors depending on whether -CAfile or -CApath is specified.