SSL Problem - loose CA Bundle

  • @TheCry


    Well, the CA bundle (intermediate certs) is https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte ca/SSL123_CA_Bundle.pem


    Normally, you put the content of the CA bundle in the intermediate certificate field (i-MSCP GUI) and then when the PEM container file is created by i-MSCP, all is normally exported (SSL private key, CA bundle (here, two intermediate certificates), and the certificate itself).


    Here, what is the Root CA for you?


  • Ok,


    I eat and I'll process some tests after.


  • Re;


    Problem confirmed.


    Currently, i-MSCP proceeds as follows to import the certificate chain (private key, user certificate, intermediate certificate, Root certificate) into the final container (pem file):


    1. The private key is imported in the container with the following command:

        openssl rsa -in private.pem -out container.pem

    2. The user certificate is imported in the container with the following command:

        openssl x509 -in certificate.pem -outform PEM >> container.pem

    3. The CA Bundle (intermediate certificates, CA root) is imported in the container with the following command:

        openssl x509 -in bundle.pem -outform PEM >> container.pem


    The problem here is that the last command takes into account only the first certificate in the input file, meaning that any other intermediate certificates (including the CA Root certificate) are ignored and not imported into the final container, resulting in a partial certificate chain. In most cases, this will not cause any warning because most of the Root certificates are included in your distributions (see the ca-certificates package) and browsers too. However, it's recommended to include the full chain, so I'll fix this by using a simple concatenation.


    Thank you all for your report.


    For the record, the order in which the SSL objects must be added in the container is:

    • Private key
    • User certificate
    • Intermediate certificate
    • CA root certificate


    The CA root certificate is part of the CA Bundle, which is the concatenation of the intermediate certificates and the CA root certificate. Most of the providers do not include the CA root certificate (top-most certificate) in the CA bundle because this certificate is already included in the client browsers and is also part of the ca-certificates Debian package.


    @TheCry In your case, the inclusion of the CA root certificate (top-most certificate) in the certificate chain is optional for the reasons explained above. The certificate chain generated by i-MSCP doesn't include your CA root certificate but it's not really an issue because that certificate is already known by your browser.


    Of course, I'll fix this issue.

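    The truncation described above, reproduced as an added example (editor's illustration, not i-MSCP's code): `first_cert_only` mimics what `openssl x509 -in bundle.pem` keeps from a multi-certificate bundle, while `build_container` assembles the container in the key / certificate / intermediates / root order given above, either with the old single-certificate import or with plain concatenation. The key and certificate bodies are constructed placeholders so the script runs offline without openssl.

```python
import re

# Added illustration, not i-MSCP's own code: it reproduces in Python the
# effect of the two approaches discussed in the thread.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_blocks(text):
    """Return every PEM object in text as (type name, full block) pairs."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def first_cert_only(bundle):
    """Mimic `openssl x509 -in bundle.pem -outform PEM`: only the first
    CERTIFICATE object is read; everything after it is silently dropped."""
    certs = [blk for name, blk in pem_blocks(bundle) if name == "CERTIFICATE"]
    return certs[0] if certs else ""

def build_container(private_key, certificate, bundle, full_chain=True):
    """Assemble container.pem in the order given in the thread: private key,
    user certificate, intermediates, CA root. full_chain=False reproduces the
    old behaviour that truncated the bundle to its first certificate."""
    ca_part = bundle.strip() if full_chain else first_cert_only(bundle)
    parts = [private_key.strip(), certificate.strip(), ca_part]
    return "\n".join(p for p in parts if p) + "\n"

def chain_length(container):
    """Number of CERTIFICATE objects in a container (the key is not counted)."""
    return sum(1 for name, _ in pem_blocks(container) if name == "CERTIFICATE")

def chain_in_order(container, labels):
    """True if the given marker strings appear in the container in that order."""
    positions = [container.find(label) for label in labels]
    return all(p >= 0 for p in positions) and positions == sorted(positions)

# Constructed stand-ins: the bodies are placeholder text, not real key or
# certificate material, so the script runs offline without openssl.
KEY = "-----BEGIN RSA PRIVATE KEY-----\nKEYDATA\n-----END RSA PRIVATE KEY-----"
LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----"
# A bundle shaped like the Thawte SSL123 one: two intermediates plus the root.
BUNDLE = "\n".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % name
    for name in ("INTERMEDIATE1", "INTERMEDIATE2", "ROOT"))

if __name__ == "__main__":
    old = build_container(KEY, LEAF, BUNDLE, full_chain=False)
    new = build_container(KEY, LEAF, BUNDLE)
    print("old import (openssl x509):", chain_length(old), "certificates")
    print("concatenation:", chain_length(new), "certificates")
```

    On a real container, `openssl verify -untrusted bundle.pem certificate.pem` is the check that the leaf actually chains through the intermediates you are about to ship, rather than only being a well-formed certificate on its own.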

  • Good morning Laurent,
    thanks for testing and explaining. Yesterday I had a very strange problem. I'd added a cert Thawte SSL123. As you see there are 3 certs: 2 intermediate and the root cert. All was working fine.
    But one external server which uses curl in a php application doesn't connect to the php api of my server which uses this cert on the domain.
    2 other servers with the same php application which access the same php api on my server are working fine. After searching the whole day I got a hint from the php developer of the first external server:

    Quote

    According to curl: SSL certificate problem, verify that the CA cert is OK.
    Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


    After this hint it was clear where I had to search.
    Normally the root cert is not needed, but the second intermediate cert is, like you explained before.

  • Hi @All !


    Thanks for your analysis and sorry for my gap - private life ...


    Yes, you have understood my problem :thumbsup:


    On my private server, I use mostly the Comodo PositiveSSL certifications. For my customers or at my work, there are a lot of certificates from Thawte/Symantec/VeriSign in use.


    Thanks for your help, good work !!

  • Some news about the planned changes regarding all your feedback:


    - The full chain will be imported
    - The whole chain will be checked through the GUI (for now, a check is made only per certificate. This is bad because this allows filling the form with a CA bundle (intermediate certificates) which doesn't match the certificate.)
    - Private key passphrase will no longer be stored in the database (To be confirmed)


    @TheCry Your problem will be solved with the 1.1.6 so ;)


  • Should be fixed in the last stable branch. See https://github.com/i-MSCP/imsc…11e08864fa7fd118204176efd


    @TheCry Can you give a try? This is a big commit so... ;)
