SSL Problem - loose CA Bundle

  • Hi!


    I try to upload a certificate for a subdomain, but I always get the following error:


    Code
    [Wed May 7 20:08:21 2014] [debug] iMSCP::Dir::_get: Opening directory /var/www/imscp/engine/PerlLib/Servers
    [Wed May 7 20:08:21 2014] [debug] iMSCP::Dir::_get: Opening directory /var/www/imscp/engine/PerlLib/Addons
    [Wed May 7 20:08:21 2014] [debug] iMSCP::Execute::execute: Executing command: /usr/bin/openssl rsa -in /var/www/imscp/gui/data/certs/subdomain.pem -noout -passin file:/tmp/NsMBjCIoc_
    [Wed May 7 20:08:21 2014] [debug] iMSCP::Execute::getExitCode: External command exited with value 0
    [Wed May 7 20:08:21 2014] [debug] iMSCP::Execute::execute: Executing command: /usr/bin/openssl verify -CAfile /var/www/imscp/gui/data/certs/subdomain.pem /var/www/imscp/gui/data/certs/subdomain.pem
    [Wed May 7 20:08:21 2014] [debug] iMSCP::Execute::getExitCode: External command exited with value 2
    [Wed May 7 20:08:21 2014] [debug] iMSCP::OpenSSL::ssl_check_cert: /var/www/imscp/gui/data/certs/subdomain.pem: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    error 2 at 1 depth lookup:unable to get issuer certificate


    I took a look at the tested/created PEM file and saw that the CA bundle has lost the root CA certificate. This is why openssl verify could not resolve the trust chain. Is it a bug that only one CA certificate is transferred, or do I have to manage the root CA another way?


    regards
    exe

  • This means that your CA bundle is wrong.


  • Hi nuxwin!


    If I create the PEM container manually (crt, intermediate, root CA, key), the openssl check is valid. If I add the SSL certificates via the i-MSCP UI, I lose the root CA on PEM file generation, and with it the trust chain.


    I include the intermediate and the root CA in the "intermediate" field (in the UI). I think the process for this field works with only one certificate and ignores my second (root CA) certificate?


    [i-MSCP 1.1.5]
    [ubuntu 14.04]

  • Hello ;


    In the SSL certificate interface (client level), you must fill in the intermediate certificates in the correct order (in the intermediate certificate input field), and you must pay attention when you copy and paste them from a Windows operating system (possible encoding issues).


  • Hello nuxwin!


    I can do what I want... the intermediate field accepts only one certificate; the second is not in the generated PEM file. I have changed the order, but the second certificate from the intermediate field is always missing. The database saves my certificates correctly.


    I tried to include the 4th certificate (root CA) in one of the three fields, but each field accepts only one certificate. What can I do?


    Update: The UI reports an error if I do not include the root CA in the intermediate field, but if I include both certificates, the UI tells me that the certificate is OK. The problem of the second certificate from the intermediate field missing from the PEM file is still there.

  • Hi o-leary!


    In practice, the server delivers a lot of certificates, more than only the key, crt and the intermediate. At most, the server delivers up to 6 different certificates for the different trust paths. In one RFC (I don't know the number) it is recommended to send these certificates to the client, for more security and faster verification; take a look at ssllabs.com.


    If I can't include more than one certificate for a trust chain, I can't use a lot of certificates from Comodo and Verisign and specials like EV certificates. Even if the client has no problem resolving the trust chain, I have a problem including the certificate on my i-MSCP system, where the root CA is not included in the OS. I can manipulate the OS root CAs, but it is possible that I lose that on the next update. At the moment a lot of CAs are pushing new chains of trust, because the Heartbleed bug (CVE-2014-1060) has compromised the old/current chains.


    PS: In the previous version of i-MSCP it was no problem to include the trust chain.

  • Hello ;


    In the current i-MSCP version, it is also allowed to include the root CA in the bundle (on top of the intermediate certificate). What is your certificate type and provider?


  • Hi Laurent,
    today I had the same issue...
    I have a Thawte cert and I added the intermediate and the root cert in the text box for the intermediate cert.
    The status of the cert is OK and the URL under https works fine. But the PEM file does not include the root cert. Only the intermediate cert is inside this file.
    I have now checked the cert in the panel, and the intermediate and the root cert were saved successfully.


    Can you check this?

  • @TheCry
    I'm not sure I get you... What certificate type do you have? SSL123?
