Closed. This question is not about programming or software development. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 days ago.
Improve this question
I've got some trouble with one of my clients (docker container based on Alpine) connecting a mail server with a Letsencrypt SSL certificate:
Nov 2 14:39:50 mail postfix/smtpd[878799]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
I know that Letsencrypt uses the new ISRG Root X1 since 1st Oct 2021. After Downloading the CA pem file from here https://letsencrypt.org/de/certificates/ I checked that the certificate is available.
Seems to be okay for me:
/etc/ssl/certs # grep -ri "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=" .
./4042bcee.1:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-isrgrootx1.pem.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./4042bcee.0:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-ISRG_Root_X1.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
Additionally I installed the Certificate by hand (snippet of the Dockerfile):
COPY etc/ssl/isrgrootx1.pem /usr/local/share/ca-certificates/
RUN apk update && apk add --no-cache ca-certificates && update-ca-certificates
No luck. The SSL chain seems to be strange (domain is masked with xxx):
/etc/ssl/certs # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=mail.xxx.de
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail.xxx.de
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4895 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D0DA2252D5091779AA2CDF832A856F846A2AFD4C4C73CEDA24D64647FD998CB4
Session-ID-ctx:
Master-Key: BA703221FC54ADE822079229A36672AADFF4621EBEFDDA338D3E5F8025DC9668BBAFA152A1708C569B72AFF09F80AC5D
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 18 80 2d 38 6c e0 da 60-77 43 b1 62 d7 80 84 3f ..-8l..`wC.b...?
0010 - 1e 28 23 23 f7 34 ef 30-21 09 a2 34 92 b7 bf 10 .(##.4.0!..4....
0020 - ae c1 b7 50 ea 85 11 32-1c 28 f9 09 9f ff 20 7a ...P...2.(.... z
0030 - 7b e2 61 8d 8d 06 e3 66-6e 7c 93 31 95 29 e9 2d {.a....fn|.1.).-
0040 - 6a 93 bc 06 1d e2 26 58-00 32 48 67 aa f5 45 ed j.....&X.2Hg..E.
0050 - b8 5a 0d 93 84 7e c4 36-cf 06 39 4f d3 6a 45 e1 .Z...~.6..9O.jE.
0060 - a6 fc 49 31 3a 1c c4 32-d3 ae d2 2c 2e 34 e9 c2 ..I1:..2...,.4..
0070 - 8c 58 ee 98 08 48 56 d9-58 c3 3a 2c 21 6e a8 3b .X...HV.X.:,!n.;
0080 - 85 22 9b 90 6c 21 06 79-f2 e6 6c b0 dd c9 1e 2c ."..l!.y..l....,
0090 - c1 62 11 4b 7b 19 5d ac-d9 ba 69 6a 17 fb 7b ab .b.K{.]...ij..{.
Start Time: 1636139076
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
---
250 CHUNKING
Here one of my Alpine Containers with a successfully connection:
/var/www/html # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.xxx.de
verify return:1
---
Certificate chain
0 s:CN = mail.xxx.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mail.xxx.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4834 bytes and written 435 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: A60E19C667530A8C575213D7ECCA704F55D32294779DDA198D182909ACF72EC9
Session-ID-ctx:
Resumption PSK: F341E73946627D59D9AEAEDDDF23D0F9B5BBFF8CE5603550A30E0A17BC884174A8883D2BBF1D4335D6835470A9DBED6D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 4e 14 1b 3c 6f 76 8f da-4c 91 b0 71 f0 95 f8 f6 N..<ov..L..q....
0010 - a2 bd 18 a8 75 00 a3 0c-dc 18 7a 95 2c 74 a4 62 ....u.....z.,t.b
0020 - 4e aa 8e d4 dc 75 6a 1e-1b 3b c1 87 9d ca ff ce N....uj..;......
0030 - 24 a4 7b fb 35 e8 c1 8e-ff a0 a4 38 db 52 7d fd $.{.5......8.R}.
0040 - 95 42 0d 8f 0b ba c4 5b-27 d5 94 2b bc f3 92 34 .B.....['..+...4
0050 - 41 e4 12 6e f7 c4 f0 33-81 bc 9d 07 12 8f b2 8b A..n...3........
0060 - f1 8d 59 2f ee 49 e6 c8-17 e6 66 64 b6 b8 8f a0 ..Y/.I....fd....
0070 - d0 40 bc 28 71 96 d1 a7-b9 e3 00 db ba 5b 85 43 .#.(q........[.C
0080 - e2 dc d0 42 21 8a d1 57-21 01 5e b9 5f e2 ec 16 ...B!..W!.^._...
0090 - fb 00 d6 5b ae b6 2b d1-42 c8 2c ae f6 2d 21 48 ...[..+.B.,..-!H
00a0 - dc d2 a9 c3 5c 75 33 21-a8 c2 ca d3 7b 86 ec 65 ....\u3!....{..e
00b0 - d2 1b 1f e5 c7 b2 45 94-96 56 48 74 e5 d5 22 18 ......E..VHt..".
00c0 - bf c4 5d f4 9e 1c 37 e2-b7 9a cc 3a e1 0e 9b ee ..]...7....:....
Start Time: 1636139616
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Any idea? Thank you very much!
I have created my own CA and an Intermediate CA
The Intermediate CA is signed from the self-signed CA and then I create a private key and a certificate for the web sites I have in my lab. The certificate has as common name the FQDN of the server (which is the same as the CA/IntCA).
The certificate has all the sites in the Subject Alternative Names.
Apache is configured like this for all sites:
# HTTP
<VirtualHost *:80>
ServerName trd.example.com
# Redirect any HTTP request to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
# Logging
LogLevel warn
ErrorLog logs/trd.example.com-error_log
CustomLog logs/trd.example.com-access_log combined
</VirtualHost>
<VirtualHost *:443>
ServerName trd.example.com
SSLEngine on
SSLCertificateKeyFile /etc/pki/tls/private/server.example.com_key.pem
SSLCertificateFile /etc/pki/tls/certs/server.example.com_chain.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
DocumentRoot /var/www/sites/trd
# Logging
LogLevel warn
ErrorLog logs/trd.example.com-error_log
CustomLog logs/trd.example.com-access_log combined
</VirtualHost>
The file server.example.com_chain.pem contains the site's certificate and the Intermediate's CA certificate. Apache starts, but then, when I connect to any site either with Firefox or Chrome, I get SSL errors.
I tried to verify the ssl with the openssl command and I get this error:
Verify return code: 7 (certificate signature failure)
The full output of the command is:
$ openssl s_client -connect trd.example.com:443
openssl s_client -connect trd.example.com:443
CONNECTED(00000003)
depth=2 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = hostmaster#example.com
verify return:1
depth=1 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = hostmaster#example.com
verify return:1
depth=0 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = hostmaster#example.com
verify error:num=7:certificate signature failure
verify return:1
depth=0 C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = hostmaster#example.com
verify return:1
---
Certificate chain
0 s:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = hostmaster#example.com
i:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = hostmaster#example.com
1 s:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = hostmaster#example.com
i:C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = hostmaster#example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEuzCCBB2gAwIBAgIUXaYFIVHY33EeSst3A22ExUzKjf8wCgYIKoZIzj0EAwIw
....
MQhgl8SAmayZK81mLpvO7SoUEjOUYyKzht08qjSJACDwGhFL5YuXydWcuTDPN+tv
CzYVuHq/HJcX8zocGzhz
-----END CERTIFICATE-----
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = hostmaster#example.com
issuer=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = hostmaster#example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3566 bytes and written 396 bytes
Verification error: certificate signature failure
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 7 (certificate signature failure)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 6999AE5E768A5068199C8AEC33395E11CAA6CD9A9AA00952C4EDED9FB14A6DCA
Session-ID-ctx:
Resumption PSK: F09B2927E48D9934395D9FB1364D70DE798EF30694687B0918B4517F8BD2B83E70FDA60640C9165FAF19EE81DAD97C03
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 27 c8 f4 bd 54 77 e3 70-9a 22 1e 9a 85 c6 07 92 '...Tw.p."......
0010 - 61 0c f4 33 53 aa 62 ba-ff fe a9 84 3f c6 35 32 a..3S.b.....?.52
0020 - 1b 70 e8 5e 67 ad 82 b0-70 a4 da 20 ae 18 8e ef .p.^g...p.. ....
0030 - bf b1 cf f6 1b ea 1d 4d-9e eb 8d 9f 80 ee 66 93 .......M......f.
0040 - a7 5e 53 54 a9 89 6e 5a-59 62 cc ac d6 90 91 1e .^ST..nZYb......
0050 - 3f db 75 f0 5c f9 72 3c-a3 8b c9 77 16 9f bf 4d ?.u.\.r<...w...M
0060 - ae 65 5a 5e 05 ae 84 45-8b 48 f7 a8 99 08 c1 c0 .eZ^...E.H......
0070 - d0 66 3f 54 c6 1f ca e3-1d a6 50 22 ab 92 80 c8 .f?T......P"....
0080 - 7f f5 be 6a 4d 4d 0a 7a-e6 82 6d e0 e6 72 32 e2 ...jMM.z..m..r2.
0090 - d4 ab e2 2a ea cb 00 83-c7 51 de 7c c3 52 1a 5e ...*.....Q.|.R.^
00a0 - 94 3e 38 81 cb 05 27 6e-0a f0 5d 32 27 ea 5f c4 .>8...'n..]2'._.
00b0 - 50 de b0 12 69 6a 3b 4f-ae cc 85 64 a2 93 1a b0 P...ij;O...d....
00c0 - 7d 60 04 6c a3 4b 3c de-7c 08 04 b1 8b 1f 53 d4 }`.l.K<.|.....S.
00d0 - 1e db 57 ca 08 f8 0c 8a-45 84 fe a7 f4 eb 88 2c ..W.....E......,
00e0 - 90 f5 96 f1 6a c4 54 eb-16 54 86 6c 9f bc b8 52 ....j.T..T.l...R
Start Time: 1585135481
Timeout : 7200 (sec)
Verify return code: 7 (certificate signature failure)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 844AB89D046A9564B4F71DE1689D63E295D796AA3DB3C97360A276216A711052
Session-ID-ctx:
Resumption PSK: 10DBA6252AECC4DC7A9567DA8CDA7C4B6695E0788D33533F155726628A8CBE9DC361A977473759402A9E2D2EA15698A7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 27 c8 f4 bd 54 77 e3 70-9a 22 1e 9a 85 c6 07 92 '...Tw.p."......
0010 - 7b f3 f1 29 8d 79 74 0f-43 bc f1 40 70 16 52 99 {..).yt.C..#p.R.
0020 - 78 6f e8 14 bc 4b 34 f8-7f 03 1c 26 70 6f d9 94 xo...K4....&po..
0030 - 92 e7 b4 b2 19 68 37 95-1e ab fa 42 ea ee de 4c .....h7....B...L
0040 - 45 da 86 c5 db 30 1a 60-91 85 d5 9e 05 0b e4 5f E....0.`......._
0050 - 5e eb c8 b8 94 f5 e0 a5-01 1c 60 cc 7c a0 bc 70 ^.........`.|..p
0060 - 10 55 c7 48 1c 2a 2b 57-06 ad dc b9 c1 56 e7 34 .U.H.*+W.....V.4
0070 - 4b bd 59 67 ad f0 d7 55-a3 07 26 10 7f c5 4f 87 K.Yg...U..&...O.
0080 - 96 7f 43 bf 8c 1b f5 84-37 f5 47 99 c7 8e a4 29 ..C.....7.G....)
0090 - 9f b6 43 79 43 27 04 33-7c 5d 2a ef cf 2c 15 1d ..CyC'.3|]*..,..
00a0 - 14 d0 a3 a1 4b ef c2 a2-02 c5 4c 75 74 08 d5 cf ....K.....Lut...
00b0 - 47 cc 02 fb a3 c2 e0 d8-87 ad e1 3b c6 f4 d6 aa G..........;....
00c0 - e6 cb a1 a8 6c e9 c9 e8-56 0a bf d4 3e fa 08 a0 ....l...V...>...
00d0 - 26 02 82 36 33 71 db 9f-bf ce b8 8f d7 ef 75 b3 &..63q........u.
00e0 - fb d1 38 56 81 b0 ed f6-c6 35 66 e3 87 bd 68 d9 ..8V.....5f...h.
Start Time: 1585135481
Timeout : 7200 (sec)
Verify return code: 7 (certificate signature failure)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
This is my chain certificate:
openssl x509 -text -noout -subject -in /etc/pki/tls/certs/server.example.com_chain.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5d:a6:05:21:51:d8:df:71:1e:4a:cb:77:03:6d:84:c5:4c:ca:8d:ff
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = hostmaster#example.com
Validity
Not Before: Mar 24 16:42:09 2020 GMT
Not After : Jan 15 11:00:00 2030 GMT
Subject: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = hostmaster#example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:eb:a7:c3:a0:23:d6:7a:ac:fb:4c:70:e1:cf:b9:
f2:4d:ff:d8:ed:9d:40:cb:e4:68:67:b0:02:d2:25:
03:15:37:18:31:e0:90:7f:2c:ff:dd:ef:da:64:9d:
e8:86:48:b3:75:9b:a7:8e:b2:70:e2:fb:d0:c3:b3:
74:42:52:57:65:35:db:0e:4f:57:57:a6:3c:ee:7b:
33:7d:1d:0e:25:e0:4a:eb:26:0c:f3:2b:04:23:c5:
6c:c0:95:0b:06:61:33:7d:ca:be:c3:b9:fa:f0:b2:
01:eb:9d:55:8d:cb:1f:3c:96:78:6a:8b:9e:66:9c:
26:6b:fa:8a:d9:2a:2c:3a:bf:73:97:78:4b:a8:6f:
41:7f:0a:f0:4a:63:e5:92:ca:f8:f8:7b:cf:0c:b2:
f3:7c:4d:ca:75:ed:0a:b2:99:f0:75:e0:7c:9f:e7:
b5:53:9a:08:3d:71:5d:f6:39:91:85:1e:47:04:0f:
5a:a2:26:b5:5f:4e:2d:d9:95:3b:32:88:b8:f4:54:
5e:1e:64:11:cd:cb:3c:17:4d:d3:a5:c7:bb:88:1c:
01:db:43:ee:b8:16:f8:95:c8:37:96:de:c1:3e:cd:
a9:f9:7c:f6:94:fb:a6:6d:67:9d:69:24:0b:0e:43:
b2:94:6d:54:61:04:41:c3:e9:ed:0f:80:e8:3b:69:
ca:f2:76:39:7b:f6:6c:48:4c:94:0a:cc:57:50:14:
1e:c7:7f:c7:b5:98:e7:50:a7:ea:f8:9b:73:ad:77:
be:ab:2d:7b:e6:c3:e8:2b:8a:bd:3b:26:b3:7b:a0:
4f:90:96:6e:92:50:d5:8c:a0:5a:c8:2e:9f:82:52:
35:82:f5:5d:0e:e8:fb:89:f2:b3:ef:85:ae:ae:fe:
ea:52:75:2e:dd:ad:a5:a2:ff:2d:22:df:8c:50:39:
f6:d1:30:8b:73:c9:a5:da:d6:28:96:db:9b:55:d7:
bd:30:fc:ec:3e:3c:10:94:9f:05:39:63:1c:2d:37:
56:d5:33:ed:cc:5d:d6:0c:df:57:2b:9c:07:35:8e:
20:74:9f:53:09:08:32:26:a8:11:e8:6e:98:d4:a3:
b9:4a:40:28:5b:e0:9d:41:2a:07:bc:cd:fb:2a:6c:
fb:cd:55:c8:fa:a9:7b:68:76:bb:79:58:30:96:97:
c1:db:b3:fe:b6:05:94:bf:a7:49:03:9f:e8:fe:b0:
88:6f:3f:52:a9:ac:86:72:df:20:19:df:80:76:85:
72:0e:a6:d5:fe:34:b6:21:d4:19:5e:c1:96:c0:ca:
58:da:69:f8:41:07:66:17:98:bf:62:0b:97:c1:fa:
f1:39:a1:df:13:0f:8f:15:9f:e0:d0:04:6e:38:50:
51:2a:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name: critical
DNS: server.example.com, DNS: db.example.com, DNS: trd.example.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: ecdsa-with-SHA256
30:81:87:02:42:01:15:65:da:1f:05:77:50:36:05:6f:06:17:
85:aa:29:9b:12:e0:ae:c6:75:03:71:c2:b5:19:a4:57:35:43:
ca:28:a5:54:87:3f:a1:69:c8:8d:67:dd:8f:d5:78:e5:f3:40:
ba:09:24:4c:db:3e:e5:9e:c0:65:05:94:07:a9:29:e6:d1:02:
41:37:da:31:08:60:97:c4:80:99:ac:99:2b:cd:66:2e:9b:ce:
ed:2a:14:12:33:94:63:22:b3:86:dd:3c:aa:34:89:00:20:f0:
1a:11:4b:e5:8b:97:c9:d5:9c:b9:30:cf:37:eb:6f:0b:36:15:
b8:7a:bf:1c:97:17:f3:3a:1c:1b:38:73
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = server.example.com, emailAddress = hostmaster#example.com
And this is the certificate of my CA:
openssl x509 -text -noout -subject -in /etc/pki/ca/certs/MyCA_crt.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
71:....:19:90:e4
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = hostmaster#example.com
Validity
Not Before: Mar 24 09:33:34 2020 GMT
Not After : Mar 1 11:00:00 2030 GMT
Subject: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = hostmaster#example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:...:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: server.example.com
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
Signature Algorithm: sha256WithRSAEncryption
09:...29
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = ...
And this is the CA1 certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:d8:98:93:...:92:75:15:c2:cf:20:13
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA, emailAddress = hostmaster#example.com
Validity
Not Before: Mar 24 09:33:37 2020 GMT
Not After : Feb 1 11:00:00 2030 GMT
Subject: C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = hostmaster#example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:9e:e4:fd:a2:d5:73:b9:9a:ed:5c:aa:5a:c8:50:
9d:66:b1:0c:43:d3:33:72:5a:32:95:b9:fb:70:fa:
...
0a:b8:83:f2:d2:02:91:8b:f9:40:6d:5d:ab:21:b7:
79:4a:53:b4:b4:d2:c7:e3:ac:bb:64:25:1a:90:07:
eb:fe:22:ba:d3:98:33:d9:18:5b:8f:0d:52:0d:02:
20:57:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: server.example.com
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Signature Algorithm: sha256WithRSAEncryption
8d:27:2a:ed:eb:7b:dc:35:d2:65:10:58:1b:71:a4:d9:73:28:
06:8d:b5:ae:25:0c:29:e1:8c:7c:4f:3b:44:2d:05:d6:d8:ee:
c4:47:c2:4f:15:57:59:95:85:0b:78:d0:95:43:9d:1c:29:40:
5a:46:72:a0:88:95:18:98:5c:b2:61:9c:fc:05:67:a0:b0:a4:
...
d8:b9:c7:7a:ed:fa:47:46:72:a7:ce:bf:9a:64:c2:2f:b7:7f:
d5:9a:a1:73:d2:bb:b2:55:2d:fb:ef:7c:1d:4e:89:07:8d:9b:
81:98:fa:50:ec:8c:63:e5
subject=C = UN, ST = Locality, L = City, O = MyCompany LTD, OU = IT, CN = myCA1, emailAddress = hostmaster#example.com
How can I find what is wrong with it???
The full certificate chain is the following:
-----BEGIN CERTIFICATE-----
MIIEuzCCBB2gAwIBAgIUXaYFIVHY33EeSst3A22ExUzKjf8wCgYIKoZIzj0EAwIw
gZQxCzAJBgNVBAYTAkdSMQ8wDQYDVQQIDAZBdHRpY2ExFTATBgNVBAcMDEFyZ3ly
b3Vwb2xpczEdMBsGA1UECgwUUGV0ZXIgVHNlbGlvcyAtIEhvbWUxCzAJBgNVBAsM
AklUMREwDwYDVQQDDAhob21lLUNBMTEeMBwGCSqGSIb3DQEJARYPaG9zdG1hc3Rl
ckBob21lMB4XDTIwMDMyNDE2NDIwOVoXDTMwMDExNTExMDAwMFowgZcxCzAJBgNV
BAYTAkdSMQ8wDQYDVQQIDAZBdHRpY2ExFTATBgNVBAcMDEFyZ3lyb3Vwb2xpczEd
MBsGA1UECgwUUGV0ZXIgVHNlbGlvcyAtIEhvbWUxCzAJBgNVBAsMAklUMRQwEgYD
VQQDDAtzZXJ2ZXIuaG9tZTEeMBwGCSqGSIb3DQEJARYPaG9zdG1hc3RlckBob21l
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA66fDoCPWeqz7THDhz7ny
Tf/Y7Z1Ay+RoZ7AC0iUDFTcYMeCQfyz/3e/aZJ3ohkizdZunjrJw4vvQw7N0QlJX
ZTXbDk9XV6Y87nszfR0OJeBK6yYM8ysEI8VswJULBmEzfcq+w7n68LIB651Vjcsf
PJZ4aoueZpwma/qK2SosOr9zl3hLqG9BfwrwSmPlksr4+HvPDLLzfE3Kde0Kspnw
deB8n+e1U5oIPXFd9jmRhR5HBA9aoia1X04t2ZU7Moi49FReHmQRzcs8F03Tpce7
iBwB20PuuBb4lcg3lt7BPs2p+Xz2lPumbWedaSQLDkOylG1UYQRBw+ntD4DoO2nK
8nY5e/ZsSEyUCsxXUBQex3/HtZjnUKfq+JtzrXe+qy175sPoK4q9Oyaze6BPkJZu
klDVjKBayC6fglI1gvVdDuj7ifKz74Wurv7qUnUu3a2lov8tIt+MUDn20TCLc8ml
2tYoltubVde9MPzsPjwQlJ8FOWMcLTdW1TPtzF3WDN9XK5wHNY4gdJ9TCQgyJqgR
6G6Y1KO5SkAoW+CdQSoHvM37Kmz7zVXI+ql7aHa7eVgwlpfB27P+tgWUv6dJA5/o
/rCIbz9SqayGct8gGd+AdoVyDqbV/jS2IdQZXsGWwMpY2mn4QQdmF5i/YguXwfrx
OaHfEw+PFZ/g0ARuOFBRKicCAwEAAaN9MHswWwYDVR0RAQH/BFEwT4IMIHNlcnZl
ci5ob21lggsgbXlzcWwuaG9tZYINIHBocGlwYW0uaG9tZYIOIGFkbWluLmYxLmhv
bWWCCCBmMS5ob21lggkgdHJkLmhvbWUwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB
/wQCMAAwCgYIKoZIzj0EAwIDgYsAMIGHAkIBFWXaHwV3UDYFbwYXhaopmxLgrsZ1
A3HCtRmkVzVDyiilVIc/oWnIjWfdj9V45fNAugkkTNs+5Z7AZQWUB6kp5tECQTfa
MQhgl8SAmayZK81mLpvO7SoUEjOUYyKzht08qjSJACDwGhFL5YuXydWcuTDPN+tv
CzYVuHq/HJcX8zocGzhz
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF9jCCA96gAwIBAgIUR9iYk/cYS7UPoZ9vd5J1FcLPIBMwDQYJKoZIhvcNAQEL
BQAwgZMxCzAJBgNVBAYTAkdSMQ8wDQYDVQQIDAZBdHRpY2ExFTATBgNVBAcMDEFy
Z3lyb3Vwb2xpczEdMBsGA1UECgwUUGV0ZXIgVHNlbGlvcyAtIEhvbWUxCzAJBgNV
BAsMAklUMRAwDgYDVQQDDAdob21lLUNBMR4wHAYJKoZIhvcNAQkBFg9ob3N0bWFz
dGVyQGhvbWUwHhcNMjAwMzI0MDkzMzM3WhcNMzAwMjAxMTEwMDAwWjCBlDELMAkG
A1UEBhMCR1IxDzANBgNVBAgMBkF0dGljYTEVMBMGA1UEBwwMQXJneXJvdXBvbGlz
MR0wGwYDVQQKDBRQZXRlciBUc2VsaW9zIC0gSG9tZTELMAkGA1UECwwCSVQxETAP
BgNVBAMMCGhvbWUtQ0ExMR4wHAYJKoZIhvcNAQkBFg9ob3N0bWFzdGVyQGhvbWUw
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCe5P2i1XO5mu1cqlrIUJ1m
sQxD0zNyWjKVuftw+naem4fRw0IhFCFeB4dy9sAN3UsByT0FbFxqs5Z2GvNjTtIz
o+zeARI7H5sd0Hym6BiNqteglywwGDe19swT00D0rfNAfuhGIBgCICrKyPHe6b8Z
sFOwWTRy4FA1HI7b4KXkQvSSt/dGD5gzaa/Ase3ayCEdutrCH+5FXazHZTUVculT
gAqbA9zYHOnKUm5D1L+qzfV2jOpn1+FNF4JVpl3EdkLXdx9tmGEVFfwD8n60Mb3b
istCfRBX4SN7MZyqeflmYUfJI2vBQO1dbhC1E2lFbCSmyaxItw5dABZQWKoSql6g
q1ExPCC6WgX7+hsfIlA10hceI465OoKCk2JbtbWTcEZAlUZw9zk98EAReg2inA1Q
U8D2sz+Q+uZay74uEt11fY/cKIrjTkvusVj/YxmBbSvcpoiaX1Ru8NsiNH7wUpRd
qC+xDlCTmAnH9lQpMrPK2iHVTKx69PThCpfM5VW6OurQLDYqmoNh2EMhDUsH+IPY
oREIUi52mQRHHql2m1m7T39UyllCJN4C54FFqdaEi+hAQ1mc707bYw/OcNrH8vis
X1xwHw7Q9nWZJPHcED7Eiwq4g/LSApGL+UBtXasht3lKU7S00sfjrLtkJRqQB+v+
IrrTmDPZGFuPDVINAiBXYQIDAQABoz8wPTAXBgNVHREEEDAOggwgc2VydmVyLmhv
bWUwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcN
AQELBQADggIBAI0nKu3re9w10mUQWBtxpNlzKAaNta4lDCnhjHxPO0QtBdbY7sRH
wk8VV1mVhQt40JVDnRwpQFpGcqCIlRiYXLJhnPwFZ6CwpKde37l2jyXEvORKbN/p
BTaRX7gD8KUM9ambzYhcX6zKhJkF6wxigBstUWGGiVcDg51gGS7TvahqzMlDY1e5
mARMYnQdSQN6mBonvjHo0vo5vY4f6aHCxLQpMkpGOstCShHKCUTF+dU98XDvWyEL
Yxk3XwuXb6TltjPM7Y/9BrRlhj8lGjOTJzXReR7pvikPCZFIi6clwuUjE+QzmVda
2wLzk3YSrJRpbFZWf5Zt69nl0D3pG/HQLFTBLZxlvYndB2jQw+yuRwdaY+m3b4bb
UXP6kk00QQEcCiROJ73tmT2RQ2sRLDL6vnPVxWQeWq9nfiXCQR9N8R6yK0Sb6x0C
6yvgyVm6MFxqY7rPCrkiKMkz4ZnN4f03Ri258UFCZnlNs3KvTQ1AoqYVLOKzwe0M
o6YroN411dikyiEOcUH4IbY3i/Nof8udRHIlexTrwWne0o88XXeNydGnAQ3qQajh
WPe34cOGeh7eIa0n4fzmt5/LaLUJzp8RGPNGiUIu7c+D+Hm3NKiciKwZOOtY49i5
x3rt+kdGcqfOv5pkwi+3f9WaoXPSu7JVLfvvfB1OiQeNm4GY+lDsjGPl
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF9TCCA92gAwIBAgIUcTvrJuFA4Lwln6Ex1fIJLCIZkOQwDQYJKoZIhvcNAQEL
BQAwgZMxCzAJBgNVBAYTAkdSMQ8wDQYDVQQIDAZBdHRpY2ExFTATBgNVBAcMDEFy
Z3lyb3Vwb2xpczEdMBsGA1UECgwUUGV0ZXIgVHNlbGlvcyAtIEhvbWUxCzAJBgNV
BAsMAklUMRAwDgYDVQQDDAdob21lLUNBMR4wHAYJKoZIhvcNAQkBFg9ob3N0bWFz
dGVyQGhvbWUwHhcNMjAwMzI0MDkzMzM0WhcNMzAwMzAxMTEwMDAwWjCBkzELMAkG
A1UEBhMCR1IxDzANBgNVBAgMBkF0dGljYTEVMBMGA1UEBwwMQXJneXJvdXBvbGlz
MR0wGwYDVQQKDBRQZXRlciBUc2VsaW9zIC0gSG9tZTELMAkGA1UECwwCSVQxEDAO
BgNVBAMMB2hvbWUtQ0ExHjAcBgkqhkiG9w0BCQEWD2hvc3RtYXN0ZXJAaG9tZTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ7k/aLVc7ma7VyqWshQnWax
DEPTM3JaMpW5+3D6dp6bh9HDQiEUIV4Hh3L2wA3dSwHJPQVsXGqzlnYa82NO0jOj
7N4BEjsfmx3QfKboGI2q16CXLDAYN7X2zBPTQPSt80B+6EYgGAIgKsrI8d7pvxmw
U7BZNHLgUDUcjtvgpeRC9JK390YPmDNpr8Cx7drIIR262sIf7kVdrMdlNRVy6VOA
CpsD3Ngc6cpSbkPUv6rN9XaM6mfX4U0XglWmXcR2Qtd3H22YYRUV/APyfrQxvduK
y0J9EFfhI3sxnKp5+WZhR8kja8FA7V1uELUTaUVsJKbJrEi3Dl0AFlBYqhKqXqCr
UTE8ILpaBfv6Gx8iUDXSFx4jjrk6goKTYlu1tZNwRkCVRnD3OT3wQBF6DaKcDVBT
wPazP5D65lrLvi4S3XV9j9woiuNOS+6xWP9jGYFtK9ymiJpfVG7w2yI0fvBSlF2o
L7EOUJOYCcf2VCkys8raIdVMrHr09OEKl8zlVbo66tAsNiqag2HYQyENSwf4g9ih
EQhSLnaZBEceqXabWbtPf1TKWUIk3gLngUWp1oSL6EBDWZzvTttjD85w2sfy+Kxf
XHAfDtD2dZkk8dwQPsSLCriD8tICkYv5QG1dqyG3eUpTtLTSx+Osu2QlGpAH6/4i
utOYM9kYW48NUg0CIFdhAgMBAAGjPzA9MBcGA1UdEQQQMA6CDCBzZXJ2ZXIuaG9t
ZTAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0B
AQsFAAOCAgEACX4JY3a/zn0YKxIB2xfQYAk6NwCa6uKRBXbD2jSCmTlfwFGiJjeW
lwXyylcZ9Hrk1S15hvfk0malDlGso1m3nqxmyUdo93/A+Yckdp2Zo1UlkagPziJB
zkpVeQKLV8cZgUpK/JpMAwjfEHMCgSVVVUPAML7UxwqTsJ+KPsuCXgZWVCvI1duu
PI+jmNdNBqCQBbWRd0wPNvSpZAtRJMTKP1hC02aN+RIOslwqpl28h6FTwEXCZdsb
4JW26xMSAnf9j6O3Zsd1b3qtxJ/dMPvSruQB7JPpjPlGYLWKIHnmXZgmkV+ybbu6
eFZBr9eUN5+ZcvNF7CF3MYmVerIyssXHz5pcPzQDgXeNVtdix0qjSr7i53jq60wt
hKgB4MHlxCce8IS8cf94JZuTaLtcVkaX4CgZAKen3BGuSTlSQ3SA30fVIimKn5ro
EYNujxtRr4SZ0geVfIN3dwR14Yly75qEvN7zrt8pjQoKAGdKhSpRlvjjJ1dgz+Zg
BLCqq//r29yLgSk25smbquPDTq+mG9rxow/HraEg+PJdSTrE+qXD6Ue+sC5WN8zn
Bx7HfoVbye/Kel+ueT/FlSoHjegYOkSwAQ5XGtWfbsEgDVGLgl9lk2TBo6IebgLP
mRogbluFWxvlKN8wL5kuTMfGB6SJx+2ho1rhZsWHIgb/ShATeTax4Ck=
-----END CERTIFICATE-----
So, how can I find what is wrong with my certificates?
I have no idea how you've created the certificates. But the certificate CA1 was not used to sign the leaf certificate, something else was used.
Details: the public key of the shown intermediate certificate CA1 is an RSA key. Thish means that the signature algorithm for the server certificate must be sha256WithRSAEncryption or similar. But, as can be seen from your question it is actually ecdsa-with-SHA256. This means that the leaf certificate was signed with ECDSA (certificate with ECC public key) and not with RSA (certificate RSA public key). In other words: since the type does not match it could not have ben signed by the shown certificate for CA1.
I've got Webhosting on GoDaddy with their SSL certificate installed.
I'm trying to send the https POST request to my Python backend on my own server (with static IP) which is running gevent WSGIServer like this:
https_server = WSGIServer(('<backend ip>', 3000),
appFlask,
keyfile='server.key',
certfile='server.crt',
)
The server.key and server.crt I created by copy/paste from goddady->cPanelAdmin-> Manage SSL Hosts -> Autofill by Domain.
The Certificate: (CRT) -> server.crt. The Private Key (KEY) -> server.key.
The CRT:
-----BEGIN CERTIFICATE-----
MIIGQzCCBSugAwIBAgIJANvQSPtAlkYyMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE5MTEzMDEzNTAyM1oX
DTIwMTEzMDA4MTAzN1owPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRgwFgYDVQQDEw9hcXRzNjU1Mzc5ay5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC/sQsu+SEMu3TbaaCx96hw8A8YLjQehtm16t9cx5KOKOld
chA1rUVZXZq5LLbgXJ/11Ws4z+oqg8T7xmhUPB/sBbP0wd0/wyqAKzkCEfZndV52
Y4oc7+P0NVC5YSTyoMQ1/bx12+PcpkG0LTUbz0F91Z2ZuO/Cr9l3NaR07v35zhKC
aTDJVd1sSwJkRQ9StUXEpQD8M107vhRuBsPqR49qC0vbwXByzK1pC7DTrz2Z0HFR
l8u0d86M+HHZmn3n/vRfXA0PIW16enjLkdZIKMmidvCJmRCUUA6KSljhJz5nZuOF
G2IrsWUqW3AX7Dt8BL2WX/blToikbC5oiaezFoR5AgMBAAGjggLMMIICyDAMBgNV
HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8B
Af8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5nb2RhZGR5LmNv
bS9nZGlnMnMxLTE1NDcuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3
BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv
c2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0
aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0j
BBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wLwYDVR0RBCgwJoIPYXF0czY1NTM3
OWsuY29tghN3d3cuYXF0czY1NTM3OWsuY29tMB0GA1UdDgQWBBTCriFH/fyxral7
BYLxnzTLClIEIDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AKS5CZC0GFgUh7sT
osxncAo8NZgE+RvfuON3zQ7IDdwQAAABbryTxeMAAAQDAEgwRgIhAJ2E4BRwFSUd
kxChyaNNt9rW8yUovUzHMJBGEm48FgKXAiEAxgo7kNBGm0wmQEUX7gxY6xG4pRLv
5T0JoUf31mCvEuYAdgBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAA
AW68k8a8AAAEAwBHMEUCIQC661NrwQ+pn9vG9F1Aw9rJrrlHldzPXmCOoeih8cQI
PwIgQaMQ1KAyVz8zI8wGoJ3S+snGHQq88N+oivNeeSggIQwwDQYJKoZIhvcNAQEL
BQADggEBALZuZ9oXPf8zazPGqiIZrok/zVi7DrimGKQfgVnbR3bE0IhYUFlbO/GN
eH/AcDgHnR8Rdb3t4sjD7pTe1jaD/Jrj0Pz3zhRXKh4l47ERQcRTUKqoNnHW/yxv
+pVHJ/wU/h+DVfAvKkMiIyPV/EbjZg5Vys09tzIDSSjA0n+l2BYq6JY7Z/SWf6QX
CZNsDocBW05Vf0Ot8LDswxgIf1hpw0x/icQj/wlgMdCRIlS46ai293r2A+TcFj5a
aSpcpIT7Yf6NJPOlMNhPiTABAkzb34iA47Ox4S0pFImLuBVqYDIw0kM+tM0pdKuB
nd0IIfQhBswJgpAr++R57vuggExKtxw=
-----END CERTIFICATE-----
The Certificate Authority Bundle:
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMu
MTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTEx
MDUwMzA3MDAwMFoXDTMxMDUwMzA3MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsG
A1UECxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBE
YWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzDBNliF44v/z5lz4/OYuY8UhzaFkVLVat4
a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOvK/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7Q
jL7wMDge87Am+GZHY23ecSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1g
O7GyQ5HYpDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7neTOv
DCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMBAAGjggEaMIIBFjAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUQMK9J47MNIMwojPX+2yz
8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0
cDovL2NybC5nb2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMA0GCSqGSIb3
DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz91cxG7685C/b+LrTW+C05+Z5
Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSn
E3ANkR/0yBOtg2DZ2HKocyQetawiDsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z
2Czqrpv1KrKQ0U11GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeK
M+2xLXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
The client code is React app with hash router where on the button click the following is called:
let res = await axios
.create({ baseURL: "https://<backend ip>:3000" })
.post("/server_auth_user", data_obj)
.then(result => {
if (result.status === 200 && result.data.response) {
console.log(result);
Auth.login(() => {
this.props.history.push("/screens");
...
This is what happens when I run:
openssl s_client -connect <godaddy host>:443 -key 'server.key' -cert 'server.crt'
CONNECTED(00000005)
---
Certificate chain
0 s:OU = Domain Control Validated, CN = aqts655379k.com
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
---
Server certificate
Server certificate
-----BEGIN CERTIFICATE-----
MIIGQzCCBSugAwIBAgIJANvQSPtAlkYyMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE5MTEzMDEzNTAyM1oX
DTIwMTEzMDA4MTAzN1owPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
dGVkMRgwFgYDVQQDEw9hcXRzNjU1Mzc5ay5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC/sQsu+SEMu3TbaaCx96hw8A8YLjQehtm16t9cx5KOKOld
chA1rUVZXZq5LLbgXJ/11Ws4z+oqg8T7xmhUPB/sBbP0wd0/wyqAKzkCEfZndV52
Y4oc7+P0NVC5YSTyoMQ1/bx12+PcpkG0LTUbz0F91Z2ZuO/Cr9l3NaR07v35zhKC
aTDJVd1sSwJkRQ9StUXEpQD8M107vhRuBsPqR49qC0vbwXByzK1pC7DTrz2Z0HFR
l8u0d86M+HHZmn3n/vRfXA0PIW16enjLkdZIKMmidvCJmRCUUA6KSljhJz5nZuOF
G2IrsWUqW3AX7Dt8BL2WX/blToikbC5oiaezFoR5AgMBAAGjggLMMIICyDAMBgNV
HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8B
Af8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5nb2RhZGR5LmNv
bS9nZGlnMnMxLTE1NDcuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3
BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv
c2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0
aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0j
BBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wLwYDVR0RBCgwJoIPYXF0czY1NTM3
OWsuY29tghN3d3cuYXF0czY1NTM3OWsuY29tMB0GA1UdDgQWBBTCriFH/fyxral7
BYLxnzTLClIEIDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AKS5CZC0GFgUh7sT
osxncAo8NZgE+RvfuON3zQ7IDdwQAAABbryTxeMAAAQDAEgwRgIhAJ2E4BRwFSUd
kxChyaNNt9rW8yUovUzHMJBGEm48FgKXAiEAxgo7kNBGm0wmQEUX7gxY6xG4pRLv
5T0JoUf31mCvEuYAdgBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAA
AW68k8a8AAAEAwBHMEUCIQC661NrwQ+pn9vG9F1Aw9rJrrlHldzPXmCOoeih8cQI
PwIgQaMQ1KAyVz8zI8wGoJ3S+snGHQq88N+oivNeeSggIQwwDQYJKoZIhvcNAQEL
BQADggEBALZuZ9oXPf8zazPGqiIZrok/zVi7DrimGKQfgVnbR3bE0IhYUFlbO/GN
eH/AcDgHnR8Rdb3t4sjD7pTe1jaD/Jrj0Pz3zhRXKh4l47ERQcRTUKqoNnHW/yxv
+pVHJ/wU/h+DVfAvKkMiIyPV/EbjZg5Vys09tzIDSSjA0n+l2BYq6JY7Z/SWf6QX
CZNsDocBW05Vf0Ot8LDswxgIf1hpw0x/icQj/wlgMdCRIlS46ai293r2A+TcFj5a
aSpcpIT7Yf6NJPOlMNhPiTABAkzb34iA47Ox4S0pFImLuBVqYDIw0kM+tM0pdKuB
nd0IIfQhBswJgpAr++R57vuggExKtxw=
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, CN = <godaddy.host>
issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3552 bytes and written 443 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A1A0E86F59695161F06029EADB6F26C491F01A511A417CCCF07948F095139E3B
Session-ID-ctx:
Master-Key: DAA60D38F7D74D553478FB3B74DE8F7BE315D003FBF3F6847F812CF25693CFC3EDDADB3F4A2A2D278F7239330E156D92
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - da 97 5d f6 a9 8a 2d 9b-a0 dd 6f 3c 65 58 11 55 ..]...-...o<eX.U
0010 - c4 5d 24 c0 f3 03 6d 2e-16 75 9a 6f 9f 29 2d 4e .]$...m..u.o.)-N
0020 - 92 98 92 24 27 ab 92 2e-31 7d 83 26 70 ba c8 36 ...$'...1}.&p..6
0030 - e6 86 62 58 2a e1 8a be-1c 08 d0 a2 30 e6 36 8c ..bX*.......0.6.
0040 - be b8 6d 5b 72 37 6b fd-32 f5 16 3b 0b 24 e1 10 ..m[r7k.2..;.$..
0050 - 2d 71 f5 8d 1f bf d1 5a-74 2b d1 cd 1d ec f1 f9 -q.....Zt+......
0060 - 6f b3 89 66 10 fa d3 bb-df cc cc 94 fa 61 2b 54 o..f.........a+T
0070 - 0a 85 ac 0c f5 91 c8 53-06 a4 05 bc a8 bf 18 dc .......S........
0080 - 0f cc 71 46 5f af 23 fd-62 48 32 c8 95 20 8f bb ..qF_.#.bH2.. ..
0090 - f3 80 aa ca b0 cf 2e 5c-58 84 d9 65 e5 7e 57 a3 .......\X..e.~W.
00a0 - 09 99 98 72 91 77 21 a1-b9 3e a1 4e 4f 1b af 21 ...r.w!..>.NO..!
00b0 - ff 02 97 71 90 b6 42 51-04 17 c3 e8 ca 8c 35 f9 ...q..BQ......5.
00c0 - 33 07 ca 32 2f 9d c1 7e-59 52 37 db e0 c8 fa bf 3..2/..~YR7.....
Start Time: 1575195127
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
The strange things are:
on some devices/browsers I manage to go beyond the Submit button but then the redirected page /screens shows not secured, though certificate is valid
on other browsers I see in Python log - as if the godaddy now tries to validate my Python backend certificate?:
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1076)
2019-12-01T09:59:25Z <Greenlet at 0x1a8fefe8048: _handle_and_close_when_done(<bound method StreamServer.wrap_socket_and_handle , <bound method StreamServer.do_close of <WSGIServer, (<gevent._socket3.socket [closed] object, fd=-1, )> failed with SSLError
openssl s_client -connect <godaddy_host>:80 ...
... ssl3_get_record:wrong version number
You are connecting to the HTTP port (80) not to the HTTPS port (443). No wonder it will fail with the TLS handshake. But this has nothing to do with the error you get in your Python script since I'm pretty sure you don't use port 80 there.
net::ERR_CERT_COMMON_NAME_INVALID
This happens if the subject of the server certificate does not match the hostname you use to access the server in your code. Since nothing about the server certificate and the code of your client is known I cannot be more specific where exactly the problem is.
gevent SSL with godaddy error: ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1051)
The error message you show in the title is yet another one. This suggests that the server is not accepting the client certificate you use. Note that you cannot use arbitrary certificates as client certificate but must provide the ones accepted by the server.
I suggest never, ever, ever publishing your certificates, they are private to yourself.
I am running nginx and i want to proxy another https host and to verify it's certificate.
I've created a CA cert, created a cert for the proxied host and signed it with the CA. The CA cert was added to the server's root certificates.
My nginx config is the following:
proxy_ssl_verify_depth 1; # tried 0,1,2,3
proxy_ssl_trusted_certificate /etc/nginx/ca.pem;
proxy_ssl_verify on;
When a request is done, nginx log returns:
[error] 26578#26578: *2 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream
Running openssl s_client -connect 1.1.1.1:8000 returns:
CONNECTED(00000003)
depth=1 C = CY, ST = CY, L = CY, O = TEST.TEST, CN = TEST.TEST, emailAddress = admin#test.test
verify return:1
depth=0 C = CY, ST = CY, L = CY, O = TEST.TEST, OU = TEST.TEST, CN = 1.1.1.1
verify return:1
---
Certificate chain
0 s:/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
i:/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin#test.test
---
Server certificate
-----BEGIN CERTIFICATE-----
.... cer
-----END CERTIFICATE-----
subject=/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
issuer=/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin#test.test
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1491 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 94195986FED8C203B09C6A3870DC8B972A6FB3C98D69868CFAF9C4BFC2B7A714
Session-ID-ctx:
Master-Key: D804526744415E7E6C3E0AFBAF4F5BB3B6315BE8785C46FCF7AA232A31E6D7C780E7A8D4B8413BE8D1F1758CF8DD8FE8
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 0a 5f b9 15 a5 78 d0 6c-32 24 77 3b 16 7a 10 75 ._...x.l2$w;.z.u
0010 - 76 ed 08 18 8b 23 a8 15-24 3f eb 83 d8 6e 56 d6 v....#..$?...nV.
0020 - 98 13 c2 36 62 35 17 42-b4 f9 e9 f7 99 50 14 77 ...6b5.B.....P.w
0030 - 8b a3 e6 b5 2f ef ca af-7d 25 7c d8 7e b8 3a 96 ..../...}%|.~.:.
0040 - 11 87 b2 e2 0a d6 de b6-60 75 c5 4a 58 57 8b 1b ........`u.JXW..
0050 - 73 6d 36 c6 9f 6a ec 31-71 2d 02 ad 50 45 8a 14 sm6..j.1q-..PE..
0060 - 01 c1 6c 4a 2f 46 9b cb-e6 4c 09 97 17 fa 46 f4 ..lJ/F...L....F.
0070 - 29 e6 a5 cb a7 37 fb 31-b3 a0 d7 55 ac cb fd 59 )....7.1...U...Y
0080 - 42 a5 7b 45 9a 53 24 90-52 8c 8e 1c eb c4 db f9 B.{E.S$.R.......
0090 - 27 04 b9 7e ba 0a 2d 9e-3b 92 67 ec 42 d6 69 78 '..~..-.;.g.B.ix
Start Time: 1527255600
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
IP/cert names replaced by dummy versions in this result.
curl https://1.1.1.1 also works without problems.
I've been reading googling and checking all similar stackoverflow questions, but none of the proposed fixes seemed to resolve this.
So in the AWS IoT tutorial I get this:
pi#raspberrypi:~/certs $ openssl s_client -connect iot.us-west-2.amazonaws.com:443 -CAfile root-CA.pem -cert certificate.pem.crt -key private.pem.key
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = iot.us-west-2.amazonaws.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=iot.us-west-2.amazonaws.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
STUFFHERE
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=iot.us-west-2.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3264 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: FC6ABAE41818994E5D7B6AE83DCE0F717396D7F5314CFB096CD967489A136CCA
Session-ID-ctx:
Master-Key: STUFFHERE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 10800 (seconds)
TLS session ticket:
0000 - d5 b9 92 64 2c 92 37 2c-79 c2 68 04 28 ef f4 d7 ...d,.7,y.h.(...
0010 - e1 31 dc 7e 80 51 a8 ef-da ab 0f 60 7e 5b 1d 52 .1.~.Q.....`~[.R
0020 - b1 03 06 52 ac 8b 32 12-54 1f 86 72 f4 a7 2b f3 ...R..2.T..r..+.
0030 - ba 3b f8 91 a6 fc ce 53-d2 0c d9 96 75 a2 4c f1 .;.....S....u.L.
0040 - 31 bd f4 84 f2 c6 b8 51-06 8c 36 22 12 b3 82 99 1......Q..6"....
0050 - b6 13 b9 f8 fa 54 e4 0d-eb 01 b6 c4 82 b2 1b 88 .....T..........
0060 - c6 af 3b 54 58 83 77 4b-69 b2 b1 8c cb 0a 7c 81 ..;TX.wKi.....|.
0070 - 70 a9 d5 d2 fd f8 3b 21-e3 8e b2 e6 c4 83 f9 af p.....;!........
0080 - bc 3f 8e fa 33 ae 28 7b-be e6 8d 6b aa 96 4e 56 .?..3.({...k..NV
0090 - 12 6f b3 9d bc b5 53 fa-23 3c 79 5b 41 a1 ae 5a .o....S.#<y[A..Z
Start Time: 1457306705
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
I have the followings in the ~/certs folder:
pi#raspberrypi:~/certs $ ls
certificate.pem.crt private.pem.key public.pem.key root-CA.pem