Thawte SSL with 3 certificates

Hi all,

After much googling, lots of hair pulling and still no result I’m hoping
someone here has seen this particular issue or else can help point me in
a direction that may help resolve it.

For a site I’m building I need to have SSL enabled - it’s ecom. I’ve
configured SSL on nginx before without too many problems though did get
caught out with a Thawte renewal which required the domain certificate
and the Thawte CA intermediate. Concatenating them into the same file
resolved the issue and all the sites I’ve had to do that with are
working fine. Until now that is…

On this latest file, Thawte has supplied not one intermediate CA
certificate but two - a primary and a secondary which need to be
included.

I started off in the same vein - creating a file with mine first, then
the two supplied by thawte - I have tried all the combinations of the
three certificates and can reliably make it break by moving the domain
cert out of first position but no combination of the other two appears
to work - including removal of one or the other.

Has anyone come across this issue at all with other certificate
authorities or even Thawte specifically? I’m literally a week from
launching the site so need to resolve this as certainly in browsers like
chrome you get the “this website is not secure” error message…

Weirdly the domain certificate information is available when you enquire
it in the browser however there’s no chaining information available when
you show the hierarchy. It show’s the domain cert as the root
certificate and it appears like this is where the error is coming from.

Any ideas what might be causing this effect?

Kind regards
ajfisher

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,204035,204035#msg-204035

On Sun, Jun 05, 2011 at 03:12:36AM -0400, ajfisher wrote:

resolved the issue and all the sites I’ve had to do that with are
to work - including removal of one or the other.

Any ideas what might be causing this effect?

You may investigate certificate chain using
“openssl s_client -connect …” as described here:
http://nginx.org/en/docs/http/configuring_https_servers.html#chains


Igor S.

Thanks for that Igor - I had already tried that process though I’ll
attempt the ssl client once I’m in at work tomorrow and see if it can
provide any more diagnostic information that might help debug it. I
think the issue is something to do with the fact there is the domain
certificate and there is both primary and secondary intermediate
certificates - so 3 in total which isn’t something I’ve seen before.

Will see what I can turn up in the morning.

Thanks
Andrew

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,204035,204069#msg-204069

Hello!

On Mon, Jun 06, 2011 at 07:59:47PM -0400, ajfisher wrote:

So after playing around with this further and using the openssl client
to see what is coming back it’s still not working. For some reason the
chain hierarchy isn’t coming through to the client. Even with openssl
client it can see there are three certificates but the one thing that
stands out for me is that there is a line in the response saying “No
client certificate CA names sent” which chimes with what I’m seeing on

The “No client certificate CA names sent” is normal unless you are
using ssl_verify_client.

[…]

2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=© 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

This is wrong order. It should be chain from your cert to one
signed by root cert, each cert should be followed by it’s issuer
cert (“i:” should be followed immediatly with identical “s:”).
I.e. in your case it should be

0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My
Biz/OU=Marketing/CN=my.domain.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=© 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=© 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/[email protected]

You should change order of last two certs in your ssl_certificate
file.

Maxim D.

So after playing around with this further and using the openssl client
to see what is coming back it’s still not working. For some reason the
chain hierarchy isn’t coming through to the client. Even with openssl
client it can see there are three certificates but the one thing that
stands out for me is that there is a line in the response saying “No
client certificate CA names sent” which chimes with what I’m seeing on
the Chrome side which is that the certificate itself is valid but
there’s no hierarchy that allows the certificate to become authorised.

Any ideas with this? I’m totally stumped - especially because I’ve dealt
with 2 certificate set ups before with absolutely no problems once I
realised I needed to concatenate them…

For what it’s worth - this is the output of openssl client (obfuscated)

Cheers
ajfisher

CONNECTED(00000003)
depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/[email protected]
verify return:1
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=©
2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify return:1
depth=0 /C=AU/ST=Victoria/L=North Melbourne/O=My
Bizg/OU=Marketing/CN=my.domain.com
verify return:1

Certificate chain
0 s:/C=AU/ST=Victoria/L=North Melbourne/O=My
Biz/OU=Marketing/CN=my.domain.com
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=© 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/[email protected]
2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=© 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

Server certificate
-----BEGIN CERTIFICATE-----
… SNIP …
-----END CERTIFICATE-----
subject=/C=AU/ST=Victoria/L=North Melbourne/O=My
Biz/OU=Marketing/CN=my.domain.com
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA

No client certificate CA names sent

SSL handshake has read 3687 bytes and written 319 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
87D1AEB1E1625530ACACB0E88458C0AB310A4C94A2DAA8E5F9F7C333747FBD2D
Session-ID-ctx:
Master-Key: … SNIP …
Key-Arg : None
Krb5 Principal: None
Start Time: 1307404193
Timeout : 300 (sec)
Verify return code: 0 (ok)

read:errno=0

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,204035,204493#msg-204493

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs