fossil ssl server mode cert chain
(1) By Richard Bowden (sentinel) on 2022-01-10 06:14:42 [source]
I ran in to an error where if you have a cert chain that includes the cert, plus inter and root ca certs in your pem file. Fossil fails to load this. This is not an problem if using public certs from a public CA... though this breaks if using a cert from another CA that provides a cert chain.
currently ssl_init_server
function is using the openssl function SSL_CTX_use_certificate_file
which only loads the first certificate in the file ignoring the rest if a chain is present.
the function SSL_CTX_use_certificate_chain_file
is better suited to using certs that either contain the cert and/or a chain of certs.
reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_use_certificate_file.html
(2.1) By Stephan Beal (stephan) on 2022-01-10 07:09:58 edited from 2.0 in reply to 1 [link] [source]
the function SSL_CTX_use_certificate_chain_file is better suited to using certs that either contain the cert and/or a chain of certs.
It actually uses the latter function everywhere except for one place, and that one place is reading a cert from memory, not from a file, so the latter function isn't applicable. Is the a counterpart to SSL_CTX_use_certification_chain_file() which reads a cert from memory?
Edit: correction: it uses the former function in the ssl_init_server(). i'll patch that and see if that improves the situation.
(4) By Stephan Beal (stephan) on 2022-01-10 07:19:38 in reply to 2.1 [link] [source]
Edit: correction: it uses the former function in the ssl_init_server(). i'll patch that and see if that improves the situation.
That's now corrected on trunk. It behaves properly with a single-level cert file (if that's the correct term) but is untested with a chain. If you are able, please try the latest trunk.
(5.1) By Richard Bowden (sentinel) on 2022-01-10 08:31:04 edited from 5.0 in reply to 4 [link] [source]
ok, will test it this evening.
there are two situations
- where the root ca cert and/or intimidates are in the OS root store (lets encrypt's root is in almost all OS stores I believe, they also ship certs with an intimidate along with the user cert (cert chain)
- where the root ca is not in the root store and shipped along with the cert
(8) By Richard Bowden (sentinel) on 2022-01-10 14:45:18 in reply to 4 [link] [source]
confirmed working for the cert chain issue I saw....
though does not seem to of fixed the issue in the other thread
(3) By Warren Young (wyoung) on 2022-01-10 07:11:00 in reply to 1 [link] [source]
There’s a chance this is what’s causing the Let’s Encrypt cert to fail in the other thread: they use a 2-level cert chain.
(6) By Richard Bowden (sentinel) on 2022-01-10 08:26:20 in reply to 3 [link] [source]
very good chance its this.
(7) By JesseMeyer on 2022-01-10 14:30:43 in reply to 6 [link] [source]
Unfortunately, I just tried 82c62e5f8d and it doesn't not resolve the issue.
(9) By Richard Bowden (sentinel) on 2022-01-10 14:46:37 in reply to 7 [link] [source]
oh dear...
it works for a none public ca cert chain...
I will get lets encrypt setup and see if I can repo the issue on the other thread