How to verify an OpenSSL certificate chain
This document (7021187) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 Service Pack 1 (SLES 15 SP1)
SUSE Linux Enterprise Server 15 (SLES 15)
SUSE Linux Enterprise Server 12 Service Pack 5 (SLES 12 SP5)
SUSE Linux Enterprise Server 12 Service Pack 4 (SLES 12 SP4)
SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)
SUSE Linux Enterprise Server 12 (SLES 12)
Situation
Resolution
As the 'root' user, in a terminal window, run:
mkdir cert
cd cert
echo |openssl s_client -connect <server_name>:<port> -servername <server_name> -showcerts 2>&1 |csplit - '/-----BEGIN CERTIFICATE-----/' '{*}'
csplit prints the size in bytes of every file it writes. If more than two sizes are printed, the server sent more than one certificate: xx00 only holds the openssl output that precedes the first certificate (it can be deleted), xx01 is the server certificate, and xx02, xx03, ... are the intermediate or CA certificates the server sent along with it.
To print the details of these certificates, run openssl x509 -noout with the desired output options (as in the smt.crt command below) against each xxNN file.
The chain must end at a CA certificate that is in the system trust store: the last CA certificate the server sends, or the CA that issued it, must be present either in /var/lib/ca-certificates/openssl/, where each CA certificate is reachable through a symlink named after its subject hash (<hash>.0), or Base64-encoded in the bundle file /var/lib/ca-certificates/ca-bundle.pem, which is deprecated.
For SMT, check that the issuer hash of the server certificate matches the hash of the CA certificate that SMT hands out to its clients:
on the SMT server:
openssl x509 -in /srv/www/htdocs/smt.crt -noout -hash -issuer_hash -dates -fingerprint
The hash printed for smt.crt and the issuer_hash printed for the server certificate must be identical.
The location of the server certificate is given by the SSLCertificateFile directive in the Apache configuration. By default SSLCertificateFile points to /etc/ssl/servercerts/servercert.pem; run the same openssl x509 command against that file and compare its issuer_hash with the hash of the CA certificate.
Cause
Possible reasons:
- Wrong openssl version or library installed (for example a custom LDAP build under /usr/local):
  - Check that the installed files belong to the package with "rpm -V openssl"
  - Check that LD_LIBRARY_PATH is not set to a local library directory
  - Verify which libraries the openssl binary actually uses with "ldd $( which openssl )"
- The CA certificate does not reside in the trust store: the CA bundle file /var/lib/ca-certificates/ca-bundle.pem or the directory /var/lib/ca-certificates/openssl does not contain the certificate. To add it, place the CA certificate in /etc/pki/trust/anchors/ and call "update-ca-certificates".
- In case of ldaps: the environment variable LDAPCONF points to a different configuration file with a wrong TLS_CACERT set.
- When running zypper commands: the registration was not correct; re-register without deleting or resetting the registration.
- In case of an SMT client: the SMT server still provides an old/invalid certificate.
Additional Information
To make a CA certificate known system-wide, run update-ca-certificates (see Cause above); it regenerates the hashed directory and the bundle file from the installed anchors.
Additional note:
If the openssl command completes successfully but shows an issuer_hash for the server certificate that is not known to the system:
echo |openssl s_client -showcerts -connect <server>:<port> 2>&1 | tee /tmp/logfile_with_server_cert
openssl x509 -in /tmp/logfile_with_server_cert -noout -hash -issuer_hash
Additional note: The reason for this may be that the server provides intermediate CA certificates which are signed by a trusted CA certificate already in the store: server cert -> CA -> CA -> CA (in trust store). In that case the issuer_hash of the server certificate is the hash of the first intermediate, not of a certificate in the trust store; follow the chain (each certificate's issuer_hash must equal the hash of the next one) until you reach a certificate whose issuer is in the trust store.
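The chain walk described in the Resolution and the partial-chain case in the note above, as an added example that is not part of this TID: the script saves the certificates a server sends with openssl s_client -showcerts, prints subject, issuer, expiry, hash and issuer_hash for each one, checks that every issuer_hash equals the hash of the next certificate, checks that the issuer of the last certificate is present as <hash>.N in the trust store (default /var/lib/ca-certificates/openssl), and finally lets openssl verify confirm the result. The function names, the cert-NN.pem naming and the /tmp/server_chain.pem path are this example's own choices, not part of SLES or the TID.

```shell
#!/bin/sh
# Added example (not part of the SUSE TID): walk the certificate chain a TLS
# server sends, as "openssl s_client -showcerts" prints it, and check that
#   1. each certificate's issuer_hash equals the hash of the next one, and
#   2. the issuer of the last certificate is in the trust store, i.e. a
#      file <hash>.0 (or .1, ...) exists in /var/lib/ca-certificates/openssl.
# Function names and the cert-NN.pem naming are this example's own.

# fetch_chain <host> <port> <outfile>: save every PEM block the server sends.
fetch_chain() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# split_chain <pemfile> <dir>: write cert-01.pem, cert-02.pem, ... into <dir>,
# one certificate each, in the order the server sent them.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); w = 1 }
        w { print > f }
        /-----END CERTIFICATE-----/   { w = 0 }' "$1"
}

cert_hash()        { openssl x509 -in "$1" -noout -hash; }         # subject hash
cert_issuer_hash() { openssl x509 -in "$1" -noout -issuer_hash; }  # issuer hash

# check_chain <pemfile> [capath]: print one block per certificate and return 0
# only if the chain is continuous, its top issuer is in <capath> and
# "openssl verify" agrees; return 1 otherwise.
check_chain() {
    local pem=$1 capath=${2:-/var/lib/ca-certificates/openssl} dir f h ih prev rc
    dir=$(mktemp -d) || return 1
    split_chain "$pem" "$dir"
    [ -f "$dir/cert-01.pem" ] || { echo "no certificate in $pem" >&2; rmdir "$dir"; return 1; }
    rc=0; prev=
    for f in "$dir"/cert-*.pem; do
        h=$(cert_hash "$f"); ih=$(cert_issuer_hash "$f")
        printf '%s\n  %s\n  %s\n  hash=%s issuer_hash=%s\n' \
            "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -issuer)" \
            "$(openssl x509 -in "$f" -noout -enddate)" "$h" "$ih"
        # The issuer_hash of the previous certificate must be this one's hash.
        if [ -n "$prev" ] && [ "$prev" != "$h" ]; then
            echo "  BROKEN: previous issuer_hash $prev != this hash $h"; rc=1
        fi
        prev=$ih
    done
    # The trust store names each CA after its subject hash: <hash>.0, <hash>.1, ...
    if ls "$capath/$prev".[0-9] >/dev/null 2>&1; then
        echo "top issuer $prev is in $capath"
    else
        echo "top issuer $prev is NOT in $capath (add the CA and run update-ca-certificates)"; rc=1
    fi
    # Authoritative check: let OpenSSL build the path itself, using the
    # server-sent certificates as untrusted intermediates and <capath> as trust store.
    if openssl verify -CApath "$capath" -untrusted "$pem" "$dir/cert-01.pem" >/dev/null 2>&1; then
        echo "openssl verify: OK"
    else
        echo "openssl verify: FAILED"; rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone usage: sh check_chain.sh <server_name> <port> [capath]
if [ $# -ge 2 ]; then
    fetch_chain "$1" "$2" /tmp/server_chain.pem
    check_chain /tmp/server_chain.pem "${3:-/var/lib/ca-certificates/openssl}"
fi
```

A BROKEN line means the server sends its certificates out of order or with a gap; a "NOT in" line means the CA has to be added to the trust store with update-ca-certificates; if only openssl verify fails, look at the notAfter dates printed for each certificate or run openssl verify without the redirections to see its error message.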
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7021187
- Creation Date: 08-Aug-2017
- Modified Date: 22-Feb-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com