How to verify an OpenSSL certificate chain

This document (7021187) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 Service Pack 2 (SLES 15 SP2)
SUSE Linux Enterprise Server 15 Service Pack 1 (SLES 15 SP1)
SUSE Linux Enterprise Server 15  (SLES 15)
SUSE Linux Enterprise Server 12 Service Pack 5 (SLES 12 SP5)
SUSE Linux Enterprise Server 12 Service Pack 4 (SLES 12 SP4)
SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 (SLES 12)
 

Situation

A TLS connection fails with an error such as "unknown CA" or "TLS certificate verification: Error, unable to get local issuer certificate".

Resolution

To check the certificate chain a server presents, proceed as follows.

As 'root' user, from a terminal window, type:

cd /tmp
mkdir cert
cd cert
echo |openssl s_client -connect <server_name>:<port> -servername <server_name> -showcerts 2>&1 |csplit - '/-----BEGIN CERTIFICATE-----/' '{*}'

csplit prints the size of every file it writes. xx00 contains the s_client output that precedes the first certificate, so if more than two sizes are printed the server sent more than one certificate, i.e. a chain.

To print the details of those certificates:
rm xx00; for i in xx*; do openssl x509 -in "$i" -noout -subject -hash -issuer_hash; done
(Note: xx00 only contains the openssl output up to the first certificate, so it can be deleted.)

The chain must end in a CA that the system trusts: the issuer_hash printed for the last certificate in the chain must match the subject hash (-hash) of a CA certificate in /var/lib/ca-certificates/openssl/, where every trusted CA certificate is symlinked by its hash. The same CA certificates are also present base64-encoded in the bundle file /var/lib/ca-certificates/ca-bundle.pem, which is deprecated.

For SMT, a check that the server certificate's issuer hash matches the CA certificate's hash can be done as follows.
On the SMT server:
openssl x509 -in /var/lib/CAM/YaST_Default_CA/cacert.pem -noout -hash -issuer_hash -dates -fingerprint
openssl x509 -in /srv/www/htdocs/smt.crt  -noout -hash -issuer_hash -dates -fingerprint

The output of both commands must be identical: smt.crt is the copy of the CA certificate that SMT clients download, so it has to be the same certificate as cacert.pem.

The following command shows where the server certificate is configured:
grep -Eir SSLCertificateFile /etc/apache2/ | grep -v "#"

By default SSLCertificateFile points to /etc/ssl/servercerts/servercert.pem. To check that its issuer hash matches the hash of the CA:
openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -hash -issuer_hash -dates -fingerprint

The -issuer_hash printed here must equal the -hash of cacert.pem, and the fingerprint must equal the fingerprint of the certificate Apache actually serves, which "echo | openssl s_client -connect <smtserver>:<port> 2>/dev/null | openssl x509 -noout -fingerprint" prints. If they differ, Apache provides either the wrong, or an old, server certificate.
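The manual steps of the two procedures above (splitting the s_client output into single certificates, comparing each certificate's issuer_hash with the hash of the next one, and finally looking the last issuer_hash up in the trust store) as one shell script. This is an added example and not part of the SUSE article: the certificates it builds for the offline run are constructed test data (the names "Example Test Root CA", "Example Test Intermediate CA" and smt.example.test are made up), and the <hash>.N lookup assumes the c_rehash layout that /var/lib/ca-certificates/openssl uses.

```shell
#!/bin/sh
# Added example, not part of the SUSE TID. Walks a saved certificate chain the
# way the article does by hand and reports where the chain leaves the trust
# store. Requires the openssl command line tool.
set -e

# split_chain CHAINFILE OUTDIR
# Writes every PEM certificate in CHAINFILE (e.g. the saved output of
# "openssl s_client -showcerts") to OUTDIR/cert01.pem, cert02.pem, ... in the
# order the server sent them, and prints the number of certificates found.
split_chain() {
    chain=$1; out=$2
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }
    ' "$chain"
}

# check_chain OUTDIR [CAPATH]
# The issuer_hash of each certificate must equal the subject hash of the next
# one, and the issuer_hash of the last one must exist in CAPATH as <hash>.N.
# Returns 0 if the chain ends in the trust store, 1 if a link is broken or the
# issuing CA is missing.
check_chain() {
    dir=$1; capath=${2:-/var/lib/ca-certificates/openssl}
    prev=""
    for c in "$dir"/cert*.pem; do
        [ -e "$c" ] || { echo "no certificates in $dir" >&2; return 1; }
        h=$(openssl x509 -in "$c" -noout -hash)
        ih=$(openssl x509 -in "$c" -noout -issuer_hash)
        printf '%s hash=%s issuer_hash=%s %s\n' "$(basename "$c")" "$h" "$ih" \
            "$(openssl x509 -in "$c" -noout -subject)"
        if [ -n "$prev" ] && [ "$prev" != "$h" ]; then
            # Either the server sends the chain out of order or this
            # certificate does not belong to the chain at all.
            echo "BROKEN: previous certificate was issued by $prev, this one has hash $h" >&2
            return 1
        fi
        prev=$ih
    done
    # $prev is now the issuer_hash of the last certificate the server sent.
    for f in "$capath/$prev".*; do
        [ -e "$f" ] || break
        echo "chain ends in trust store: $f ($(openssl x509 -in "$f" -noout -subject))"
        return 0
    done
    echo "MISSING: no $prev.* in $capath; put the issuing CA into /etc/pki/trust/anchors/ and run update-ca-certificates" >&2
    return 1
}

# make_test_chain DIR
# Builds a constructed root -> intermediate -> leaf chain under DIR so the
# functions above can be exercised offline. DIR/chain.pem is what a correctly
# configured server sends (leaf, then intermediate, no root); DIR/capath holds
# the root in the <hash>.0 layout of /var/lib/ca-certificates/openssl.
make_test_chain() {
    d=$1; mkdir -p "$d/capath"
    ( cd "$d" || exit 1
      openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
          -keyout root.key -out root.pem -subj "/CN=Example Test Root CA" -days 2 >/dev/null 2>&1
      openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
          -keyout int.key -out int.csr -subj "/CN=Example Test Intermediate CA" >/dev/null 2>&1
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -out int.pem -days 2 -extfile int.ext >/dev/null 2>&1
      openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
          -keyout leaf.key -out leaf.csr -subj "/CN=smt.example.test" >/dev/null 2>&1
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
          -out leaf.pem -days 2 >/dev/null 2>&1
      cat leaf.pem int.pem > chain.pem
      cp root.pem "capath/$(openssl x509 -in root.pem -noout -hash).0"
    )
}

# Against a live server (not run here):
#   echo | openssl s_client -connect <server>:<port> -servername <server> -showcerts 2>&1 > /tmp/chain.txt
#   split_chain /tmp/chain.txt /tmp/cert && check_chain /tmp/cert
```

check_chain prints either the trust store file the chain ends in or the missing hash, which is the value to look for when deciding which CA certificate has to be placed in /etc/pki/trust/anchors/. The hash walk only explains which link fails; the authoritative verdict is still "openssl verify -CApath /var/lib/ca-certificates/openssl -untrusted /tmp/cert/cert02.pem /tmp/cert/cert01.pem", which additionally checks the signatures, the validity dates and the basicConstraints of the intermediate CAs.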

Cause

The CA certificate with the correct issuer_hash cannot be found.

Possible reasons:
  1. Wrong openssl version or library installed (for example a custom LDAP build under /usr/local that brings its own OpenSSL)
    1. Check that the files belong to the installed package: "rpm -V openssl"
    2. Check that LD_LIBRARY_PATH is not set to a local library directory
    3. Verify which libraries the openssl binary actually loads: "ldd $( which openssl )"
  2. The CA certificate does not reside in the trust store
    1. In case of ldaps: the environment variable LDAPCONF points to a different config file with a wrong TLS_CACERT set
    2. The CA bundle /var/lib/ca-certificates/ca-bundle.pem or the directory /var/lib/ca-certificates/openssl does not contain the certificate; to add it, place it in /etc/pki/trust/anchors/ and call "update-ca-certificates"
    3. When running zypper commands: the registration was not correct; re-register without deleting or resetting the registration
    4. In case of an SMT client: the SMT server still provides an old or invalid certificate

Additional Information

Additional CA certificates can be added in /etc/pki/trust/anchors/ (local additions by the administrator) or /usr/share/pki/trust/anchors/ (certificates shipped by packages).

The following command regenerates the system trust stores from those directories so that all applications see the new certificate:
update-ca-certificates


Additional note:

If the openssl command completes successfully but shows an issuer_hash for the server certificate that is not known to the system:
echo |openssl s_client -showcerts -connect <server>:<port> 2>&1 | tee /tmp/logfile_with_server_cert

openssl x509 -in /tmp/logfile_with_server_cert -noout -hash -issuer_hash
(openssl x509 reads only the first certificate in the file, which is the server certificate.)

The reason is usually that the server provides intermediate CA certificates which are in turn signed by a trusted CA certificate already in the trust store: server cert -> CA -> CA -> CA (in trust store). The issuer of the server certificate itself then does not have to be in the trust store; only the issuer of the last certificate in the chain must be.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7021187
  • Creation Date: 08-Aug-2017
  • Modified Date: 22-Feb-2021
    • SUSE Linux Enterprise Server
