Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to follow a solution in this post to understand some problem that I have with openssl. Though it mostly works, I get an error at the end.
Note that the errors from the first two verify commands (at the end) are expected; only the last one is a problem. According to the post, the last command should work.
If someone could tell me what is wrong, that would be very helpful.
Following is the sequence of relevant commands. The "ls" commands are only there to show what is happening.
Code:
...$ openssl req -newkey rsa:4096 -nodes -keyout ca-key.pem -sha384 -x509 -days 365 -out ca-crt.pem -subj /C=XX/ST=YY/O=RootCA
Generating a RSA private key
.........................................++++
.........................................................................................................++++
writing new private key to 'ca-key.pem'
-----
...$ ls
ca-crt.pem ca-key.pem
...$ openssl req -newkey rsa:3072 -nodes -keyout int-key.pem -new -sha384 -out int-csr.pem -subj /C=XX/ST=YY/O=IntermediateCA
Generating a RSA private key
........................++++
.......++++
writing new private key to 'int-key.pem'
-----
...$ ls
ca-crt.pem ca-key.pem int-csr.pem int-key.pem
...$ openssl x509 -req -days 360 -in int-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out int-crt.pem
Signature ok
subject=C = XX, ST = YY, O = IntermediateCA
Getting CA Private Key
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem int-crt.pem int-csr.pem int-key.pem
...$
...$ openssl req -newkey rsa:2048 -nodes -keyout usr-key.pem -new -sha256 -out usr-csr.pem -subj /C=XX/ST=YY/O=LockCmpXchg8b
Generating a RSA private key
................+++++
................................................................................+++++
writing new private key to 'usr-key.pem'
-----
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem int-crt.pem int-csr.pem int-key.pem usr-csr.pem usr-key.pem
...$ openssl x509 -req -days 360 -in usr-csr.pem -CA int-crt.pem -CAkey int-key.pem -CAcreateserial -out usr-crt.pem
Signature ok
subject=C = XX, ST = YY, O = LockCmpXchg8b
Getting CA Private Key
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem int-crt.pem int-crt.srl int-csr.pem int-key.pem usr-crt.pem usr-csr.pem usr-key.pem
...$
...$ cat ca-crt.pem int-crt.pem > chain.pem
...$ ls
ca-crt.pem ca-crt.srl ca-key.pem chain.pem int-crt.pem int-crt.srl int-csr.pem int-key.pem usr-crt.pem usr-csr.pem usr-key.pem
...$
...$ openssl verify -CAfile ca-crt.pem usr-crt.pem
C = XX, ST = YY, O = LockCmpXchg8b
error 20 at 0 depth lookup: unable to get local issuer certificate
error usr-crt.pem: verification failed
...$ openssl verify -CAfile int-crt.pem usr-crt.pem
C = XX, ST = YY, O = IntermediateCA
error 2 at 1 depth lookup: unable to get issuer certificate
error usr-crt.pem: verification failed
...$ openssl verify -CAfile chain.pem usr-crt.pem
C = XX, ST = YY, O = IntermediateCA
error 24 at 1 depth lookup: invalid CA certificate
error usr-crt.pem: verification failed
...$
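The failing command in the transcript above is explained by how the intermediate was issued: `openssl x509 -req` adds no X.509v3 extensions unless it is given `-extfile`, so `int-crt.pem` carries no `basicConstraints = CA:TRUE` (and no `keyUsage = keyCertSign`). The self-signed root is fine because `openssl req -x509` adds CA:TRUE on its own, but when the extension-less intermediate turns up at depth 1 OpenSSL refuses to treat it as a CA, which is exactly "error 24 at 1 depth lookup: invalid CA certificate". The script below is an added example, not code from the original post: it rebuilds the same three-tier chain twice (once exactly as posted, once with the intermediate issued through `-extfile`), checks each intermediate for CA:TRUE, and verifies the leaf trusting only the root with the intermediate passed as `-untrusted`, the way a TLS client sees it. It assumes the `openssl` CLI and a writable temporary directory; the 2048-bit keys and the file name `chain-check.sh` are choices made here for speed, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the poster's three-tier chain
# two ways and show which one openssl accepts. Requires the openssl CLI; RSA-2048
# keys are used throughout only to keep key generation fast.
set -eu

# Scratch directory; assumption: a writable temp dir is available.
WORK="${WORK:-$(mktemp -d)}"

# Build root -> intermediate -> leaf under "$WORK/$1".
#   $1 = plain   : intermediate issued exactly as in the post (no -extfile)
#   $1 = withext : intermediate issued with CA extensions via -extfile
build_chain() {
    d="$WORK/$1"
    mkdir -p "$d"

    # Self-signed root. "req -x509" adds basicConstraints CA:TRUE by itself
    # (v3_ca in the default openssl.cnf), which is why the root is never the problem.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/ca-key.pem" -sha256 -x509 -days 365 \
        -out "$d/ca-crt.pem" -subj /C=XX/ST=YY/O=RootCA >/dev/null 2>&1

    openssl req -newkey rsa:2048 -nodes -keyout "$d/int-key.pem" -new -sha256 \
        -out "$d/int-csr.pem" -subj /C=XX/ST=YY/O=IntermediateCA >/dev/null 2>&1

    if [ "$1" = withext ]; then
        # Extensions that make a certificate usable as a CA: CA:TRUE, a path length
        # that forbids further sub-CAs, and keyUsage permitting certificate signing.
        cat > "$d/int-ext.cnf" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
        openssl x509 -req -days 360 -in "$d/int-csr.pem" -CA "$d/ca-crt.pem" \
            -CAkey "$d/ca-key.pem" -CAcreateserial -extfile "$d/int-ext.cnf" \
            -out "$d/int-crt.pem" >/dev/null 2>&1
    else
        # The post's command: no -extfile, so no X.509v3 CA extensions at all.
        openssl x509 -req -days 360 -in "$d/int-csr.pem" -CA "$d/ca-crt.pem" \
            -CAkey "$d/ca-key.pem" -CAcreateserial -out "$d/int-crt.pem" >/dev/null 2>&1
    fi

    # Leaf certificate issued by the intermediate, as in the post.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/usr-key.pem" -new -sha256 \
        -out "$d/usr-csr.pem" -subj /C=XX/ST=YY/O=Leaf >/dev/null 2>&1
    openssl x509 -req -days 360 -in "$d/usr-csr.pem" -CA "$d/int-crt.pem" \
        -CAkey "$d/int-key.pem" -CAcreateserial -out "$d/usr-crt.pem" >/dev/null 2>&1
}

# The first check to run on any intermediate you are handed: does it say CA:TRUE?
# Prints "yes" or "no".
intermediate_is_ca() {
    if openssl x509 -in "$WORK/$1/int-crt.pem" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Verify the leaf trusting only the root; the intermediate is supplied as an
# untrusted chain certificate, which is how a TLS client receives it.
# Prints "ok" or "fail".
verify_leaf() {
    d="$WORK/$1"
    if openssl verify -CAfile "$d/ca-crt.pem" -untrusted "$d/int-crt.pem" \
            "$d/usr-crt.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Stand-alone run ("sh chain-check.sh run"): expect no/fail for plain, yes/ok for withext.
if [ "${1:-}" = run ]; then
    for mode in plain withext; do
        build_chain "$mode"
        echo "$mode: CA:TRUE=$(intermediate_is_ca "$mode") verify=$(verify_leaf "$mode")"
    done
fi
```

Once the intermediate carries these extensions, the post's own `-CAfile chain.pem` form (root and intermediate concatenated) passes as well; `-untrusted` is used above because it keeps the intermediate out of the trust store, so only the root is an anchor. The `intermediate_is_ca` check is also the one to run on a certificate bundle received from a third party: `openssl x509 -noout -text` shows immediately whether each issuing certificate in the bundle is marked CA:TRUE.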
I don't think that post is a good place to start debugging your errors. It sounds like your keys are in a mess, and I would google the error and do any housekeeping along the way (e.g. temporarily move non-kosher keys) that seems appropriate.
error 20 at 0 depth lookup: unable to get local issuer certificate
error usr-crt.pem: verification failed
and reckoned you had issues. OpenSSL is fairly good at sorting keys, once you give it half a chance. I would move those keys aside, follow a "Setting up …" type howto in an empty directory and see where you get. Your distro should have instructions. You can always move the originals back.
This is the exact same issue I'm seeing with keys being provided to me by another company.
I'm not familiar with openssl, other than the openssl man pages; is there anything else to read up on about how to troubleshoot? OP, were you able to make any headway on this?
Last edited by JockVSJock; 07-23-2021 at 12:56 PM.
"Unable to get issuer certificate" means openssl can't find all the pieces of the cert chain. Forgive my lack of detail, but it's been several years since I have done cert work with openssl. It looks like you are trying to create a p7b (cert and entire chain in a single file), is that correct?
I'm not creating the digital cert. It is coming from another company we are working with, so we can access their server over a secure connection (either L2TP or PPTP). This other company wants us to import the cert into Mozilla Firefox.
At first the cert wouldn't load into Firefox on a RHEL8 workstation (can't remember the exact error message as I'm at home typing this, not at work). I told the tech rep at the other company and he tried to pass it off that Firefox has been locked down. I don't think that is true as I can type
Code:
about:config
in the search bar and look at all of the various browser settings and change them, if I like. If the browser was truly locked down, I don't think I would be able to do that under RHEL8. Not even sure if that is an option under RHEL8. Windows with IE for sure with Group Policy.
That's when I started to investigate the certs more with openssl commands and found this same thread.
Last edited by JockVSJock; 07-24-2021 at 08:16 AM.