I'm trying to test some services and they need to talk to each other over https ( and they can't talk over http). I want to:
- create a Root CA that I can install in my Ubuntu-based docker images
- sign a subdomain cert like
*.example.com
such that curl and openssl will validate against it, with the root CA cert manually installed into the Ubuntu system.
In pursuit of 2, I've tried following this chap's example, but I'm not sure if it works with star certs.
I cobbled together the sequence of steps into a bash script:
#!/bin/bash -x
SUBDOMAIN=example.com
openssl genrsa -des3 -out rootCA.key -passout pass:pass 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 2048 -out rootCA.crt \
-passin pass:pass \
-subj "/C=US/ST=WA/L=Seattle/O=Foo/OU=bar/CN=*.$SUBDOMAIN"
openssl genrsa -out star.$SUBDOMAIN.key 4096
openssl req -new -key star.$SUBDOMAIN.key -out star.$SUBDOMAIN.csr \
-subj "/C=US/ST=WA/L=Seattle/O=Foo/OU=bar/CN=*.$SUBDOMAIN"
cat > $SUBDOMAIN.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.$SUBDOMAIN
EOF
openssl x509 -req -in star.$SUBDOMAIN.csr -CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out star.$SUBDOMAIN.crt -days 3650 -sha256 -passin pass:pass \
-extfile $SUBDOMAIN.ext
openssl x509 -in star.$SUBDOMAIN.crt -text -noout
cat star.$SUBDOMAIN.crt star.$SUBDOMAIN.key > star.$SUBDOMAIN.pem
socat openssl-listen:4433,reuseaddr,fork,forever,cert=star.$SUBDOMAIN.pem,cafile=star.$SUBDOMAIN.crt \
exec:'/bin/cat' &
openssl s_client -CAfile rootCA.crt --connect localhost:4433
kill %
When openssl runs at the end, it fails to validate with a message:
[...]
Verification error: unable to verify the first certificate
[...]
Is there something glaring about this cert generation flow that would cause openssl to reject it? I've tried curl and openssl on full verbosity, but this eludes me.
Full log:
+ export SUBDOMAIN=example.com
+ SUBDOMAIN=example.com
+ openssl genrsa -des3 -out rootCA.key -passout pass:pass 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..........................................................................................................................................++++
.............................++++
e is 65537 (0x010001)
+ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 2048 -out rootCA.crt -passin pass:pass -subj '/C=US/ST=WA/L=Seattle/O=Foo/OU=bar/CN=*.example.com'
+ openssl genrsa -out star.example.com.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..............................................++++
........................................................................++++
e is 65537 (0x010001)
+ openssl req -new -key star.example.com.key -out star.example.com.csr -subj '/C=US/ST=WA/L=Seattle/O=Foo/OU=bar/CN=*.example.com'
+ cat
+ openssl x509 -req -in star.example.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out star.example.com.crt -days 3650 -sha256 -passin pass:pass -extfile example.com.ext
Signature ok
subject=C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
Getting CA Private Key
+ openssl x509 -in star.example.com.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
71:bb:c2:01:cb:c8:e4:b0:b8:9f:0f:45:0b:52:67:b8:ae:9f:d8:af
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
Validity
Not Before: Aug 4 02:52:01 2021 GMT
Not After : Aug 2 02:52:01 2031 GMT
Subject: C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:97:13:94:b2:51:9d:40:2a:09:b3:b0:7a:57:d7:
a2:22:d5:91:8b:4f:6a:b0:2d:55:00:95:9e:79:31:
75:3e:44:85:6c:59:54:d5:1e:bb:d8:61:e2:f1:4e:
e1:7d:83:d7:a0:c2:56:fd:f8:b9:b9:b0:f4:db:69:
3b:51:76:63:04:43:04:37:3c:bb:53:33:6b:b2:32:
c2:9c:a3:0a:88:d3:be:ac:4d:5c:c8:05:0d:8c:79:
82:f4:b7:ac:00:d3:fb:14:a8:e7:84:d3:27:20:1e:
a7:79:13:86:b5:94:79:f1:cc:31:ff:d6:d9:2a:99:
ac:13:9c:c6:8c:67:17:19:c4:57:95:7d:ad:bd:f8:
2a:70:08:67:5f:2f:c7:09:5a:df:bd:a7:75:6a:a7:
f9:83:32:ee:24:2b:d5:a2:f5:ac:b5:76:78:32:e5:
67:88:2a:5b:e7:ed:c3:17:bb:b8:0f:dc:80:c5:f9:
0a:d3:68:51:78:fd:c8:33:b0:db:42:46:0c:e1:4e:
93:77:ad:fb:4f:2e:47:98:6b:09:4d:94:40:ba:cd:
88:ed:85:ce:3f:2a:85:25:e9:0a:7e:4c:ba:b5:da:
d6:b9:6d:75:9a:5d:40:94:fc:c6:d0:77:8c:55:99:
ff:fd:d7:71:49:0b:03:75:f0:7a:11:d5:9a:19:57:
57:17:12:18:c4:55:c2:c5:44:1e:d5:4b:06:60:39:
4f:2b:17:81:63:14:e0:f3:75:2c:fb:b2:78:76:c6:
74:e4:7d:7f:25:db:c5:66:0a:64:6a:36:c6:8d:b9:
f7:5c:dc:77:a9:2f:4a:94:1a:da:8c:fb:ac:b7:64:
e6:d4:6c:d0:e9:9c:64:05:5d:96:81:fa:20:87:2a:
56:25:dc:96:ce:90:8c:ba:ef:3b:2e:9a:8b:db:54:
84:48:4e:59:d1:e5:31:f8:e6:57:97:b5:3b:fa:d7:
de:63:c5:94:c2:2a:07:50:6d:58:5b:87:ed:b3:5e:
af:15:14:9e:2e:65:c1:df:2c:4d:35:2b:ce:24:f9:
ad:8b:5e:6c:00:6d:ce:28:2a:33:33:bd:8e:1a:64:
cd:15:72:85:79:7e:e7:bd:07:74:d7:0c:c6:8b:7d:
29:5f:71:d2:f7:82:17:15:00:57:2b:14:1c:f8:cb:
c4:25:51:79:62:d2:41:18:44:18:a4:4b:1e:6a:f2:
16:33:e5:47:39:73:5c:8b:d8:39:4b:f3:79:b2:12:
90:68:98:8f:18:8a:18:e8:5a:e0:c4:c8:88:e6:e4:
8f:5a:59:b4:9f:d7:81:ed:d5:e3:23:f9:86:6e:d1:
6d:a1:00:d0:f9:44:42:9e:3d:d3:50:97:ee:26:bf:
c3:18:35
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:44:EE:13:83:5C:D7:C8:11:78:64:A2:F1:E1:9C:CF:D9:F2:FE:57:7E
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:*.example.com
Signature Algorithm: sha256WithRSAEncryption
2c:fb:18:13:84:86:c4:f9:87:ab:ae:c6:bf:b9:48:75:d0:83:
a0:5b:06:01:ca:72:c5:8f:9e:f7:29:6d:eb:d2:6b:9d:2d:ad:
34:49:27:b8:8e:e6:06:70:52:94:e7:e6:54:67:73:93:dc:43:
05:28:ad:6d:f8:e1:34:ad:52:e2:bf:36:0d:e9:a6:f1:21:17:
87:8c:92:15:62:57:60:72:a2:c7:86:b9:b3:7d:8b:be:4b:14:
32:8e:4d:17:60:21:f2:76:d5:1f:55:89:d6:bb:b6:0e:f7:f9:
1d:98:cb:01:ee:59:43:a5:99:96:5d:3c:da:23:61:4a:5c:6a:
64:e2:87:eb:a0:02:e9:6c:1c:f5:32:52:b5:bb:56:c3:a8:10:
84:6e:b2:df:33:28:11:ec:fd:1f:08:d4:5a:45:ed:a7:ea:4d:
57:8e:9a:44:a1:b5:65:05:ed:5e:1e:8d:c1:52:fa:be:1d:1e:
6c:4a:be:5d:a2:fb:9f:19:3e:1e:5c:20:15:ce:0a:95:c3:d6:
b0:f8:44:71:3b:66:e3:e2:54:f2:f5:08:72:04:5a:90:fb:65:
47:e2:aa:9f:a7:5c:e1:e4:00:09:cc:e7:e7:a5:4a:58:04:53:
50:52:6b:92:60:2e:44:59:78:2c:5f:d0:b4:86:fe:e0:44:f1:
a2:0d:79:55:51:fb:65:81:c5:06:3c:d7:5a:4d:71:39:72:8c:
ee:df:4b:ed:2e:f8:f7:7a:59:b7:7b:76:93:bd:f5:1d:80:86:
19:23:5e:b8:d9:2e:e5:67:64:ce:7c:05:5d:c7:40:3f:cf:80:
50:40:42:38:34:12:ef:f0:e5:31:04:5e:1b:48:15:17:ed:a6:
76:f0:0d:fb:5e:40:fd:f4:6c:a0:4d:b8:06:37:c1:75:04:e2:
04:b8:ce:9c:17:cb:3a:ab:20:d9:a5:0b:4f:07:ed:14:71:13:
52:38:b5:dd:ca:05:e9:6c:27:37:9e:c2:44:40:2b:50:16:df:
eb:0a:11:6c:33:ec:05:82:6c:bc:24:5f:c1:12:44:19:02:62:
02:79:8b:1f:f4:7f:77:6b:e4:42:89:cd:19:61:65:e0:79:a3:
33:48:98:e4:da:76:86:48:42:19:da:a0:6f:e0:d8:34:ab:dc:
a5:c5:03:c4:a8:7a:7a:96:20:bd:08:b0:07:5e:6b:da:9b:30:
fa:71:15:27:ee:c8:38:73:33:8b:8e:f4:a4:f5:a4:4a:c6:41:
9e:96:34:d4:21:1b:88:60:48:22:61:2d:d0:5a:5f:a4:47:50:
1c:76:81:89:b6:84:dc:05:c0:e1:a4:ca:c7:cf:43:34:ba:ae:
ce:c4:a4:e3:5d:7c:21:d6
+ cat star.example.com.crt star.example.com.key
+ openssl s_client -CAfile rootCA.crt --connect localhost:4433
+ socat openssl-listen:4433,reuseaddr,fork,forever,cert=star.example.com.pem,cafile=star.example.com.crt exec:/bin/cat
depth=0 C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
139679332975040:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
CONNECTED(00000005)
---
Certificate chain
0 s:C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
i:C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFozCCA4ugAwIBAgIUcbvCAcvI5LC4nw9FC1JnuK6f2KwwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl
MQwwCgYDVQQKDANGb28xDDAKBgNVBAsMA2JhcjEWMBQGA1UEAwwNKi5leGFtcGxl
LmNvbTAeFw0yMTA4MDQwMjM2MzFaFw0zMTA4MDIwMjM2MzFaMGAxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEMMAoGA1UECgwDRm9v
MQwwCgYDVQQLDANiYXIxFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQC8DW2AOpAMnsQuQwk21m4D5cmF0LjAcw68
LuML7g1TwqPRmVLfB4YEnhj63J4gT2wgk/p63ZaMQUOh1wc/b7biqtJCUXc/VL0d
CIW0qxq6cnvH2VhC0eLAJJWIUbemaRmz3E/TiLbmr+B2/jOjT9oSFmkDGhSbya5Y
Y/LD4AVmktnB/QJK8MfND+pptZ89i1Mk5Z/0QItT/iD3Y4Te3FwZkZ2E0V8Iwtih
oWKBj/7MaQgJVCLpIUs1sjjMvJAJ/gfD+2hVv3MP8loz3+pm2G1QNYNi49ZPd7F7
DbWN4bAiAnwCccozv7LkXm0KSB5pO5qK+KbKIGj6SKjy5c9yoRNrv0/1mz6+D80L
R6yVXGjwbEKD9KHiH9cP80GC70wmazHyknMq1dFMnqWgjzddfcqqYcpB89wkeh2l
M3tDXiXblfLe3iFl3lCjVxO2TrE9fLYN7D9i283xf3qF5zDo1ZIkmiIP2OoRXevv
Oi2c/fv+KjrvCFxJlvzHVNc6arWZs+f/+V+ICma8H26r1gx+FWk7mMktGWhAVzws
9y4xYW9774s2PRh02IJoKrd66kjxkDWzbnUoSr3Ec6F/uLSkVT/MIT4ga2SyxOdT
SCs2I0otq+VsM+buUfqCWmdez+r5h6DWPQbz/veFezQjC/iUa6gssTRG5adjEKl5
09/gdHJDWwIDAQABo1UwUzAfBgNVHSMEGDAWgBSfkf4s0l150XoIaVhcasDNnbCV
mjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAYBgNVHREEETAPgg0qLmV4YW1wbGUu
Y29tMA0GCSqGSIb3DQEBCwUAA4ICAQA3pJbauHPX+o6MwwhNLECoFpQsQZZzfHhY
PrwXW6owrjiefzYwZCtMkPe/1mU6XJrRnAq/9VZX85Pzp1dTcztc1GnugGCE+okr
vvMDARlNZk8AAlE/zGWpL72paYVHvb71hkwTwVnvDIiKY2YtMut5fRTf4oanw5x7
1c2i1aInbRiU50VPTIJJksXG082ndm5XuLgnFpd/4x93kcQ064WS30YnCbIkWDkN
Prru79avjo9YAXl4JGi3DFKs3MnOC1C8sS9TcWPA6v2rlDpyR/xQ3e10SkW+8aKE
JN/KkrDCdukXfP6PeI4kS8hfGTBZQnQ6vumMxwf3jfS61l9zc9RA6h5R1r7h21Mj
9+K1VLgbCpmeE6fQj/hADkWYt+Osnf1MbhoZ+iotkHR6V4JkodSXOyvUahSPYz4d
mpSmBfKWkXyqe3lrXiWacw9mLMVKUEfQq0qFT0b/rnguo09rqAsBPJcgAvgnoGZ3
voGrW6LXUbIWlnsOuS3UEFaIbTlxwXi1zHQDGi7dsfIX5rWK9+xDALz58XeY5QFa
BvhZoJk9Vwx/fEdI2T8Y35vqUCJgqPTkHVSEu3aoXIz47IHlpXibS/UkyxRWr9RW
DO2FjK5VlgXQtmrBKbMyz0kEn+f463MUo9FigXa6/SZWIHATMEdlnyVMjimMPS+J
tQyAbcvB/Q==
-----END CERTIFICATE-----
subject=C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
issuer=C = US, ST = WA, L = Seattle, O = Foo, OU = bar, CN = *.example.com
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2205 bytes and written 449 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 093BFC9F755DDE826FA6D83C9DFFEAD03033DE4ED32247FBEF0A652D1DF8832C464FEBFD7533D08584B05882702FD649
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1628045521
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
+ kill %