
I am having trouble connecting to an SSL site (not mine) from the command line. The certification path goes "GeoTrust Global CA" > "GeoTrust SSL CA" > "*.131500.com.au". The server recently replaced their certificate (valid from May 13 2013), which would be around the time this stopped working.

I see the same problem using curl, wget, "openssl s_client" and whynopadlock.com, and on three different hosts (two different Ubuntu 13.04 hosts, including a fresh VM, and one Windows-7-x64/cygwin).

I don't have an issue when using a browser though (Google Chrome 26.0.1410.64 m on Windows-7-x64).

Does anyone have any pointers here? I'd ordinarily blame my ssl client config, but this is happening on multiple hosts. I'd blame the site's config next, but why does it work fine in Chrome?

Is it possible something's changed with GeoTrust that requires a config change?

www.whynopadlock.com reports:

SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: cannot verify tdx.131500.com.au's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA': Unable to locally verify the issuer's authority.

openssl s_client has the following to say:

$ openssl s_client -connect tdx.131500.com.au:443
CONNECTED(00000003)
depth=0 serialNumber = 8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq, C = AU, ST = New South Wales, L = North Sydney, O = SERCO GROUP PTY LIMITED, CN = *.131500.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq, C = AU, ST = New South Wales, L = North Sydney, O = SERCO GROUP PTY LIMITED, CN = *.131500.com.au
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = 8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq, C = AU, ST = New South Wales, L = North Sydney, O = SERCO GROUP PTY LIMITED, CN = *.131500.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq/C=AU/ST=New South Wales/L=North Sydney/O=SERCO GROUP PTY LIMITED/CN=*.131500.com.au
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/serialNumber=8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq/C=AU/ST=New South Wales/L=North Sydney/O=SERCO GROUP PTY LIMITED/CN=*.131500.com.au
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1435 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 1D1C840AF8B831E4070232FC2E8057F0BAB6E1B5A37CB3C93F415C715E4CE05F
    Session-ID-ctx:
    Master-Key: A00FD977D39342B4F1DEA1A4ECCD74BDD09E709FAB7468105D78D476D9E22D330102891E341AB177B98B8BD8E29C9238
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1369021662
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
Martin

2 Answers


The server is not configured properly — it does not send the required intermediate certificate. Note that there is only one certificate in the certificate chain:

---
Certificate chain
 0 s:/serialNumber=8z3ZNMMt8GMi9Qumrn0xficRkxAYJZQq/C=AU/ST=New South Wales/L=North Sydney/O=SERCO GROUP PTY LIMITED/CN=*.131500.com.au
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---

There should be a second certificate after this with the subject s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA.

In Apache, intermediate certificates are configured using the SSLCertificateChainFile option.

As for why this site seems to work for you in Chrome, there are several possible explanations:

  1. Different browsers may use separate certificate stores, and your Chrome may have the GeoTrust SSL CA certificate trusted directly (however, this is unlikely to be the case if the CA intended to use that certificate as intermediate).

  2. Browsers often cache intermediate certificates in their certificate stores, therefore if you previously had visited another site which had the GeoTrust SSL CA intermediate certificate properly configured, you may then be able to access a site which uses the same intermediate certificate, but does not properly send it to clients, without security warnings, because the browser can get the required intermediate certificate from its cache and is able to verify the certificate chain.

  3. The end entity certificate in question contains an HTTP URL which could be used to fetch the intermediate certificate:

        Authority Information Access: 
            OCSP - URI:http://gtssl-ocsp.geotrust.com
            CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
    

    (the CA Issuers link here points to the issuer certificate in DER format). Some systems may be able to use such links to fetch the intermediate certificate even if it is not returned by the server. According to Mozilla Bug 399324, Firefox (and other software based on Mozilla) is not currently able to follow such AIA links; however, Internet Explorer is able to use them.

Sergey Vlasov
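A way to turn an s_client transcript like the one in the question into a pass/fail check, added here as an example and not code from the question or either answer. It counts how many certificates the server actually sent and maps openssl's final "Verify return code" to a one-word verdict, so a server that omits its intermediate shows up as "missing-intermediate" rather than a wall of verify errors. The two embedded transcripts are constructed samples (one trimmed from the question's output, one showing what a correctly configured server would send); the live-check branch, its host:port handling and the use of -servername are assumptions about your environment.

```shell
#!/bin/sh
# Added example (not from the question or answers): classify the output of
# "openssl s_client -connect HOST:443 </dev/null" according to whether the
# server sent its intermediate certificate(s) or only the end-entity cert.

# How many certificates the server sent: the " 0 s:/...", " 1 s:/..." lines.
chain_depth() {
    grep -c '^ *[0-9][0-9]* s:' "$1" || true
}

# Issuer of the last certificate sent; the local trust store must contain it
# (or the client must fetch it via AIA) for verification to succeed.
top_issuer() {
    grep '^ *i:' "$1" | tail -n 1 | sed 's/^ *i://'
}

# The final verify code openssl reported (0 means the chain verified).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# One-word verdict for a saved s_client transcript.
diagnose() {
    code=$(verify_code "$1")
    case "$code" in
        0)    echo "complete" ;;
        21)   # "unable to verify the first certificate": only the leaf was sent,
              # so the intermediate must already be known to (or fetched by) the client.
              echo "missing-intermediate" ;;
        2|20) # the chain was sent, but its last issuer is not in the local store
              echo "untrusted-issuer" ;;
        *)    echo "verify-error-${code:-unknown}" ;;
    esac
}

# Constructed sample: trimmed from the question's transcript (leaf only).
write_leaf_only_sample() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=0 C = AU, O = SERCO GROUP PTY LIMITED, CN = *.131500.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/C=AU/O=SERCO GROUP PTY LIMITED/CN=*.131500.com.au
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: what the same server would send once the intermediate is installed.
write_full_chain_sample() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AU/O=SERCO GROUP PTY LIMITED/CN=*.131500.com.au
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust Global CA
---
    Verify return code: 0 (ok)
EOF
}

# Usage: sh chaincheck.sh HOST[:PORT]   (live check; runs openssl s_client)
#        sh chaincheck.sh               (runs the two constructed samples)
if [ "$#" -ge 1 ]; then
    target="$1"
    case "$target" in *:*) ;; *) target="$target:443" ;; esac
    tmp=$(mktemp)
    openssl s_client -connect "$target" -servername "${target%%:*}" </dev/null 2>/dev/null > "$tmp"
    echo "$target: $(diagnose "$tmp") (sent $(chain_depth "$tmp") cert(s), top issuer:$(top_issuer "$tmp"))"
    rm -f "$tmp"
else
    for name in leaf_only full_chain; do
        tmp=$(mktemp)
        "write_${name}_sample" "$tmp"
        echo "$name: $(diagnose "$tmp") (sent $(chain_depth "$tmp") cert(s), top issuer:$(top_issuer "$tmp"))"
        rm -f "$tmp"
    done
fi
```

Run it with no arguments to see the two samples, or with a host name to test a live server. A "missing-intermediate" verdict with one certificate sent is exactly the situation the answer describes, and it is also why a browser that has cached the intermediate from another site, or fetched it through the AIA link, can disagree with the command-line tools.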

openssl cannot find the intermediate certificate(s). The fact that whynopadlock.com cannot either suggests they were not installed in the first place, and it works in (some) browsers because they already have the intermediate certificates. The site owner needs to install the intermediate certificates, which can be downloaded from geotrust.com. Instructions for installation can also be found there.

If it sometimes works and sometimes fails, then the site owner has forgotten to install the intermediate certificates on all servers (or load balancers).

ramruma