Ticket #1127 (closed defect: fixed)

Opened 11 years ago

Last modified 11 years ago

SSLCA certificate validation is being carried out with the CA specified as `untrusted'

Reported by: Michael Fincham <[email protected]…>
Owned by:
Priority: major
Milestone:
Component: bcfg2-server
Version: 1.0
Keywords:
Cc: Chris St. Pierre <[email protected]…>


On my installation SSLCA managed certificates are only valid during the client run in which they are created, subsequent runs declare the certificate as invalid and delete it.

I see that diff:src/lib/Server/Plugins/[email protected]:f379b0e43cfa0137379ad0f78f48223eba7db61a on line 187 the way openssl is called was changed:

  • res = Popen(["openssl", "verify", "-CAfile", chaincert, cert],

+ res = Popen(["openssl", "verify", "-untrusted", chaincert, "-purpose", + "sslserver", cert],
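Review bot: swapping `-CAfile` for `-untrusted` changes what `chaincert` means to `openssl verify`: the file becomes a pool of untrusted intermediate certificates rather than a trust anchor, so when `chaincert` holds a self-signed root CA (as in this installation) nothing anchors the chain and verification fails with error 19 at depth 1, exactly as the log below shows. If the goal is to support intermediate chaincerts, the root still has to be supplied as a trust anchor (via `-CAfile` or the system bundle) with the intermediate passed through `-untrusted`, e.g. `openssl verify -CAfile <root> -untrusted <intermediate> -purpose sslserver <cert>`, rather than replacing one flag with the other.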

This seems to cause validation of the stored cert to always fail:

Aug 27 18:26:48 manager bcfg2-server[29849]: SSLCA: /etc/stunnel/mysql-client-cert.pem failed verification against CA: /var/lib/bcfg2/SSLCA/etc/stunnel/mysql-client-cert.pem/ /C=NZ/O=Example/ 19 at 1 depth lookup:self signed cer

Changing "-untrusted" back to "-CAfile" allows validation to succeed:

SSLCA/etc/stunnel/mysql-client-cert.pem/ OK

Is there some reason I can't discern for why this was changed to "-untrusted"?


Change History

comment:1 Changed 11 years ago by

  • Owner changed from desai to
  • Status changed from new to accepted

comment:2 Changed 11 years ago by

  • Status changed from accepted to closed
  • Resolution set to fixed

Fixed in:

-CAfile was changed to -untrusted to support verifying against an intermediate cert, but it broke verification against a root CA cert. If you are verifying against a root CA cert, you will need to either apply the patch above and set root_ca = true in bcfg2.conf, or keep the change you've already made. If you're verifying against a cert bundle (i.e., a file that contains both the root cert and an intermediate cert), then you can split the root cert out and add it to your ca-bundle.crt, and just set chaincert to your intermediate cert.
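To make the distinction in comment:2 concrete, here is an added shell example (not code from the ticket or from bcfg2) that builds a constructed throwaway PKI in a temp directory and runs the two `openssl verify` forms the ticket compares, plus the root-in-`-CAfile` + intermediate-in-`-untrusted` combination that the fix recommends. It assumes an `openssl` binary (1.1.1 or later) is on the PATH; all names and subjects are made up.

```shell
#!/bin/sh
# Added example: why `openssl verify -untrusted <root>` fails while `-CAfile <root>`
# succeeds, using a constructed PKI: root CA, intermediate CA, and two leaf certs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private key + CSR for "$1" with subject "$2" (EC keys keep generation fast).
newkey() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Build the constructed PKI: self-signed root, intermediate signed by the root,
# "leaf" issued by the intermediate, "direct" issued straight from the root.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  newkey root   "/O=Example/CN=Root CA"
  newkey inter  "/O=Example/CN=Intermediate CA"
  newkey leaf   "/O=Example/CN=mysql-client"
  newkey direct "/O=Example/CN=mysql-client"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/direct.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/direct.pem" >/dev/null 2>&1
}

# Echo 0 if `openssl verify` with the given arguments succeeds, else 1.
verify_with() { openssl verify "$@" >/dev/null 2>&1 && echo 0 || echo 1; }
# The two forms the ticket compares: chaincert as trust anchor vs. as untrusted.
cafile_only()    { verify_with -CAfile "$1" -purpose sslserver "$2"; }
untrusted_only() { verify_with -untrusted "$1" -purpose sslserver "$2"; }

make_pki
echo "root via -CAfile, leaf signed by root:     $(cafile_only "$WORK/root.pem" "$WORK/direct.pem")"     # 0: OK (the old code)
echo "root via -untrusted, leaf signed by root:  $(untrusted_only "$WORK/root.pem" "$WORK/direct.pem")"  # 1: the ticket's failure, self-signed cert at depth 1
echo "root via -CAfile, leaf via intermediate:   $(cafile_only "$WORK/root.pem" "$WORK/leaf.pem")"       # 1: intermediate unknown, the case -untrusted was meant to fix
echo "intermediate via -untrusted, no root:      $(untrusted_only "$WORK/inter.pem" "$WORK/leaf.pem")"   # 1: no trust anchor at all
echo "root in -CAfile + intermediate -untrusted: $(verify_with -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem")"  # 0: comment:2's split setup
```

The last line is the shape comment:2 describes: the root lives in the trusted bundle and only the intermediate is passed as `chaincert` via `-untrusted`.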

comment:3 Changed 11 years ago by Michael Fincham <[email protected]…>

Thanks! I cannot tell you how much I appreciate your speedy patch for this :)
