Problem:
You ran the system diagnostic and got the following message:
root@slave:/usr/local/share/ca-certificates# univention-run-diagnostic-checks -t 02_certificate_check
Domain Admin Login:Administrator
Password:
You can find the logging messages of the diagnostic modules at /var/log/univention/management-console-module-diagnostic.log
############################
## Check failed: 02_certificate_check - Überprüfe Gültigkeit der SSL Zertifikate
Ungültiges Zertifikat '/etc/schein/ssl/schein-me.pem' gefunden:
error /etc/schein/ssl/schein-me.pem: verification failed
Siehe {sdb} für Informationen zum Erneuern von Zertifikaten.
########### End #############
Investigation:
openssl verify /etc/schein/ssl/schein-me.pem
error /etc/schein/ssl/schein-me.pem: verification failed
Find the issuer in the certificate and check whether that issuer's CA certificate is present in /etc/ssl/certs:
openssl x509 -in /etc/schein/ssl/schein-me.pem -text -noout | grep -Ei "(issuer|subject)"
Issuer: C = TLD, O = Security Cert Org, OU = Central Certification Authority, CN = Central Domain Validation CA SHA2
Subject: C = DE, CN = *.schein-me.de
Subject Public Key Info:
CA Issuers - URI:http://repository.secert.tld/myIssuerCA.cer <--
X509v3 Subject Key Identifier:
X509v3 Issuer Alternative Name:
X509v3 Subject Alternative Name:
ls -lah /etc/ssl/certs/ | grep "Certum Domain Validation"
→ not found
Look in /usr/local/share/ca-certificates as well.
ls -l
lrwxrwxrwx 1 root staff 36 Apr 20 2017 ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem
You will find at least this one there. The CA certificate of your issuer should be here as well.
Solution
Get the CA from the issuer:
# /usr/local/share/ca-certificates# wget http://repository.certum.pl/myIssuerCA.cer
# file myIssuerCA.cer
myIssuerCA.cer: data
Convert the DER data to PEM:
# openssl x509 -inform der -in myIssuerCA.cer -out myIssuerCA.pem
# file myIssuerCA.pem
myIssuerCA.pem: PEM certificate
Rename it to the .crt extension that update-ca-certificates expects:
# mv myIssuerCA.pem myIssuerCA.crt
and update the trust store:
# /usr/local/share/ca-certificates# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Check verification:
openssl verify -CAfile 'myIssuerCA.crt' /etc/schein/ssl/schein-me.pem
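The same investigation and repair, carried through end to end as an added example that is not part of the original article: it builds a throwaway CA and a leaf certificate signed by it (constructed test data; the names Example Issuer CA, *.example.test and repository.example.test are assumptions), shows the leaf failing `openssl verify` while the issuer is missing, reads the issuer and the "CA Issuers" download URI out of the certificate, then converts the DER .cer to PEM, gives it the .crt ending, and makes it findable by subject hash. A temporary directory stands in for /etc/ssl/certs, and the hash symlink created by hand stands in for what update-ca-certificates does on the real system, so nothing here touches the host trust store.

```shell
#!/bin/sh
# Added example (not from the original article): offline walk-through of the
# diagnosis and repair with constructed certificates. Example Issuer CA,
# *.example.test and repository.example.test are made-up test values.
set -e
WORK="$(mktemp -d)"
STORE="$WORK/store"            # stand-in for /etc/ssl/certs
mkdir -p "$STORE"
trap 'rm -rf "$WORK"' EXIT

# Constructed CA (exported as DER .cer, the way issuers usually publish it)
# and a leaf certificate whose AIA extension points at that download.
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/C=XX/O=Example Test Org/CN=Example Issuer CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/C=XX/CN=*.example.test" 2>/dev/null
  printf '%s\n' \
    'authorityInfoAccess = caIssuers;URI:http://repository.example.test/myIssuerCA.cer' \
    'subjectAltName = DNS:*.example.test' > "$WORK/leaf.ext"
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  openssl x509 -in "$WORK/ca.pem" -outform der -out "$WORK/myIssuerCA.cer"
}

# Step 1: does the certificate verify at all? Extra args (-CAfile/-CApath)
# are passed straight to openssl verify. Returns openssl's exit status.
verify_cert() {
  cert="$1"; shift
  openssl verify "$@" "$cert" >/dev/null 2>&1
}

# Step 2: who issued it, and where does the issuer publish its CA certificate?
issuer_of() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }
ca_issuers_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# Step 3: is a .crt whose subject equals the leaf's issuer already in the store?
issuer_in_store() {
  want="$(issuer_of "$1")"
  for f in "$STORE"/*.crt; do
    [ -f "$f" ] || continue
    [ "$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')" = "$want" ] && return 0
  done
  return 1
}

# The repair: DER -> PEM, .crt ending, and a <subject_hash>.0 symlink so that
# -CApath lookups find it (this symlink is what update-ca-certificates/c_rehash
# maintain in /etc/ssl/certs on a real system).
install_ca() {
  der="$1"; name="$(basename "$der" .cer)"
  openssl x509 -inform der -in "$der" -out "$STORE/$name.crt"
  hash="$(openssl x509 -in "$STORE/$name.crt" -noout -subject_hash)"
  ln -sf "$name.crt" "$STORE/$hash.0"
}

make_test_certs
echo "issuer:      $(issuer_of "$WORK/leaf.pem")"
echo "CA download: $(ca_issuers_uri "$WORK/leaf.pem")"
if verify_cert "$WORK/leaf.pem"; then
  echo "leaf.pem verifies before the CA is installed (unexpected)"
else
  echo "leaf.pem: verification failed (issuer CA missing, as in the article)"
fi
issuer_in_store "$WORK/leaf.pem" || echo "issuer CA not in store -> installing"
install_ca "$WORK/myIssuerCA.cer"
verify_cert "$WORK/leaf.pem" -CApath "$STORE" && echo "leaf.pem: OK via -CApath"
verify_cert "$WORK/leaf.pem" -CAfile "$STORE/myIssuerCA.crt" && echo "leaf.pem: OK via -CAfile"
```

Running it prints the issuer and the AIA URI, the expected failure before the CA is installed, and two successful verifications afterwards: one through the hashed directory (how the system store is consulted) and one with -CAfile as in the article's final check. On a real UCS host the install step is the wget / openssl x509 -inform der / mv / update-ca-certificates sequence above; the hash symlink in the example only reproduces its effect locally.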
In more detail