Problem: My own certificate seems to provoke problems with UCS services

Problem:

When accessing several services within your UCS domain you run into errors like

Internal Server Error: service can’t be reached

The connection to the server could not be established. Please try again later. Error message: ('Could not send request.', SSLError(1, u'[SSL:CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl:c:661)'))


The following article might also interest you:
Problem: My wildcard certificate seems to provoke problems with ucs services

Investigation:

You are using a commercial certificate for your UCS domain which is signed by an Intermediate CA. When you check it, you receive an error:

openssl verify -verbose -show_chain /etc/myssl/domain.pem
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/myssl/domain.pem: verification failed

If you want to verify that the Intermediate CA you are about to install is the one which signed your own certificate, you can pass it explicitly as the CA file:

openssl verify -verbose -show_chain -CAfile /usr/local/share/ca-certificates/Intermediate_R1.crt /etc/myssl/domain.pem

Be sure not to use a chain certificate when the RootCA is already in the trust store, otherwise this will cause the RootCA to be removed!

Solution:

Copy the Intermediate CA certificate to your trust store and update the store:

root@ucs:~# cp Intermediate_R1.crt /usr/local/share/ca-certificates/
root@ucs:~# update-ca-certificates --verbose --fresh

If you are using a chain certificate, remove the RootCA from it and store the remaining Intermediate CA as Provider_Intermediate.crt. Also remove the file which contains the chain certificate. Then update your trust store again:

root@ucs:~# update-ca-certificates --verbose --fresh
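
One way to do the chain split described above, as an added example that is not part of the original article or of UCS itself: split_chain keeps every certificate whose issuer differs from its subject and skips the self-signed RootCA. The function names, the demo CA names and the throwaway chain built by make_demo_chain are assumptions made for illustration.

```sh
#!/bin/sh
# split_chain CHAIN_FILE OUT_DIR
# Copies every certificate whose issuer differs from its subject into
# OUT_DIR/Provider_Intermediate.crt; self-signed roots are skipped.
# The comparison is by name hash only, signatures are not checked here.
split_chain() {
    chain=$1
    out=$2/Provider_Intermediate.crt
    tmp=$(mktemp -d) || return 1
    # Write each PEM block of the bundle to its own file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep                          { print > (dir "/cert-" n ".pem") }
        /-----END CERTIFICATE-----/   { keep = 0 }
    ' "$chain"
    : > "$out"
    for cert in "$tmp"/cert-*.pem; do
        [ -e "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject_hash)
        issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
        if [ "$subject" = "$issuer" ]; then
            echo "skipping self-signed: $(openssl x509 -in "$cert" -noout -subject)" >&2
        else
            cat "$cert" >> "$out"
        fi
    done
    rm -rf "$tmp"
    [ -s "$out" ]   # fail if the bundle held no intermediate at all
}

# Constructed test data (assumption): a throwaway root and intermediate
# with made-up names, bundled the way a provider chain file is.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate R1" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -days 1 -extfile "$d/ca.ext" \
        -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
}
```

Copy the resulting Provider_Intermediate.crt to /usr/local/share/ca-certificates/ before running update-ca-certificates.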

Now you can verify that your certificate is valid:

openssl verify -verbose -show_chain /etc/myssl/domain.pem
/etc/myssl/domain.pem: OK