System Diagnostics - Check Validity Of SSL Certificate

ssl
diagnostic
ucs-4-3

#1

Greetings,

I hope you are well. I’ve recently purchased a wildcard SSL certificate and am using it with UCS. While I seem to have apache and the web interface working with it, system diagnostics show the error below:

Found invalid certificate ‘/etc/myssl/cert.pem’:
error /etc/myssl/cert.pem: verification failed

I followed these steps: Using your own SSL certificates

Any suggestions on how to fix this?

Thanks,
David.


#2

Hey,

my guess is that the CA you got the certificate from uses an intermediate CA that isn’t known to the UCS system.

Under the hood that system diagnostics script executes the following command:

openssl verify /path/to/certificate.pem

Armed with that knowledge one can deduce what’s to be done: register the intermediate CA certificate as a trusted CA certificate.

But first make sure this is actually the problem. Execute openssl verify /etc/myssl/cert.pem and post its output here, please.

If this is indeed the problem, you can register the intermediate CA. On Debian-based systems such as UCS the necessary steps are:

  1. Copy the intermediate CA’s certificate to /usr/local/share/ca-certificates. Note that it must be encoded in PEM (not DER), and that the file name’s extension must be .crt and not .pem.
  2. Execute the command update-ca-certificates as root.

Afterwards there should be symbolic links in /etc/ssl/certs pointing to the file you’ve copied to /usr/local/share/ca-certificates; one for the file name itself (this time with the extension .pem, curiously) and one for the hash of the certificate.

Now try that openssl verify /etc/myssl/cert.pem again.

Kind regards,
mosu


#3

Hi Mosu,

Thanks for your help.

Here’s the output of openssl verify /etc/myssl/cert.pem:

error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/myssl/cert.pem: verification failed

But you were completely right and I feel silly that I forgot to do something as simple as this. I failed to register the intermediate CA properly with UCS and after doing as you’ve instructed I no longer get the error in system diagnostics. Thank you very much for the easy fix!

Regards,
David.


#4

Glad I could help, and you’re very welcome.
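
Added example (not part of the original posts): a shell script that reproduces the failure diagnosed in this thread with a throwaway, constructed root CA, intermediate CA and wildcard leaf, then shows openssl verify succeeding once the intermediate is among the trusted certificates. The file names, subject names and the use of -CAfile with a temporary bundle instead of the system store in /etc/ssl/certs are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway root CA -> intermediate CA -> leaf, all in a temp dir.
set -eu

make_ca_chain() {   # $1 = empty working directory
  (
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # Self-signed root CA (the only certificate trusted at first).
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key \
      -subj '/CN=Constructed Root CA' -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.crt
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key \
      -subj '/CN=Constructed Intermediate CA' -out inter.csr
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 2 -out inter.crt
    # Wildcard leaf, signed by the intermediate (named cert.pem as in the thread).
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key \
      -subj '/CN=*.example.test' -out leaf.csr
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key \
      -CAcreateserial -days 2 -out cert.pem
  ) >/dev/null 2>&1
}

# Prints "OK" or the failure reason; $1 = trusted CA bundle, $2 = certificate.
verify_result() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *": OK"*) echo "OK" ;;
    *) echo "other: $out" ;;
  esac
}

demo() {
  dir=$(mktemp -d)
  make_ca_chain "$dir"
  # Only the root is trusted: the leaf's issuer (the intermediate) is unknown.
  echo "root only trusted:       $(verify_result "$dir/root.crt" "$dir/cert.pem")"
  # Stand-in for registering the intermediate as a trusted CA certificate.
  cat "$dir/root.crt" "$dir/inter.crt" > "$dir/trusted.pem"
  echo "intermediate registered: $(verify_result "$dir/trusted.pem" "$dir/cert.pem")"
  rm -rf "$dir"
}
demo
```

On a Debian-based host such as UCS, the update-ca-certificates steps from post #2 have the same effect on the system store that the combined trusted.pem bundle has here.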