
Correct way to install Intermediate certificates in Debian




Hi,

I had trouble visiting these two websites in Firefox, Epiphany and
verifying with OpenSSL.

- Births Deaths and Marriages (Government of South Australia)
  https://bdm.cbs.sa.gov.au/bdmsaonline/dbweb.asp?dbcgm=1&prprc=oac

- Hostplus Superannuation Fund
  https://hostplus.com.au/

It appears the issue according to ssllabs[0][1] is that the intermediate
certificate is not provided to you when you visit the website. If you've
visited another website with that certificate these sites will work for
you as the intermediary certificates will be cached. Chrome and Internet
Explorer will automatically download the certificate from the AIA URL,
something that Firefox apparently won't do[2]. I was able to reproduce
this issue on Debian 8, 9, Tails and Firefox on Windows 10.

On Archlinux I was able to install this certificate trivially, i.e.[3]:

$ wget -c http://cacerts.thawte.com/ThawteRSACA2018.crt \
    http://cacerts.geotrust.com/GeoTrustRSACA2018.crt

$ sudo trust -v anchor GeoTrustRSACA2018.crt
$ sudo trust -v anchor ThawteRSACA2018.crt

They were then added:

/etc/ca-certificates/trust-source
├── anchors
├── blacklist
├── GeoTrust_RSA_CA_2018.p11-kit
└── Thawte_RSA_CA_2018.p11-kit

Using OpenSSL I was then able to perform verification (this in turn
allowed wget and curl to also work):

$ openssl s_client -connect hostplus.com.au:443 -showcerts
$ openssl s_client -connect bdm.cbs.sa.gov.au:443 -showcerts

I was also now able to visit the websites with a new Firefox profile,
without getting the SEC_ERROR_UNKNOWN_ISSUER error.

I decided to try this on Debian.

$ sudo apt-get install p11-kit
$ wget -c http://cacerts.thawte.com/ThawteRSACA2018.crt \
    http://cacerts.geotrust.com/GeoTrustRSACA2018.crt

$ sudo trust -v anchor GeoTrustRSACA2018.crt
(p11-kit:1102) files_to_attrs: parsed file: GeoTrustRSACA2018.crt
p11-kit: no configured writable location to store anchors

$ sudo trust -v anchor ThawteRSACA2018.crt
(p11-kit:1104) files_to_attrs: parsed file: ThawteRSACA2018.crt
p11-kit: no configured writable location to store anchors

1) Why doesn't this work?
2) Is it related to [4][5][6]?
3) Can I fix it?

The other way I had seen to do it was:

$ sudo cp -vR *.crt /usr/local/share/ca-certificates
'GeoTrustRSACA2018.crt' -> '/usr/local/share/ca-certificates/GeoTrustRSACA2018.crt'
'ThawteRSACA2018.crt' -> '/usr/local/share/ca-certificates/ThawteRSACA2018.crt'

$ sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping GeoTrustRSACA2018.pem,it does not contain exactly one certificate or CRL
rehash: warning: skipping ThawteRSACA2018.pem,it does not contain exactly one certificate or CRL
130 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

However the sites do not seem to work in Firefox. I did wonder if that
was whether Firefox could read that store or if it only used its own
one based on this link[7] - however that is pretty old.

That is no reason however why it doesn't work with OpenSSL.

Verify return code: 21 (unable to verify the first certificate)

[0]: https://www.ssllabs.com/ssltest/analyze.html?d=bdm.cbs.sa.gov.au
[1]: https://www.ssllabs.com/ssltest/analyze.html?d=hostplus.com.au
[2]: https://bugzilla.mozilla.org/show_bug.cgi?id=399324
[3]: https://wiki.archlinux.org/index.php/Ca-certificates#Trust_a_certificate_authority_system-wide
[4]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752485
[5]: https://lists.freedesktop.org/archives/p11-glue/2017-July/000673.html
[6]: https://github.com/p11-glue/p11-kit/issues/115
[7]: http://blog.xelnor.net/firefox-systemcerts/

-- 
Tyler (tya99)
rsa4096/0x9C9954F88E388859
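
An added example, not part of the original post: update-ca-certificates expects each .crt file to hold a single PEM certificate, and a DER-encoded download is one common cause of the "does not contain exactly one certificate or CRL" warning shown above. Whether that applies to the two files in the post is an assumption; the function names cert_encoding and stage_cert and the destination-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: classify a certificate file by encoding and stage it as a
# single-certificate PEM .crt file before running update-ca-certificates.

# cert_encoding FILE -> prints one of: pem | pem-bundle | der | unknown | missing
cert_encoding() {
    [ -r "$1" ] || { echo missing; return 0; }
    # Count PEM certificate headers; grep -c exits 1 on zero matches.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$n" -eq 1 ]; then
        echo pem
    elif [ "$n" -gt 1 ]; then
        echo pem-bundle        # rehash skips files holding several certificates
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo der               # binary ASN.1; must be converted before use
    else
        echo unknown
    fi
}

# stage_cert FILE DESTDIR: write FILE into DESTDIR as NAME.crt in PEM form.
# Refuses bundles and anything that does not parse as one certificate.
stage_cert() {
    out="$2/$(basename "${1%.*}").crt"
    case "$(cert_encoding "$1")" in
        pem) openssl x509 -in "$1" -out "$out" ;;
        der) openssl x509 -inform DER -in "$1" -out "$out" ;;
        *)   echo "refusing $1: not a single certificate" >&2; return 1 ;;
    esac
    # The post fetches the files over plain HTTP, so show what is about to be
    # trusted; compare the fingerprint with the value the CA publishes.
    openssl x509 -in "$out" -noout -subject -issuer -fingerprint -sha256
}

# Stand-alone use: report the encoding of each file named on the command line.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(cert_encoding "$f")"
    done
fi
```

Staging into /usr/local/share/ca-certificates, the directory used in the post, and then running update-ca-certificates makes each staged certificate a trust anchor for everything that reads /etc/ssl/certs.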