
Re: Correct way to install Intermediate certificates in Debian

On 13/4/19 3:57 pm, Alexander V. Makartsev wrote:
> On 13.04.2019 19:40, Tyler A wrote:
>> Hi,
>>
>> I had trouble visiting these two websites in Firefox, Epiphany and
>> verifying with OpenSSL.
>>
>> - Births Deaths and Marriages (Government of South Australia)
>>   https://bdm.cbs.sa.gov.au/bdmsaonline/dbweb.asp?dbcgm=1&prprc=oac
>>
>> - Hostplus Superannuation Fund
>>   https://hostplus.com.au/
>>
>> ...
> I can access both sites without any problems with my browser (Firefox).

Keep in mind, you must do this in a new profile. If you've ever visited
a website which has used the certificate it will be cached, and the site
will work. Firefox does not download the cert from the AIA link like
IE/Chrome does. So if you have Chromium, that will work. This masks the
issue.

This particularly affected me because I used an amnesic environment, i.e.
debian-live-9.8.0-amd64-gnome.iso

> AFAIK, intermediate certs are not required to be installed if they are
> valid and pass the check with the Issuer Root CA cert.
> Only private certificates that identify your client are required to be
> installed, if the remote server was configured to use them. Which is not the
> case for public web servers.
> Here [1] is the output from openssl for one connection attempt for both
> sites.

You seem to have some strange results there:

> $ openssl s_client -connect hostplus.com.au:443 2>&1
> 
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
> verify return:1
> depth=0 C = US, ST = Delaware, L = Dover, O = Incapsula Inc, CN = incapsula.com
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
>    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Whereas I got:

> $ openssl s_client -connect hostplus.com.au:443 2>&1
> CONNECTED(00000003)
> depth=0 CN = *.hostplus.com.au
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = *.hostplus.com.au
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.hostplus.com.au
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018

As for your other example:

> $ openssl s_client -connect bdm.cbs.sa.gov.au:443 2>&1
> 
> depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
> verify return:1
> depth=0 C = US, ST = Delaware, L = Dover, O = Incapsula Inc, CN = incapsula.com
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
>    i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>  1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
>    i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

I got:

> $ openssl s_client -connect bdm.cbs.sa.gov.au:443 2>&1
> CONNECTED(00000003)
> depth=0 C = AU, L = Adelaide, O = Attorney General's Department, OU = Consumer and Business Services, CN = bdm.cbs.sa.gov.au
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = AU, L = Adelaide, O = Attorney General's Department, OU = Consumer and Business Services, CN = bdm.cbs.sa.gov.au
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:C = AU, L = Adelaide, O = Attorney General's Department, OU = Consumer and Business Services, CN = bdm.cbs.sa.gov.au
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018


I got the same certificates from a European VPN as I did from within
Australia (not what you got), which appears to be a CDN.

> Just to rule out the possibility of any network misconfiguration, try to
> access both sites via the Tor network or Opera browser's VPN feature, and
> without a proxy server, if you use one.
> 
And no, they didn't work on Tor on Tails either.

-- 
Tyler (tya99)
rsa4096/0x9C9954F88E388859
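An added example, not part of this thread: a small Python script that parses `openssl s_client` transcripts like the ones quoted in this message and reports whether the server sent its intermediate, which is the condition the `verify error:num=20` / `num=21` lines signal and that an AIA-fetching or cert-caching browser hides. The two embedded transcripts are constructed from the hostplus.com.au outputs quoted above; the function names and status strings are mine.

```python
import re
# Transcripts constructed from the two hostplus.com.au outputs quoted in the thread:
# one server sends only its leaf, the other a proper leaf + intermediate chain.
INCOMPLETE = """depth=0 CN = *.hostplus.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.hostplus.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.hostplus.com.au
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
---"""
COMPLETE = """Certificate chain
 0 s:/C=US/ST=Delaware/L=Dover/O=Incapsula Inc/CN=incapsula.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---"""

def norm_dn(dn):
    """Reduce either DN style ('/C=US/O=x' or 'C = US, O = x') to one tuple form (no escaping)."""
    dn = dn.strip()
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(", ")
    return tuple(p.strip().replace(" = ", "=") for p in parts if p.strip())

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, in_chain, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break
        elif in_chain and (m := re.match(r"\s*(?:\d+\s+)?([si]):(.*)", line)):
            if m.group(1) == "s":
                subject = norm_dn(m.group(2))
            else:
                chain.append((subject, norm_dn(m.group(2))))
    return chain

def diagnose(output):
    """Return (status, sorted verify error numbers) for one s_client transcript."""
    chain = parse_chain(output)
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", output)})
    if not chain:
        return "no-chain", errors
    if any(chain[k][1] != chain[k + 1][0] for k in range(len(chain) - 1)):
        return "broken-links", errors          # a cert's issuer is not the next cert sent
    if len(chain) == 1 and 20 in errors:       # lone leaf whose issuer OpenSSL cannot find:
        return "missing-intermediate", errors  # the gap AIA fetching or caching papers over
    return "chain-ok", errors                  # path built (root may be local, not sent)
```

Run it against a fresh `openssl s_client -connect host:443 </dev/null 2>&1` capture; "chain-ok" on a host that Firefox in a new profile still rejects points at a root-store problem rather than a missing intermediate.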