How did I get here?
A while ago we set up a new Jenkins server in a new environment. Our previous Jenkins server had an SSL certificate signed by Comodo (issued through the client's internal certificate process). This new server's certificate was issued and signed by organizations called "Sectigo" (the renamed Comodo CA) and "AddTrust." The certificate had worked fine for a while…until we tried to point apt-get on Ubuntu 12 and 14 at this server (long story, don't ask; "If they didn't need us, we wouldn't be here."). The apt requests were failing with:
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Hmm…it worked for everything else; why fail now? My first thought was that the signing chain was too new for U12/U14 to recognize. But first…
Let’s check the cert order in the PEM file
A quick Google search turned up this openssl one-liner, which prints the subject and issuer of every certificate in a PEM file, in file order:
openssl crl2pkcs7 -nocrl -certfile my_pem_file.pem | openssl pkcs7 -print_certs -noout
That produced output like this:
subject=/OU=Domain Control Validated/OU=Issued through Our Company, Inc. E-PKI Manager/OU=COMODO SSL/CN=jenkins.ourcompany.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
subject=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
subject=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
issuer=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
You SSL/TLS experts are probably way ahead of me here. My server's certificate is first, as it should be, but the two middle entries are swapped. In a correctly ordered chain each certificate is followed by the certificate that issued it: entry N's "issuer" must be entry N+1's "subject," all the way up to the root. Here the server certificate's issuer is "CN=Sectigo RSA Domain Validation Secure Server CA," but the entry directly below it is the USERTrust RSA Certification Authority certificate (itself issued by "CN=AddTrust External CA Root"); the Sectigo intermediate doesn't appear until the third slot. That ordering is what RFC 5246 requires a server to send, and while newer TLS stacks will search the whole presented list for a matching issuer, older ones take the order literally. The "server certificate verification failed. CAfile: …" text is curl's GnuTLS error, and libcurl with GnuTLS is what apt-transport-https on those Ubuntu releases was built on. You can see the chain exactly as the server presents it, rather than as it sits in the file, with openssl s_client -connect jenkins.ourcompany.com:443 -showcerts.
Reordering the certificates in the PEM file produced the following output, and the U12/U14 clients were happy! (Two caveats: the self-signed AddTrust root at the end isn't strictly needed, since a client has to have it in its own trust store anyway, here /etc/ssl/certs/ca-certificates.crt, and RFC 5246 allows the server to omit it. And AddTrust External CA Root expired on 30 May 2020; after that date this particular chain only validates on clients that can find the newer self-signed USERTrust RSA root in their trust store, so a chain ending in AddTrust should be replaced rather than just reordered.)
subject=/OU=Domain Control Validated/OU=Issued through Our Company, Inc. E-PKI Manager/OU=COMODO SSL/CN=jenkins.ourcompany.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
subject=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
issuer=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
subject=/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
subject=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer=/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
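The one-liner above only prints the names; you still have to eyeball them. Below is an added example (my own script, not something from the original post) that automates the check and the repair: it splits a PEM bundle into its certificates, confirms that each certificate's issuer is the subject of the certificate that follows it, and, for a bundle that fails, rewrites it in chain order by starting from the first certificate and following issuer links up to the self-signed root. It needs only the openssl CLI. The root, issuing CA and jenkins.example.com certificates it generates are throwaway test data constructed inline; the function names, file names and the assumption that the first certificate in the bundle is the server's are mine.

```shell
#!/bin/sh
# Added example: lint and repair the order of a PEM certificate bundle.
# Rule checked: the issuer of each certificate must be the subject of the
# certificate that follows it, finishing at a self-signed root.

tab=$(printf '\t')

# Split a PEM bundle into 01.pem, 02.pem, ... in the order they appear.
split_bundle() {            # $1 = bundle file, $2 = output directory
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%02d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
  ' "$1"
}

# Print one "subject<TAB>issuer" line per certificate, in bundle order.
# The "subject=" / "issuer=" prefixes are stripped so both sides compare equal
# regardless of the OpenSSL version's name formatting.
chain_names() {             # $1 = bundle file
  d=$(mktemp -d); split_bundle "$1" "$d"
  for f in "$d"/*.pem; do
    s=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$f" -noout -issuer  | sed 's/^issuer= *//')
    printf '%s\t%s\n' "$s" "$i"
  done
  rm -rf "$d"
}

# Succeed only if every certificate is immediately followed by its issuer.
check_chain_order() {       # $1 = bundle file
  names=$(mktemp); chain_names "$1" > "$names"
  status=0; prev=""
  while IFS="$tab" read -r subj iss; do
    if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then
      echo "out of order: expected '$prev' next, found '$subj'" >&2
      status=1
    fi
    prev=$iss
  done < "$names"
  rm -f "$names"
  return $status
}

# Rewrite bundle $1 as $2 in chain order: start from $1's first certificate
# (assumed to be the server certificate) and follow issuer links to the root.
fix_chain_order() {         # $1 = bundle file, $2 = output file
  d=$(mktemp -d); split_bundle "$1" "$d"
  cur="$d/01.pem"; : > "$2"
  while [ -n "$cur" ]; do
    cat "$cur" >> "$2"
    want=$(openssl x509 -in "$cur" -noout -issuer  | sed 's/^issuer= *//')
    have=$(openssl x509 -in "$cur" -noout -subject | sed 's/^subject= *//')
    mv "$cur" "$cur.used"
    if [ "$want" = "$have" ]; then break; fi     # self-signed root: chain complete
    cur=""
    for f in "$d"/*.pem; do                      # find the cert whose subject we want
      [ -f "$f" ] || continue
      if [ "$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')" = "$want" ]; then
        cur="$f"; break
      fi
    done
  done
  rm -rf "$d"
}

# --- Constructed test data: throwaway root -> issuing CA -> server chain ---
work=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$work/ca.ext"
mkcsr() {                   # $1 = name, $2 = subject
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/$1.key" \
    -out "$work/$1.csr" -subj "$2" 2>/dev/null
}
mkcsr root "/O=Example/CN=Example Root CA"
mkcsr int  "/O=Example/CN=Example Issuing CA"
mkcsr leaf "/CN=jenkins.example.com"
openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -extfile "$work/ca.ext" \
  -out "$work/root.pem" -days 2 2>/dev/null
openssl x509 -req -in "$work/int.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
  -CAcreateserial -extfile "$work/ca.ext" -out "$work/int.pem" -days 2 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/int.pem" -CAkey "$work/int.key" \
  -CAcreateserial -out "$work/leaf.pem" -days 2 2>/dev/null

CHAIN_WRONG="$work/wrong.pem"; CHAIN_RIGHT="$work/right.pem"; CHAIN_FIXED="$work/fixed.pem"
cat "$work/leaf.pem" "$work/root.pem" "$work/int.pem" > "$CHAIN_WRONG"   # shuffled, like the Jenkins bundle
cat "$work/leaf.pem" "$work/int.pem"  "$work/root.pem" > "$CHAIN_RIGHT"

if check_chain_order "$CHAIN_WRONG"; then echo "wrong.pem: ordered"; else echo "wrong.pem: NOT ordered"; fi
fix_chain_order "$CHAIN_WRONG" "$CHAIN_FIXED"
chain_names "$CHAIN_FIXED"
# The repaired bundle must also verify cryptographically, not just by name:
openssl verify -CAfile "$work/root.pem" -untrusted "$CHAIN_FIXED" "$work/leaf.pem"
```

Run it against a real bundle with check_chain_order before deploying the file to the server; the final openssl verify is the step that catches a bundle whose names line up but whose signatures don't (for example an intermediate re-issued under the same name), which the name comparison alone cannot.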