Opened 8 years ago

Closed 8 years ago

#998 closed defect (invalid)

Intermediate cert is not sent to client with recent

Reported by: jhoblitt@…
Owned by:
Priority: critical
Milestone:
Component: nginx-core
Version: 1.10.x
Keywords: ssl tls
Cc:
uname -a: Linux jenkins-master 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'

Description

I was preparing to replace an Alphassl DV wildcard TLS cert issued last year with one issued about a month ago. The old and new certs are signed with the same intermediate. Testing was OK with web browsers which have cached the Alphassl intermediate cert. However, curl, openssl, etc. all fail to validate the new cert. After about a day of hair pulling, I have determined that nginx is not returning the intermediate cert when using the new cert, despite it being present and in the proper order in the ssl_certificate file. To be pedantic, changing only the publicly signed cert and private key causes nginx to mysteriously stop returning the intermediate to clients. The debug log traces appear almost identical between the two certs. I have tried enabling/disabling OCSP with no change in behavior.

The new cert does have a slightly different policy attached to it, but both versions are accepted by openssl's verify sub-command. I have to conclude that either Alphassl is issuing certs with bad metadata, nginx is not correctly handling TLS policy metadata, or both.

Attachments (10)

cert-chain.pem-new (3.2 KB ) - added by jhoblitt@… 8 years ago.
new tls cert
cert-chain.pem-old (3.2 KB ) - added by jhoblitt@… 8 years ago.
old tls cert
jenkins.conf (2.9 KB ) - added by jhoblitt@… 8 years ago.
nginx vhost conf
nginx-debug-new-cert.txt (2.6 KB ) - added by jhoblitt@… 8 years ago.
nginx vhost debug log with new cert
nginx-debug-old-cert.txt (2.6 KB ) - added by jhoblitt@… 8 years ago.
nginx vhost debug log with old cert
root-chain.pem (2.7 KB ) - added by jhoblitt@… 8 years ago.
ssl_trusted_certificate (shared between new/old cert)
s_client-new-cert.txt (16.3 KB ) - added by jhoblitt@… 8 years ago.
openssl s_client trace with new cert
nginx-debug-old-cert.2.txt (2.6 KB ) - added by jhoblitt@… 8 years ago.
openssl s_client trace with old cert
verify-new-cert.txt (456 bytes ) - added by jhoblitt@… 8 years ago.
openssl verify output with new cert
verify-old-cert.txt (386 bytes ) - added by jhoblitt@… 8 years ago.
openssl verify output with old cert


Change History (11)

by jhoblitt@…, 8 years ago

Attachment: cert-chain.pem-new added

new tls cert

by jhoblitt@…, 8 years ago

Attachment: cert-chain.pem-old added

old tls cert

by jhoblitt@…, 8 years ago

Attachment: jenkins.conf added

nginx vhost conf

by jhoblitt@…, 8 years ago

Attachment: nginx-debug-new-cert.txt added

nginx vhost debug log with new cert

by jhoblitt@…, 8 years ago

Attachment: nginx-debug-old-cert.txt added

nginx vhost debug log with old cert

by jhoblitt@…, 8 years ago

Attachment: root-chain.pem added

ssl_trusted_certificate (shared between new/old cert)

by jhoblitt@…, 8 years ago

Attachment: s_client-new-cert.txt added

openssl s_client trace with new cert

by jhoblitt@…, 8 years ago

Attachment: nginx-debug-old-cert.2.txt added

openssl s_client trace with old cert

by jhoblitt@…, 8 years ago

Attachment: verify-new-cert.txt added

openssl verify output with new cert

by jhoblitt@…, 8 years ago

Attachment: verify-old-cert.txt added

openssl verify output with old cert

comment:1 by Maxim Dounin, 8 years ago

Resolution: invalid
Status: new → closed

The cert-chain.pem-new file is obviously corrupted; it doesn't contain the "-----END CERTIFICATE-----" line after the first certificate.
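The root cause in comment:1 is a structural defect in the PEM bundle, not a TLS policy issue, and it is cheap to catch before reloading nginx. The check below is an added example written for this ticket; it is not code from nginx or from the reporter. It walks a bundle line by line and reports a BEGIN line that appears while the previous block is still open (the exact defect here), a body that is not valid base64, a decoded blob whose DER length does not match its byte count, and a file that ends mid-block. The sample bundles are constructed stand-ins (bare DER SEQUENCEs, not real certificates), and skipping text outside the BEGIN/END markers is an assumption about how PEM readers usually behave.

```python
import base64
import binascii
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one complete DER SEQUENCE (an X.509
    certificate is a SEQUENCE). A truncated blob, or two blobs run
    together, fails because the encoded length disagrees with the byte count."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length: one byte
        body_len, hdr = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + body_len == len(der)


def check_pem_chain(text: str) -> list:
    """Return a list of problems found in a PEM certificate bundle.
    An empty list means every block has a BEGIN/END pair, a valid base64
    body and a decoded DER length that matches its contents. Text outside
    blocks is ignored, as PEM readers generally do (assumption)."""
    problems = []
    in_block = False
    body = []
    count = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if in_block:
                # The ticket's failure mode: the previous block never closed.
                problems.append(f"line {lineno}: BEGIN while block {count} is still open (missing END line)")
            in_block, body = True, []
            count += 1
        elif line == END:
            if not in_block:
                problems.append(f"line {lineno}: END without matching BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                problems.append(f"block {count}: body is not valid base64 ({exc})")
            else:
                if not der_length_ok(der):
                    problems.append(f"block {count}: decoded DER is not a single complete certificate")
            in_block, body = False, []
        elif in_block:
            body.append(line)
    if in_block:
        problems.append(f"block {count}: file ends before END line")
    if count == 0:
        problems.append("no certificate blocks found")
    return problems


def fake_cert_der() -> bytes:
    """Constructed stand-in for a certificate: a DER SEQUENCE with a long-form
    length (real certificates are well over 127 bytes, so they use it too).
    It is not an X.509 certificate; it only exercises the structural checks."""
    body = b"\x04\x7e" + b"A" * 126        # OCTET STRING of 126 bytes
    return b"\x30\x81\x80" + body          # SEQUENCE, length 0x80 = 128 bytes


def pem_block(der: bytes) -> str:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


# Constructed sample bundles: leaf followed by intermediate.
GOOD_CHAIN = pem_block(fake_cert_der()) * 2
# The defect from comment:1: the END line after the first certificate is gone.
MISSING_END_CHAIN = GOOD_CHAIN.replace(END + "\n", "", 1)
# A bundle cut off part-way through its last block.
TRUNCATED_CHAIN = GOOD_CHAIN[:-40]


if __name__ == "__main__":
    # Usage: python check_pem_chain.py /path/to/ssl_certificate.pem
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            text = fh.read()
    else:
        text = MISSING_END_CHAIN           # demo input when no file is given
    for p in check_pem_chain(text) or ["OK: bundle is structurally sound"]:
        print(p)
```

Run it against the file named in ssl_certificate before reloading. Once the file passes, confirm what the server actually serves with `openssl s_client -connect host:443 -servername host -showcerts`, the same tool the reporter used; if that output still shows only the leaf, the bundle on disk is not the one nginx loaded.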
