Opened 3 years ago

Closed 3 years ago

#998 closed defect (invalid)

Intermediate cert is not sent to client with recent

Reported by: jhoblitt@… Owned by:
Priority: critical Milestone:
Component: nginx-core Version: 1.10.x
Keywords: ssl tls Cc:
uname -a: Linux jenkins-master 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'

Description

I was preparing to replace an Alphassl DV wildcard TLS cert issued last year with one issued about a month ago. The old and new certs are signed with the same intermediate. Testing was OK with web browsers which have cached the Alphassl intermediate cert. However, curl, openssl, etc. all fail to validate the new cert. After about a day of hair pulling, I have determined that nginx is not returning the intermediate cert when using the new cert, despite it being present and in the proper order in the ssl_certificate file. To be pedantic, changing only the publicly signed cert and private key causes nginx to mysteriously stop returning the intermediate to clients. The debug log traces appear almost identical between the two certs. I have tried enabling/disabling OCSP with no change in behavior.

The new cert does have a slightly different policy attached to it but both versions are accepted by openssl's verify sub-command. I have to conclude that either alphassl is issuing certs with bad metadata, nginx is not correctly handling tls policy metadata, or both.

Attachments (10)

cert-chain.pem-new (3.2 KB) - added by jhoblitt@… 3 years ago.
new tls cert
cert-chain.pem-old (3.2 KB) - added by jhoblitt@… 3 years ago.
old tls cert
jenkins.conf (2.9 KB) - added by jhoblitt@… 3 years ago.
nginx vhost conf
nginx-debug-new-cert.txt (2.6 KB) - added by jhoblitt@… 3 years ago.
nginx vhost debug log with new cert
nginx-debug-old-cert.txt (2.6 KB) - added by jhoblitt@… 3 years ago.
nginx vhost debug log with old cert
root-chain.pem (2.7 KB) - added by jhoblitt@… 3 years ago.
ssl_trusted_certificate (shared between new/old cert)
s_client-new-cert.txt (16.3 KB) - added by jhoblitt@… 3 years ago.
openssl s_client trace with new cert
nginx-debug-old-cert.2.txt (2.6 KB) - added by jhoblitt@… 3 years ago.
openssl s_client trace with old cert
verify-new-cert.txt (456 bytes) - added by jhoblitt@… 3 years ago.
openssl verify output with new cert
verify-old-cert.txt (386 bytes) - added by jhoblitt@… 3 years ago.
openssl verify output with old cert


Change History (11)

Changed 3 years ago by jhoblitt@…

new tls cert

Changed 3 years ago by jhoblitt@…

old tls cert

Changed 3 years ago by jhoblitt@…

nginx vhost conf

Changed 3 years ago by jhoblitt@…

nginx vhost debug log with new cert

Changed 3 years ago by jhoblitt@…

nginx vhost debug log with old cert

Changed 3 years ago by jhoblitt@…

ssl_trusted_certificate (shared between new/old cert)

Changed 3 years ago by jhoblitt@…

openssl s_client trace with new cert

Changed 3 years ago by jhoblitt@…

openssl s_client trace with old cert

Changed 3 years ago by jhoblitt@…

openssl verify output with new cert

Changed 3 years ago by jhoblitt@…

openssl verify output with old cert

comment:1 Changed 3 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

The cert-chain.pem-new file is obviously corrupted, it doesn't contain the "-----END CERTIFICATE-----" line after the first certificate.
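The resolution above is a file-format problem, not an nginx one: a missing "-----END CERTIFICATE-----" line makes the second certificate in the chain file disappear, and the server then presents only the leaf. The following checker is an added example, written for this page and not part of the ticket or of nginx, that catches that class of corruption before the file is deployed. It does not parse X.509; it only verifies that every BEGIN line is closed by an END line before the next BEGIN, that each body is valid base64, and that the decoded bytes form a single DER SEQUENCE whose length header matches the body (the outer shape of any certificate). The sample chains at the bottom are constructed placeholders with that outer shape, not real certificates; the broken one reproduces the defect mdounin points out.

```python
"""Structural lint for a PEM chain file of the kind nginx loads via ssl_certificate.

Added example, not code from the ticket or from nginx. Checks PEM framing and the
outer DER envelope only; it does not validate the certificates themselves.
"""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _der_sequence_length(der: bytes):
    """Total encoded length of a DER SEQUENCE, or None if the header is malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def lint_pem_chain(text: str):
    """Return (certificate_count, findings); findings is a list of problem strings."""
    findings = []
    count = 0
    body = None            # base64 lines of the open block, or None when outside a block
    start_line = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                # The ticket's defect: a new BEGIN before the previous block was closed.
                findings.append(f"line {lineno}: BEGIN inside the block opened at line "
                                f"{start_line}; missing '{END}'")
            body, start_line = [], lineno
        elif line == END:
            if body is None:
                findings.append(f"line {lineno}: END without a matching BEGIN")
                continue
            count += 1
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                findings.append(f"block at line {start_line}: body is not valid base64")
            else:
                want = _der_sequence_length(der)
                if want is None:
                    findings.append(f"block at line {start_line}: data is not a DER SEQUENCE")
                elif want != len(der):
                    findings.append(f"block at line {start_line}: DER length {want} "
                                    f"!= body length {len(der)}")
            body = None
        elif body is not None and line:
            body.append(line)
    if body is not None:
        findings.append(f"block at line {start_line}: file ends without '{END}'")
    return count, findings


def pem_block(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character lines, as openssl writes them."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], END])


def _fake_der_cert(payload: bytes) -> bytes:
    """Constructed placeholder: a DER SEQUENCE around an opaque payload (< 128 bytes)."""
    return b"\x30" + bytes([len(payload)]) + payload


# Constructed sample input (stand-ins, not real certificates).
LEAF = _fake_der_cert(b"constructed leaf placeholder")
INTERMEDIATE = _fake_der_cert(b"constructed intermediate placeholder")
GOOD_CHAIN = pem_block(LEAF) + "\n" + pem_block(INTERMEDIATE) + "\n"
# Drop the END line after the first certificate, as in cert-chain.pem-new.
BROKEN_CHAIN = GOOD_CHAIN.replace(END + "\n" + BEGIN, BEGIN, 1)

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("broken", BROKEN_CHAIN)):
        n, problems = lint_pem_chain(chain)
        print(f"{name}: {n} certificate(s) parsed")
        for p in problems:
            print("  ", p)
```

Run it against the real chain file with `lint_pem_chain(open("cert-chain.pem").read())`; the broken file yields a count of one and a "missing END" finding, which is exactly the symptom seen on the wire. The live-side counterpart is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, which prints every certificate the server actually sends; when only the leaf appears, inspect the file with a check like this before suspecting the server.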
