SSL CA cert not working right


Rog

Nov 21, 2014, 12:06:56 PM
to nod...@googlegroups.com
Hello Guys and Gals,

I can use your help.  I'm a n00b when it comes to SSL.  This is my first time getting a CA signed cert issued and coding a node.js instance to use https/tls.

I have the node https/tls running without any error messages upon instantiation.  I have followed this code here to get some error messages produced from the server when a call comes in with the wrong authorization.

I'm using this for my credentials.  Network Solutions gave me 4 .crt files and I attempted to cat files < All_AddTrust_DV_2_CA.crt.  Unfortunately I do not know if this is right or wrong, if it needs extra line feeds or whatever.
var secure_fs = require('fs');

var secure_options = {
   // private key matching the server certificate
   key:  secure_fs.readFileSync('THE_PATH/sample.whataremindsfor.com.key', 'utf8'),
   // certificate (and chain) that the server presents to clients
   cert: secure_fs.readFileSync('THE_PATH/SAMPLE.WHATAREMINDSFOR.COM.crt', 'utf8'),
   // trusted CAs used to verify a peer (client) certificate; not sent to clients
   ca:   secure_fs.readFileSync('THE_PATH/All_AddTrust_DV_2_CA.crt', 'utf8')
};



I found a way to attempt to test the SSL CA cert with the following call from another terminal on the same machine, getting this output below.
I hope someone can help me here.


[2014-11-21 11:11:11.380] [INFO] console - server connected 'unauthorized'
[2014-11-21 11:46:57.673] [INFO] console - server connected 'unauthorized'


openssl s_client -connect 127.0.0.1:46900
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = nsProtect Secure Xpress, CN = sample.whataremindsfor.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=nsProtect Secure Xpress/CN=sample.whataremindsfor.com
   i:/C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions DV Server CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----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/WEzfsFMEDRfDWMQkKDqgK5/GDetUHB6UFfDF
jhXVHItDo2yUHrVtDYa9uTLfQ78jp
+fARwZ+VVu8kXEI7CojXC9hHTNyiHpwt1rF
Z5
+pKMq8WCc1gQoBU6LFlFa4DTTKrpqSBhlJOHLe3GNj/TjMjxayTRilxh0EVx/M
Y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+MDyCGnNhbXBsZS53aGF0YXJlbWluZHNmb3IuY29tgh53d3cuc2Ft
cGxlLndoYXRhcmVtaW5kc2Zvci5jb20wDQYJKoZIhvcNAQELBQADggEBAExoI6yX
b0Dv4mlWrJ0pTpp3CQvu0zp8V1mWrXYtxB5DUss6VRf6r7fiL15Skb
+uayILgFwx
egs63fb
/KuX2LT8xIQyMGNZ429DSzoA2I4lJjYpShb3FS0wcrt0uWxbyByZM1Yt0
SN3ARpePSZupIaplcfcemNSdgSXSGFhmlrihiq
+z/oW5k5/jZZ6TDt1bJwZ2Bxww
SIox9MdGV/92QrpjjXcnKsJ4gL5nSA9C4YRUN4pih7buffq+DFRnvEo6kBJctGeO
4qNdRkz+V+Rmev/JbbxEMtRWf/HCBginxbyG1fJaccMXzqrS6lf4X89DD6x6YUgd
ZDEirYzqLRoDtvY=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=nsProtect Secure Xpress/CN=sample.whataremindsfor.com
issuer=/C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions DV Server CA 2
---
No client certificate CA names sent
---
SSL handshake has read 1711 bytes and written 581 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 6328E390DEBF3DBF9377410DDA07D2F6795E32E0EE4E1FDC9D9C1539CD7AE212
    Session-ID-ctx:
    Master-Key: 16DE4CDDA2167BD8157406E3D95062DF37EE69409961E6A8F549EA0D16939800C9A402ECE052BC2907C57591EA3FC17E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8d e3 93 fb dd 5d d5 d1-5a 88 14 72 5d 70 6e f1   .....]..Z..r]pn.
    0010 - 25 c3 4c af 6e 51 66 af-fb b4 08 09 47 2c bd 4d   %.L.nQf.....G,.M
    0020 - 7c 79 71 66 35 bb b9 30-ff 29 61 41 12 46 bb e6   |yqf5..0.)aA.F..
    0030 - d4 ea d9 86 b3 59 75 dc-ad 2c 27 19 87 33 97 e4   .....Yu..,'..3..
    0040 - bc 9c 1d 0b 02 96 1f 96-1b ef 4c d7 ab f6 32 b2   ..........L...2.
    0050 - cc 1e fc 85 28 70 c1 bd-2f 94 aa df 9e 80 e3 6e   ....(p../......n
    0060 - 52 9d 89 5e ac 52 df 8e-16 8a 25 33 37 56 1f e0   R..^.R....%37V..
    0070 - cc 24 c9 f2 e9 69 5d 14-15 56 22 c2 ae c4 8b 1f   .$...i]..V".....
    0080 - 09 4e 1c 1a 43 c1 27 38-35 77 21 db 8e d2 b4 26   .N..C.'85w!....&
    0090 - d3 1e f0 bd f8 42 58 6e-7b b3 0f ef 55 58 1d 6c   .....BXn{...UX.l

    Start Time: 1416583205
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
welcome!

Rog

Nov 22, 2014, 5:20:57 PM
to nod...@googlegroups.com
All,

I changed the port to 56900.
openssl s_client -connect sample.whataremindsfor.com:56900


Rog

Nov 22, 2014, 6:38:15 PM
to nod...@googlegroups.com
Ok.  I figured it out.  
There are a few things wrong with the instructions from everyone that I have seen give out node examples for public CA-signed certs.

Again this is for NetworkSolutions as a CA provider.  This is as a server CA and NOT a client CA.  There is no dual-CA authentication, only the single side from the server.

The notes for adding the CA public certs are confusing, because the CA is not the CA attribute in the options.  It is the cert attribute.

Symptoms for this are that no matter what you do the same error appears, and you can authenticate it if you use your creds as a part of the call:
openssl s_client -CAfile 4_CRTs_Sample_DVServ_DVUser_AddT.crt  -connect sample.whataremindsfor.com:56900



Step 1:  If you have several crts, cat them all together using your fully-qualified domain first.
cat SAMPLE.WHATAREMINDSFOR.COM.crt DV_NetworkSolutionsDVServerCA2.crt DV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > 4_CRTs_Sample_DVServ_DVUser_AddT.crt

Step 2:  Ensure that after you cat the files together the beginning and end tags are on different lines.
NO:  
-----BEGIN CERTIFICATE----------END CERTIFICATE-----

YES:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Step 3:  Don't use the 'ca' attribute for server side CA.  Only use the 'cert' attribute.
var secure_fs = require('fs');

var secure_options = {
   // private key matching the server certificate
   key:  secure_fs.readFileSync('PATH/sample.whataremindsfor.com.key', 'utf8'),
   // server certificate first, followed by the CA certificates that chain it;
   // this whole bundle is what gets sent to clients during the handshake
   cert: secure_fs.readFileSync('PATH/4_CRTs_Sample_DVServ_DVUser_AddT.crt', 'utf8')
};
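The three steps above, and the diagnosis from the first post's s_client output, worked through as an added example that is not part of this thread: a POSIX shell script that builds the bundle the way Step 1 and Step 2 describe (server certificate first, every BEGIN/END marker on its own line, tolerant of .crt files that lack a trailing newline or use CRLF line endings), checks the bundle offline with openssl verify, and probes the running server while trusting only the root CA, so that a server which omits its intermediate fails with the same "Verify return code: 21" seen in the first post instead of being masked by handing the whole bundle to -CAfile. The file names (SAMPLE.WHATAREMINDSFOR.COM.crt, DV_NetworkSolutionsDVServerCA2.crt, DV_USERTrustRSACertificationAuthority.crt, AddTrustExternalCARoot.crt), the host and the port are taken from the thread and are assumptions; nothing else in the script is the poster's code.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the PEM bundle that Node's
# `cert` option expects (server certificate first, then the intermediates),
# repairs the "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" gluing that
# `cat` produces when a .crt file has no trailing newline, and checks the
# result with openssl. File names in the usage comments are assumptions taken
# from the thread; the functions work on any PEM files.

# make_bundle OUT LEAF [INTERMEDIATE ...]
# Concatenates PEM files in chain order. awk re-emits every line with a
# newline (so a file whose last line lacks one no longer glues onto the next
# file), strips CR from CRLF files, drops blank lines, and splits markers
# that were already glued together in the input.
make_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        awk '
            { sub(/\r$/, "") }
            NF == 0 { next }
            { gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
                   "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----") }
            { print }
        ' "$f" >> "$out"
    done
}

# count_certs FILE : number of certificates, counting only BEGIN markers that
# occupy a whole line, so a glued marker is not counted.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# check_bundle FILE : succeeds only if every BEGIN has a matching END, no two
# markers share a line, and the file ends with a newline (what OpenSSL's PEM
# reader, and therefore Node, need in order to parse every block).
check_bundle() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    if grep -q 'CERTIFICATE-----.*-----BEGIN' "$1"; then return 1; fi
    [ -z "$(tail -c 1 "$1")" ]   # empty only when the last byte is a newline
}

# leaf_first FILE FQDN : succeeds if the first certificate in FILE is issued to
# FQDN. The first PEM block is used as the server certificate and the rest are
# sent as the chain, so the order matters. Needs openssl.
leaf_first() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1" \
        | openssl x509 -noout -subject | grep -q "CN *= *$2"
}

# verify_chain ROOT INTERMEDIATES LEAF : offline check that LEAF chains up to
# ROOT through INTERMEDIATES, i.e. the same validation a client performs.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# chain_summary : reads `openssl s_client` output on stdin, prints each
# certificate the server actually sent plus the final verify result, and
# succeeds only when the verify code is 0.
chain_summary() {
    awk '
        BEGIN { code = "none" }
        /^Certificate chain/ { inchain = 1; next }
        inchain && /^---/ { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { sent++; print }
        /Verify return code:/ { print; code = $4 }
        END {
            printf "certificates sent: %d, verify code: %s\n", sent, code
            exit ((code == "0") ? 0 : 1)
        }
    '
}

# probe HOST PORT ROOT : handshake with the live server while trusting only
# the root CA. A server that omits its intermediate then fails with
# "Verify return code: 21", which is what a client holding only the root
# sees; passing the whole bundle via -CAfile would hide that.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
        | chain_summary
}

# Usage (file names, host and port from the thread, assumed):
#   sh bundle.sh build 4_CRTs_Sample_DVServ_DVUser_AddT.crt \
#       SAMPLE.WHATAREMINDSFOR.COM.crt DV_NetworkSolutionsDVServerCA2.crt \
#       DV_USERTrustRSACertificationAuthority.crt
#   sh bundle.sh verify AddTrustExternalCARoot.crt intermediates.pem SAMPLE.WHATAREMINDSFOR.COM.crt
#   sh bundle.sh probe sample.whataremindsfor.com 56900 AddTrustExternalCARoot.crt
case "${1:-}" in
    build)  shift; make_bundle "$@" && check_bundle "$1" && echo "ok: $(count_certs "$1") certificates in $1" ;;
    verify) shift; verify_chain "$@" ;;
    probe)  shift; probe "$@" ;;
esac
```

Two points the probe is built around: `-CAfile` with the full four-certificate bundle, as in the second s_client command in the post, makes s_client trust the intermediate directly, so it reports ok even when the server never sends it, while a client that only holds the AddTrust root would still fail; trusting only the root reproduces what such clients see. And the root itself does not need to be in `cert`: a client that does not already trust it rejects the chain regardless, so sending it only adds bytes to every handshake. Leaving it in, as the post does, is harmless.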


