how to make Gnu/Linux trust a certificate that's trusted by Windows out-of-the-box?
There is a server with a broken SSL chain, as reported by this SSL check:
I know this is a problem that should be solved on the server itself, but sometimes this is hard to have fixed (I'm not the admin of the server).
The thing is, that Chrome/Mozilla/Edge on Windows trust the site certificate anyway:
However, in a Gnu/Linux deployment (Ubuntu 18.04 in Docker) the certificate is not trusted:
curl: (60) SSL certificate problem: unable to get local issuer certificate
I tried update-ca-certificates and even imported the Globalsign Root certificate. update-ca-certificates reported a duplicate certificate in that case. Anyway, nothing works.
How to reproduce
Using Docker:
docker run -it ubuntu:18.04
# within container:
apt-get update
apt-get -y install curl
curl https://betriebsheft.vog.it # <---- "unable to get local issuer certificate"
How can I make Gnu/Linux trust this certificate?
PS: The same certificate is deployed correctly on another server.
curl openssl ssl certificates
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
|
show 9 more comments
There is a server with a broken SSL chain, as reported by this SSL check:
I know this is a problem that should be solved on the server itself, but sometimes this is hard to have fixed (I'm not the admin of the server).
The thing is, that Chrome/Mozilla/Edge on Windows trust the site certificate anyway:
However, in a Gnu/Linux deployment (Ubuntu 18.04 in Docker) the certificate is not trusted:
curl: (60) SSL certificate problem: unable to get local issuer certificate
I tried update-ca-certificates and even imported the Globalsign Root certificate. update-ca-certificates reported a duplicate certificate in that case. Anyway, nothing works.
How to reproduce
Using Docker:
docker run -it ubuntu:18.04
# within container:
apt-get update
apt-get -y install curl
curl https://betriebsheft.vog.it # <---- "unable to get local issuer certificate"
How can I make Gnu/Linux trust this certificate?
PS: The same certificate is deployed correctly on another server.
curl openssl ssl certificates
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
why the downvote?
– Udo G
Dec 23 '18 at 14:49
1
I'm voting to close this question as off-topic because the OP is asking something he can't influence himself. He said he can't modify anything server-side, so this probably belongs to superuser I think, as it describes a problem having no solution client-side.
– Vlastimil
Dec 23 '18 at 14:51
2
I am specifically asking for a client-side solution. I can't influence the server, but I have full control over the client O/S (Ubuntu) and I want this specific O/S installation to trust the certificate just like other O/S (Windows) do. It's not about fixing the HTTPS site for others.
– Udo G
Dec 23 '18 at 14:54
1
The question is about using/administering a *nix system and applications packaged therein
– Udo G
Dec 23 '18 at 15:01
1
You don't control the server, but you still can report the problem to the person who does control the server.
– Michael Hampton
Dec 23 '18 at 17:09
|
show 9 more comments
There is a server with a broken SSL chain, as reported by this SSL check:
I know this is a problem that should be solved on the server itself, but sometimes this is hard to have fixed (I'm not the admin of the server).
The thing is, that Chrome/Mozilla/Edge on Windows trust the site certificate anyway:
However, in a Gnu/Linux deployment (Ubuntu 18.04 in Docker) the certificate is not trusted:
curl: (60) SSL certificate problem: unable to get local issuer certificate
I tried update-ca-certificates and even imported the Globalsign Root certificate. update-ca-certificates reported a duplicate certificate in that case. Anyway, nothing works.
How to reproduce
Using Docker:
docker run -it ubuntu:18.04
# within container:
apt-get update
apt-get -y install curl
curl https://betriebsheft.vog.it # <---- "unable to get local issuer certificate"
How can I make Gnu/Linux trust this certificate?
PS: The same certificate is deployed correctly on another server.
curl openssl ssl certificates
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
There is a server with a broken SSL chain, as reported by this SSL check:
I know this is a problem that should be solved on the server itself, but sometimes this is hard to have fixed (I'm not the admin of the server).
The thing is, that Chrome/Mozilla/Edge on Windows trust the site certificate anyway:
However, in a Gnu/Linux deployment (Ubuntu 18.04 in Docker) the certificate is not trusted:
curl: (60) SSL certificate problem: unable to get local issuer certificate
I tried update-ca-certificates and even imported the Globalsign Root certificate. update-ca-certificates reported a duplicate certificate in that case. Anyway, nothing works.
How to reproduce
Using Docker:
docker run -it ubuntu:18.04
# within container:
apt-get update
apt-get -y install curl
curl https://betriebsheft.vog.it # <---- "unable to get local issuer certificate"
How can I make Gnu/Linux trust this certificate?
PS: The same certificate is deployed correctly on another server.
curl openssl ssl certificates
curl openssl ssl certificates
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
edited Dec 23 '18 at 16:49
ctrl-alt-delor
11.1k42058
11.1k42058
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
asked Dec 23 '18 at 14:09
Udo GUdo G
5282525
5282525
why the downvote?
– Udo G
Dec 23 '18 at 14:49
1
I'm voting to close this question as off-topic because the OP is asking something he can't influence himself. He said he can't modify anything server-side, so this probably belongs to superuser I think, as it describes a problem having no solution client-side.
– Vlastimil
Dec 23 '18 at 14:51
2
I am specifically asking for a client-side solution. I can't influence the server, but I have full control over the client O/S (Ubuntu) and I want this specific O/S installation to trust the certificate just like other O/S (Windows) do. It's not about fixing the HTTPS site for others.
– Udo G
Dec 23 '18 at 14:54
1
The question is about using/administering a *nix system and applications packaged therein
– Udo G
Dec 23 '18 at 15:01
1
You don't control the server, but you still can report the problem to the person who does control the server.
– Michael Hampton
Dec 23 '18 at 17:09
|
show 9 more comments
why the downvote?
– Udo G
Dec 23 '18 at 14:49
1
I'm voting to close this question as off-topic because the OP is asking something he can't influence himself. He said he can't modify anything server-side, so this probably belongs to superuser I think, as it describes a problem having no solution client-side.
– Vlastimil
Dec 23 '18 at 14:51
2
I am specifically asking for a client-side solution. I can't influence the server, but I have full control over the client O/S (Ubuntu) and I want this specific O/S installation to trust the certificate just like other O/S (Windows) do. It's not about fixing the HTTPS site for others.
– Udo G
Dec 23 '18 at 14:54
1
The question is about using/administering a *nix system and applications packaged therein
– Udo G
Dec 23 '18 at 15:01
1
You don't control the server, but you still can report the problem to the person who does control the server.
– Michael Hampton
Dec 23 '18 at 17:09
why the downvote?
– Udo G
Dec 23 '18 at 14:49
why the downvote?
– Udo G
Dec 23 '18 at 14:49
1
1
I'm voting to close this question as off-topic because the OP is asking something he can't influence himself. He said he can't modify anything server-side, so this probably belongs to superuser I think, as it describes a problem having no solution client-side.
– Vlastimil
Dec 23 '18 at 14:51
I'm voting to close this question as off-topic because the OP is asking something he can't influence himself. He said he can't modify anything server-side, so this probably belongs to superuser I think, as it describes a problem having no solution client-side.
– Vlastimil
Dec 23 '18 at 14:51
2
2
I am specifically asking for a client-side solution. I can't influence the server, but I have full control over the client O/S (Ubuntu) and I want this specific O/S installation to trust the certificate just like other O/S (Windows) do. It's not about fixing the HTTPS site for others.
– Udo G
Dec 23 '18 at 14:54
I am specifically asking for a client-side solution. I can't influence the server, but I have full control over the client O/S (Ubuntu) and I want this specific O/S installation to trust the certificate just like other O/S (Windows) do. It's not about fixing the HTTPS site for others.
– Udo G
Dec 23 '18 at 14:54
1
1
The question is about using/administering a *nix system and applications packaged therein
– Udo G
Dec 23 '18 at 15:01
The question is about using/administering a *nix system and applications packaged therein
– Udo G
Dec 23 '18 at 15:01
1
1
You don't control the server, but you still can report the problem to the person who does control the server.
– Michael Hampton
Dec 23 '18 at 17:09
You don't control the server, but you still can report the problem to the person who does control the server.
– Michael Hampton
Dec 23 '18 at 17:09
|
show 9 more comments
1 Answer
1
active
oldest
votes
The real fix for this is to ensure that your server presents all certificates in the chain and not just the end-entity (server) certificate.
Point your server administrator to RFC 5246 Section 7.4.2 which clearly states that This message conveys the server's certificate chain to the client.
If your admin refuses/can't do this for some reason, your alternative option is to try and get curl to work with the malformed handshake.
According to a message on the Curl mailing list:
Can someone confirm if cURL supports (or not) intermediate certificate?
Yes it does.
All ca certificates have a certificate chain going up to the root. The ca
bundle you use with curl needs to consist of the certs for the entire chain.
/ daniel.haxx.se
You should be able to add the Root CA and all intermediates certificates to a bundle and point curl to it using the --cacert <file> option.
As your browsers work, you can access the correct CA certificates from there. On the certificates tab (different for each browser, but I'm sure you'll figure that one out), view the certificate chain. Double-click the Root CA first Globalsign Root CA - G1 and on the Details tab, click on Copy to file.... Save it as root.cer. Do the same with the AlphaSSL CA - SHA256 - G2 and save it as issuing.cer. Join the two together in a single file (e.g. chain.cer) and use that as the argument to -cacert.
As kindly pointed out by @A.B. the missing certificate can also be found here.
Your browsers work because they cache CA certificates. If you've navigated to a correctly configured website at some point in the past, whose certificate was issued by the same CA as your server's certificate, it will be cached by the browser. When you subsequently visit your incorrectly configured site, your browser will use the CA certificates in its cache to build the chain. To you, it seems like everything is fine, although behind the scenes, the server is mis-configured.
Note that on Windows, IE/Edge and Chrome share the same cache, while Firefox uses its own.
In addition to the above, IE/Edge and Chrome (as they share the same crypto stack) will use an extension within certificates called the AuthorityInformationAccess. This has a caIssuer option which provides a URL from which the end-entity certificate's CA certificate can be downloaded. Therefore, even if one of these browsers hasn't cached the missing certificates from previous browsing, it can fetch it if required. Note that Firefox doesn't do this, which is why sometimes Firefox can show certificate errors when IE/Edge and Chrome seem to work.
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
1
It's not my server, so can't modify anything server-side. I tried to use the CA bundle from curl.haxx.se/docs/caextract.html (since Firefox trusts the certificate) and pass it using--cacert cacert.pembut CURL still does not accept the certificate.
– Udo G
Dec 23 '18 at 14:41
1
It is your server. Runecho q | openssl s_client -showcerts -connect betriebsheft.vog.it:443and you will see only one certificate being presented by your server. There should be two - the end-entity cert (which is presented) and the issuing CA - the Alpha SSL - SHA256 - G2 certificate. The latter isn't being sent by the server, but should.
– garethTheRed
Dec 23 '18 at 15:36
2
@garethTheRed : I understand that the server does not present all certificates, but the server is not under my control (that's what I meant with "not my server"). I'm just trying to access an API on an foreign server. Under Windows, none of my browsers complain about the certificate, only Linux/Debian/Ubuntu does.
– Udo G
Dec 23 '18 at 15:42
@A.B: thanks a lot! Installing all the root certificates from that page solved the issue. However, I'd like to understand why that manual step is necessary.
– Udo G
Dec 23 '18 at 15:50
2
The missing intermediate cert (as mentioned by @garethTheRed) can be found there: support.globalsign.com/customer/portal/articles/… . OP initially only tried to add the root cert which was probably already in place, thus achieving nothing.
– A.B
Dec 23 '18 at 16:17
|
show 4 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f490608%2fhow-to-make-gnu-linux-trust-a-certificate-thats-trusted-by-windows-out-of-the-b%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The real fix for this is to ensure that your server presents all certificates in the chain and not just the end-entity (server) certificate.
Point your server administrator to RFC 5246 Section 7.4.2 which clearly states that This message conveys the server's certificate chain to the client.
If your admin refuses/can't do this for some reason, your alternative option is to try and get curl to work with the malformed handshake.
According to a message on the Curl mailing list:
Can someone confirm if cURL supports (or not) intermediate certificate?
Yes it does.
All ca certificates have a certificate chain going up to the root. The ca
bundle you use with curl needs to consist of the certs for the entire chain.
/ daniel.haxx.se
You should be able to add the Root CA and all intermediates certificates to a bundle and point curl to it using the --cacert <file> option.
As your browsers work, you can access the correct CA certificates from there. On the certificates tab (different for each browser, but I'm sure you'll figure that one out), view the certificate chain. Double-click the Root CA first Globalsign Root CA - G1 and on the Details tab, click on Copy to file.... Save it as root.cer. Do the same with the AlphaSSL CA - SHA256 - G2 and save it as issuing.cer. Join the two together in a single file (e.g. chain.cer) and use that as the argument to -cacert.
As kindly pointed out by @A.B. the missing certificate can also be found here.
Your browsers work because they cache CA certificates. If you've navigated to a correctly configured website at some point in the past, whose certificate was issued by the same CA as your server's certificate, it will be cached by the browser. When you subsequently visit your incorrectly configured site, your browser will use the CA certificates in its cache to build the chain. To you, it seems like everything is fine, although behind the scenes, the server is mis-configured.
Note that on Windows, IE/Edge and Chrome share the same cache, while Firefox uses its own.
In addition to the above, IE/Edge and Chrome (as they share the same crypto stack) will use an extension within certificates called the AuthorityInformationAccess. This has a caIssuer option which provides a URL from which the end-entity certificate's CA certificate can be downloaded. Therefore, even if one of these browsers hasn't cached the missing certificates from previous browsing, it can fetch it if required. Note that Firefox doesn't do this, which is why sometimes Firefox can show certificate errors when IE/Edge and Chrome seem to work.
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
1
It's not my server, so can't modify anything server-side. I tried to use the CA bundle from curl.haxx.se/docs/caextract.html (since Firefox trusts the certificate) and pass it using--cacert cacert.pembut CURL still does not accept the certificate.
– Udo G
Dec 23 '18 at 14:41
1
It is your server. Runecho q | openssl s_client -showcerts -connect betriebsheft.vog.it:443and you will see only one certificate being presented by your server. There should be two - the end-entity cert (which is presented) and the issuing CA - the Alpha SSL - SHA256 - G2 certificate. The latter isn't being sent by the server, but should.
– garethTheRed
Dec 23 '18 at 15:36
2
@garethTheRed : I understand that the server does not present all certificates, but the server is not under my control (that's what I meant with "not my server"). I'm just trying to access an API on an foreign server. Under Windows, none of my browsers complain about the certificate, only Linux/Debian/Ubuntu does.
– Udo G
Dec 23 '18 at 15:42
@A.B: thanks a lot! Installing all the root certificates from that page solved the issue. However, I'd like to understand why that manual step is necessary.
– Udo G
Dec 23 '18 at 15:50
2
The missing intermediate cert (as mentioned by @garethTheRed) can be found there: support.globalsign.com/customer/portal/articles/… . OP initially only tried to add the root cert which was probably already in place, thus achieving nothing.
– A.B
Dec 23 '18 at 16:17
|
show 4 more comments
The real fix for this is to ensure that your server presents all certificates in the chain and not just the end-entity (server) certificate.
Point your server administrator to RFC 5246 Section 7.4.2 which clearly states that This message conveys the server's certificate chain to the client.
If your admin refuses/can't do this for some reason, your alternative option is to try and get curl to work with the malformed handshake.
According to a message on the Curl mailing list:
Can someone confirm if cURL supports (or not) intermediate certificate?
Yes it does.
All ca certificates have a certificate chain going up to the root. The ca
bundle you use with curl needs to consist of the certs for the entire chain.
/ daniel.haxx.se
You should be able to add the Root CA and all intermediates certificates to a bundle and point curl to it using the --cacert <file> option.
As your browsers work, you can access the correct CA certificates from there. On the certificates tab (different for each browser, but I'm sure you'll figure that one out), view the certificate chain. Double-click the Root CA first Globalsign Root CA - G1 and on the Details tab, click on Copy to file.... Save it as root.cer. Do the same with the AlphaSSL CA - SHA256 - G2 and save it as issuing.cer. Join the two together in a single file (e.g. chain.cer) and use that as the argument to -cacert.
As kindly pointed out by @A.B. the missing certificate can also be found here.
Your browsers work because they cache CA certificates. If you've navigated to a correctly configured website at some point in the past, whose certificate was issued by the same CA as your server's certificate, it will be cached by the browser. When you subsequently visit your incorrectly configured site, your browser will use the CA certificates in its cache to build the chain. To you, it seems like everything is fine, although behind the scenes, the server is mis-configured.
Note that on Windows, IE/Edge and Chrome share the same cache, while Firefox uses its own.
In addition to the above, IE/Edge and Chrome (as they share the same crypto stack) will use an extension within certificates called the AuthorityInformationAccess. This has a caIssuer option which provides a URL from which the end-entity certificate's CA certificate can be downloaded. Therefore, even if one of these browsers hasn't cached the missing certificates from previous browsing, it can fetch it if required. Note that Firefox doesn't do this, which is why sometimes Firefox can show certificate errors when IE/Edge and Chrome seem to work.
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
1
It's not my server, so can't modify anything server-side. I tried to use the CA bundle from curl.haxx.se/docs/caextract.html (since Firefox trusts the certificate) and pass it using--cacert cacert.pembut CURL still does not accept the certificate.
– Udo G
Dec 23 '18 at 14:41
1
It is your server. Runecho q | openssl s_client -showcerts -connect betriebsheft.vog.it:443and you will see only one certificate being presented by your server. There should be two - the end-entity cert (which is presented) and the issuing CA - the Alpha SSL - SHA256 - G2 certificate. The latter isn't being sent by the server, but should.
– garethTheRed
Dec 23 '18 at 15:36
2
@garethTheRed : I understand that the server does not present all certificates, but the server is not under my control (that's what I meant with "not my server"). I'm just trying to access an API on an foreign server. Under Windows, none of my browsers complain about the certificate, only Linux/Debian/Ubuntu does.
– Udo G
Dec 23 '18 at 15:42
@A.B: thanks a lot! Installing all the root certificates from that page solved the issue. However, I'd like to understand why that manual step is necessary.
– Udo G
Dec 23 '18 at 15:50
2
The missing intermediate cert (as mentioned by @garethTheRed) can be found there: support.globalsign.com/customer/portal/articles/… . OP initially only tried to add the root cert which was probably already in place, thus achieving nothing.
– A.B
Dec 23 '18 at 16:17
|
show 4 more comments
The real fix for this is to ensure that your server presents all certificates in the chain and not just the end-entity (server) certificate.
Point your server administrator to RFC 5246 Section 7.4.2 which clearly states that This message conveys the server's certificate chain to the client.
If your admin refuses/can't do this for some reason, your alternative option is to try and get curl to work with the malformed handshake.
According to a message on the Curl mailing list:
Can someone confirm if cURL supports (or not) intermediate certificate?
Yes it does.
All ca certificates have a certificate chain going up to the root. The ca
bundle you use with curl needs to consist of the certs for the entire chain.
/ daniel.haxx.se
You should be able to add the Root CA and all intermediates certificates to a bundle and point curl to it using the --cacert <file> option.
As your browsers work, you can access the correct CA certificates from there. On the certificates tab (different for each browser, but I'm sure you'll figure that one out), view the certificate chain. Double-click the Root CA first Globalsign Root CA - G1 and on the Details tab, click on Copy to file.... Save it as root.cer. Do the same with the AlphaSSL CA - SHA256 - G2 and save it as issuing.cer. Join the two together in a single file (e.g. chain.cer) and use that as the argument to -cacert.
As kindly pointed out by @A.B. the missing certificate can also be found here.
Your browsers work because they cache CA certificates. If you've navigated to a correctly configured website at some point in the past, whose certificate was issued by the same CA as your server's certificate, it will be cached by the browser. When you subsequently visit your incorrectly configured site, your browser will use the CA certificates in its cache to build the chain. To you, it seems like everything is fine, although behind the scenes, the server is mis-configured.
Note that on Windows, IE/Edge and Chrome share the same cache, while Firefox uses its own.
In addition to the above, IE/Edge and Chrome (as they share the same crypto stack) will use an extension within certificates called the AuthorityInformationAccess. This has a caIssuer option which provides a URL from which the end-entity certificate's CA certificate can be downloaded. Therefore, even if one of these browsers hasn't cached the missing certificates from previous browsing, it can fetch it if required. Note that Firefox doesn't do this, which is why sometimes Firefox can show certificate errors when IE/Edge and Chrome seem to work.
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
The real fix for this is to ensure that your server presents all certificates in the chain and not just the end-entity (server) certificate.
Point your server administrator to RFC 5246 Section 7.4.2 which clearly states that This message conveys the server's certificate chain to the client.
If your admin refuses/can't do this for some reason, your alternative option is to try and get curl to work with the malformed handshake.
According to a message on the Curl mailing list:
Can someone confirm if cURL supports (or not) intermediate certificate?
Yes it does.
All ca certificates have a certificate chain going up to the root. The ca
bundle you use with curl needs to consist of the certs for the entire chain.
/ daniel.haxx.se
You should be able to add the Root CA and all intermediates certificates to a bundle and point curl to it using the --cacert <file> option.
As your browsers work, you can access the correct CA certificates from there. On the certificates tab (different for each browser, but I'm sure you'll figure that one out), view the certificate chain. Double-click the Root CA first Globalsign Root CA - G1 and on the Details tab, click on Copy to file.... Save it as root.cer. Do the same with the AlphaSSL CA - SHA256 - G2 and save it as issuing.cer. Join the two together in a single file (e.g. chain.cer) and use that as the argument to -cacert.
As kindly pointed out by @A.B. the missing certificate can also be found here.
Your browsers work because they cache CA certificates. If you've navigated to a correctly configured website at some point in the past, whose certificate was issued by the same CA as your server's certificate, it will be cached by the browser. When you subsequently visit your incorrectly configured site, your browser will use the CA certificates in its cache to build the chain. To you, it seems like everything is fine, although behind the scenes, the server is mis-configured.
Note that on Windows, IE/Edge and Chrome share the same cache, while Firefox uses its own.
In addition to the above, IE/Edge and Chrome (as they share the same crypto stack) will use an extension within certificates called the AuthorityInformationAccess. This has a caIssuer option which provides a URL from which the end-entity certificate's CA certificate can be downloaded. Therefore, even if one of these browsers hasn't cached the missing certificates from previous browsing, it can fetch it if required. Note that Firefox doesn't do this, which is why sometimes Firefox can show certificate errors when IE/Edge and Chrome seem to work.
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
edited Dec 23 '18 at 21:00
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
answered Dec 23 '18 at 14:34
garethTheRedgarethTheRed
24.3k36280
24.3k36280
1
It's not my server, so can't modify anything server-side. I tried to use the CA bundle from curl.haxx.se/docs/caextract.html (since Firefox trusts the certificate) and pass it using--cacert cacert.pembut CURL still does not accept the certificate.
– Udo G
Dec 23 '18 at 14:41
1
It is your server. Runecho q | openssl s_client -showcerts -connect betriebsheft.vog.it:443and you will see only one certificate being presented by your server. There should be two - the end-entity cert (which is presented) and the issuing CA - the Alpha SSL - SHA256 - G2 certificate. The latter isn't being sent by the server, but should.
– garethTheRed
Dec 23 '18 at 15:36
2
@garethTheRed : I understand that the server does not present all certificates, but the server is not under my control (that's what I meant with "not my server"). I'm just trying to access an API on an foreign server. Under Windows, none of my browsers complain about the certificate, only Linux/Debian/Ubuntu does.
– Udo G
Dec 23 '18 at 15:42
@A.B: thanks a lot! Installing all the root certificates from that page solved the issue. However, I'd like to understand why that manual step is necessary.
– Udo G
Dec 23 '18 at 15:50
2
The missing intermediate cert (as mentioned by @garethTheRed) can be found there: support.globalsign.com/customer/portal/articles/… . OP initially only tried to add the root cert which was probably already in place, thus achieving nothing.
– A.B
Dec 23 '18 at 16:17
|
show 4 more comments
1
It's not my server, so can't modify anything server-side. I tried to use the CA bundle from curl.haxx.se/docs/caextract.html (since Firefox trusts the certificate) and pass it using--cacert cacert.pembut CURL still does not accept the certificate.
– Udo G
Dec 23 '18 at 14:41
1
It is your server. Runecho q | openssl s_client -showcerts -connect betriebsheft.vog.it:443and you will see only one certificate being presented by your server. There should be two - the end-entity cert (which is presented) and the issuing CA - the Alpha SSL - SHA256 - G2 certificate. The latter isn't being sent by the server, but should.
– garethTheRed
Dec 23 '18 at 15:36
2
@garethTheRed : I understand that the server does not present all certificates, but the server is not under my control (that's what I meant with "not my server"). I'm just trying to access an API on an foreign server. Under Windows, none of my browsers complain about the certificate, only Linux/Debian/Ubuntu does.
– Udo G
Dec 23 '18 at 15:42
@A.B: thanks a lot! Installing all the root certificates from that page solved the issue. However, I'd like to understand why that manual step is necessary.
– Udo G
Dec 23 '18 at 15:50
2
The missing intermediate cert (as mentioned by @garethTheRed) can be found there: support.globalsign.com/customer/portal/articles/… . OP initially only tried to add the root cert which was probably already in place, thus achieving nothing.
– A.B
Dec 23 '18 at 16:17
1
1
It's not my server, so can't modify anything server-side. I tried to use the CA bundle from curl.haxx.se/docs/caextract.html (since Firefox trusts the certificate) and pass it using
--cacert cacert.pem but CURL still does not accept the certificate.– Udo G
Dec 23 '18 at 14:41
It's not my server, so can't modify anything server-side. I tried to use the CA bundle from curl.haxx.se/docs/caextract.html (since Firefox trusts the certificate) and pass it using
--cacert cacert.pem but CURL still does not accept the certificate.– Udo G
Dec 23 '18 at 14:41
1
1
It is your server. Run
echo q | openssl s_client -showcerts -connect betriebsheft.vog.it:443 and you will see only one certificate being presented by your server. There should be two - the end-entity cert (which is presented) and the issuing CA - the Alpha SSL - SHA256 - G2 certificate. The latter isn't being sent by the server, but should.– garethTheRed
Dec 23 '18 at 15:36
It is your server. Run
echo q | openssl s_client -showcerts -connect betriebsheft.vog.it:443 and you will see only one certificate being presented by your server. There should be two - the end-entity cert (which is presented) and the issuing CA - the Alpha SSL - SHA256 - G2 certificate. The latter isn't being sent by the server, but should.– garethTheRed
Dec 23 '18 at 15:36
2
2
@garethTheRed : I understand that the server does not present all certificates, but the server is not under my control (that's what I meant with "not my server"). I'm just trying to access an API on an foreign server. Under Windows, none of my browsers complain about the certificate, only Linux/Debian/Ubuntu does.
– Udo G
Dec 23 '18 at 15:42
@garethTheRed : I understand that the server does not present all certificates, but the server is not under my control (that's what I meant with "not my server"). I'm just trying to access an API on an foreign server. Under Windows, none of my browsers complain about the certificate, only Linux/Debian/Ubuntu does.
– Udo G
Dec 23 '18 at 15:42
@A.B: thanks a lot! Installing all the root certificates from that page solved the issue. However, I'd like to understand why that manual step is necessary.
– Udo G
Dec 23 '18 at 15:50
@A.B: thanks a lot! Installing all the root certificates from that page solved the issue. However, I'd like to understand why that manual step is necessary.
– Udo G
Dec 23 '18 at 15:50
2
2
The missing intermediate cert (as mentioned by @garethTheRed) can be found there: support.globalsign.com/customer/portal/articles/… . OP initially only tried to add the root cert which was probably already in place, thus achieving nothing.
– A.B
Dec 23 '18 at 16:17
The missing intermediate cert (as mentioned by @garethTheRed) can be found there: support.globalsign.com/customer/portal/articles/… . OP initially only tried to add the root cert which was probably already in place, thus achieving nothing.
– A.B
Dec 23 '18 at 16:17
|
show 4 more comments
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f490608%2fhow-to-make-gnu-linux-trust-a-certificate-thats-trusted-by-windows-out-of-the-b%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
why the downvote?
– Udo G
Dec 23 '18 at 14:49
1
I'm voting to close this question as off-topic because the OP is asking something he can't influence himself. He said he can't modify anything server-side, so this probably belongs to superuser I think, as it describes a problem having no solution client-side.
– Vlastimil
Dec 23 '18 at 14:51
2
I am specifically asking for a client-side solution. I can't influence the server, but I have full control over the client O/S (Ubuntu) and I want this specific O/S installation to trust the certificate just like other O/S (Windows) do. It's not about fixing the HTTPS site for others.
– Udo G
Dec 23 '18 at 14:54
1
The question is about using/administering a *nix system and applications packaged therein
– Udo G
Dec 23 '18 at 15:01
1
You don't control the server, but you still can report the problem to the person who does control the server.
– Michael Hampton
Dec 23 '18 at 17:09