Problem:
I recently tried to use LetsEncrypt to set up custom certificates, but I am running into problems. I issued the certificate from letsencrypt and I have my Cert/Key and CA Cert. When I tried to install, the check seemed to fail checking the CA Bundle against the certificate file. Both were provided by Letsencrypt. What am I missing?
# katello-certs-check -t foreman -c server.mydomain.com.cer -k server.mydomain.com.key -b fullchain.cer
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[FAIL]
The /root/.acme.sh/server.mydomain.com/fullchain.cer does not verify the /root/.acme.sh/server.mydomain.com/server.mydomain.com.cer
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 2 at 2 depth lookup: unable to get issuer certificate
error /root/.acme.sh/server.mydomain.com/server.mydomain.com.cer: verification failed
Checking CA bundle size: 3
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
Expected outcome:
I expect the check to pass as everything was provided by the certificate creation process. Not sure what I am missing here.
Foreman and Proxy versions:
foreman-3.1.2
katello-4.3.0
As the error message says, your chain file does not contain all necessary files for the chain, including the root. In your case, it seems to be missing the issuer ca certificate for “USERTrust RSA Certification Authority”. Although that’s odd if you are using letsencrypt because I think letsencrypt doesn’t use USERTrust. Are you sure you have set up to obtain the certificate from letsencrypt?
Yes, it’s using letsencrypt. I used certbot to obtain the certificate and the logfile indicates it’s connecting to https://acme-v02.api.letsencrypt.org. I tried using the acme.sh script as well and got the same results.
If you are using certbot, how does the certificate get into /root/.acme.sh/ ? Doesn’t look like the standard certbot/letsencrypt paths in /etc/letsencrypt… Is it possible you are using acme.sh and certbot obtaining certificates from different sources?
View the whole content of /root/.acme.sh/server.mydomain.com/fullchain.cer and copy&paste each BEGIN/END CERTIFICATE block into openssl to see the issuer and subject of each chain cert…
Sorry, I used acme.sh initially but thought it might be related to the script. So I switched over to certbot as I saw more examples with regard to that. So my initial paste of the failed check was against the acme.sh script; however, when I switched over I got the same response with the certbot certificates [just different path]. I did the checks you suggested and all come back as Lets Encrypt:
So it is showing that it’s set up with Lets Encrypt. I can only think that the CA bundle in the fullchain.pem [or .cer file for the acme.sh] isn’t being read correctly for the CA bundle. I was under the impression that the fullchain.pem included the intermediate certificate. Do I need to provide another certificate to validate this?
Also here is the output from the certbot certificates:
# katello-certs-check -c fullchain.pem -k privkey.pem -b fullchain.pem
Checking server certificate encoding:
[OK]
Checking expiration of certificate:
[OK]
Checking expiration of CA bundle:
[OK]
Checking if server certificate has CA:TRUE flag
[OK]
Checking for private key passphrase:
[OK]
Checking to see if the private key matches the certificate:
[OK]
Checking CA bundle against the certificate file:
[FAIL]
The /etc/letsencrypt/archive/server.mydomain.com/fullchain1.pem does not verify the /etc/letsencrypt/archive/server.mydomain.com/fullchain1.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /etc/letsencrypt/archive/server.mydomain.com/fullchain1.pem: verification failed
Checking CA bundle size: 3
[OK]
Checking Subject Alt Name on certificate
[OK]
Checking if any Subject Alt Name on certificate matches the Subject CN
[OK]
Checking Key Usage extension on certificate for Key Encipherment
[OK]
Checking for use of shortname as CN
[OK]
OK weird. I am still getting the failure when I run the katello-certs-check but I ran the foreman-installer again and it seems to be working. Certs installed and site is now running secure. Not sure what’s different but I’ll take it.
You didn’t do it right. My first two commands were for the server certificate, not the fullchain file.
For the second part, where you have to copy&paste each block from the fullchain file, you also didn’t seem to do it right. It seems like you only copied the first certificate from the chain each time. Each certificate in the fullchain file should be different, starting with the server certificate itself…
On a sidenote: don’t invent fake domain names which properly belong to someone else. Always use example.com or example.org instead, which are reserved for this purpose…
I think you should use the /etc/letsencrypt/live path to access the current certs and chains. For -b you should properly use the chain.pem and not fullchain.pem because the latter includes the server cert. chain.pem is really only the chain.
For letsencrypt, if you check the certs in fullchain.pem it should look something like this:
Now that looks like you have not installed the trusted root CA from your distribution, or you have configured your system or environment not to use the default root CA certs.
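As an added example (not code from the thread, from Foreman/Katello or from certbot/acme.sh): the script below builds a throwaway root, intermediate and server certificate with openssl, lists the subject and issuer of each block in the resulting fullchain.pem the way the reply above asks for, and shows that verifying against the chain alone fails with "unable to get issuer certificate" while verifying against the root plus the chain succeeds. It assumes openssl is installed; every name and path in it is made up.

```shell
# Constructed example: root -> intermediate -> server chain in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root (plays the role of the distro-trusted root CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
# Intermediate signed by the root, marked as a CA.
printf 'basicConstraints=CA:TRUE\n' > "$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
# Server (leaf) certificate signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.com\n' > "$WORK/leaf.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Same layout certbot/acme.sh produce: fullchain = server cert + intermediates, chain = intermediates only.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
cp "$WORK/int.pem" "$WORK/chain.pem"

# count_certs FILE: number of BEGIN CERTIFICATE blocks in a PEM bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# list_chain FILE: split the bundle into blocks and print subject/issuer of each one.
list_chain() {
    awk -v d="$WORK" '/BEGIN CERTIFICATE/{n++} {print > (d "/block" n ".pem")}' "$1"
    for b in "$WORK"/block*.pem; do
        openssl x509 -in "$b" -noout -subject -issuer
    done
    rm -f "$WORK"/block*.pem
}

# verify_leaf TRUSTED UNTRUSTED LEAF: exit 0 if LEAF chains via UNTRUSTED to a cert in TRUSTED.
verify_leaf() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

list_chain "$WORK/fullchain.pem"
# Trusting only the chain (no self-signed root) reproduces the katello-certs-check failure.
verify_leaf "$WORK/chain.pem" "$WORK/chain.pem" "$WORK/leaf.pem" && echo "chain alone: OK" \
    || echo "chain alone: unable to get issuer certificate (root is not trusted)"
# Adding the root as the trust anchor makes the same leaf and chain verify.
verify_leaf "$WORK/root.pem" "$WORK/chain.pem" "$WORK/leaf.pem" && echo "root + chain: OK" \
    || echo "root + chain: FAILED"
```

On a real system the root comes from the distribution trust store (openssl's default -CApath), so passing chain.pem as -b and leaving the system roots in place is what makes the check pass.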
Yeah, I realized this afterwards. The system is registered to my FreeIPA server, which is likely what caused the issue. After running the foreman-installer though, my letsencrypt certs were used and now I can access it via HTTPS without that stinky insecure lock! Thanks for your guidance though. Now to deal with the other certificate issue with my release.gpg signing for ubuntu repository sync.