Thin Rails server / eventmachine on Windows does not work with user certificate

After building my own SSL-enabled eventmachine / thin on Windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) I have one more problem with the SSL certificate: thin works when I use the built-in self-signed certificate, but it doesn't answer any request when using a corporate certificate.

Here is how I obtained the certificate:

  1. I created a private key with puttygen (ssl-private.key)
  2. I created a CSR using the following command:

    openssl req -out ssl.csr -key ssl-private.key -new

  3. I sent the CSR to the CA and received a P7B file
  4. I converted the P7B using the following command:

    openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt

What could go wrong here?


What I checked:

openssl rsa -in ssl-private.key -check

says "RSA key ok"

openssl x509 -in cert.crt -text -noout

says

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: ***
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: ***
            Validity
                Not Before: Feb 16 08:47:25 2004 GMT
                Not After : Feb 16 08:55:36 2024 GMT
            Subject: ***
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: ***
                    Exponent: 3 (0x3)
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Subject Key Identifier: ***
                1.3.6.1.4.1.311.21.1: ...
        Signature Algorithm: sha1WithRSAEncryption
            ***

while the same check on a self-signed certificate created with

    openssl genrsa -des3 -out server.orig.key 2048
    openssl rsa -in server.orig.key -out server.key
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

says

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: ***
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
            Validity
                Not Before: Jun 24 14:42:07 2015 GMT
                Not After : Jun 23 14:42:07 2016 GMT
            Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: ***
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
            ***

OK, some change: I changed the order of the certs in the crt file so that the final cert is first instead of last, and the result is different: Chrome now throws the NET::ERR_CERT_INVALID error, similar to IE, and neither one gets any further.

openssl s_client output (looks fine, *** Root CA 1 is trusted by Windows):

    Loading 'screen' into random state - done
    CONNECTED(000001E8)
    depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:/C=***/ST=***/O=***/CN=***.com
       i:/DC=com/DC=***/CN=*** Enterprise CA 1
     1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
       i:/DC=com/DC=***/CN=*** Root CA 1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ***
    -----END CERTIFICATE-----
    subject=/C=***/ST=***/O=***/CN=***.com
    issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3404 bytes and written 665 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
        Session-ID: ***
        Session-ID-ctx:
        Master-Key: ***
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket: ***
        Start Time: 1435319943
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    read:errno=0

I created a simple HTTPS server (lib/emtestssl):

    require 'rubygems'
    require 'bundler/setup'
    Bundler.require

    class ServerHandler < EM::Connection
      def post_init
        puts "post_init"
        # private.key is the server key, comb.crt the combined certificate chain file
        start_tls :private_key_file => 'private.key',
                  :cert_chain_file => 'comb.crt',
                  :verify_peer => false
      end

      def receive_data(data)
        puts "Received data in server: #{data}"
        send_data("HTTP/1.1 200 OK\n\nHello world!")
        close_connection_after_writing
      end
    end

    EventMachine.run do
      puts 'Starting server...'
      EventMachine.start_server('145.245.202.233', 443, ServerHandler)
    end

It works fine without TLS; with TLS the browser will not connect :(


According to http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify, the private key and certificate match.

1 answer

It looks like the (fixed) eventmachine is completely fine: I took a key/cert pair from an existing server and (after a warning about the URL mismatch in the browser) it works fine.

After comparing the certificates, it looks like my CA messed up and issued me a certificate with the wrong properties: the working one is marked as Server Authentication (1.3.6.1.5.5.7.3.1), while mine is Client Authentication (1.3.6.1.5.5.7.3.2).

I will issue another CSR and bill them for the lost day... :/

Perhaps one more important finding is the order of the certificates in the cert file: you need to go from the final (end-entity) certificate first to the root at the end of the chain.

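An added Ruby check (not part of the question or the answer, and not eventmachine's code) that exercises the two findings above with the standard openssl binding: it builds a constructed root -> enterprise CA -> server chain (names such as Example Root CA and test.org are made up) and reports, for a PEM bundle plus key, whether the chain is in root-first order, whether the leaf carries the serverAuth EKU rather than clientAuth, and whether the private key matches the first certificate.

```ruby
require 'openssl'

# Builds a self-signed or CA-signed X.509 certificate (constructed test data only).
def make_cert(subject, key, issuer = nil, ca: false, eku: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku)) if eku
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end
def ca_pair(subject, issuer = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  { key: key, cert: make_cert(subject, key, issuer, ca: true) }
end
# Lists what makes a browser or TLS server reject a key/chain pair: a CA certificate in
# first place (reversed chain), broken issuer links, a leaf without serverAuth, key mismatch.
def check_server_bundle(chain_pem, key_pem)
  certs = chain_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
                   .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  leaf, key, problems = certs.first, OpenSSL::PKey.read(key_pem), []
  ext = ->(c, oid) { (e = c.extensions.find { |x| x.oid == oid }) && e.value }
  problems << 'first certificate is a CA: chain order is reversed' if ext[leaf, 'basicConstraints'].to_s.include?('CA:TRUE')
  eku = ext[leaf, 'extendedKeyUsage']
  problems << "leaf EKU is #{eku || 'absent'}, needs TLS Web Server Authentication" unless eku.to_s.include?('TLS Web Server Authentication')
  certs.each_cons(2) do |child, parent| # expected order: leaf, intermediate(s), root
    problems << "#{child.subject} was not signed by #{parent.subject}" unless child.verify(parent.public_key)
  end
  problems << 'private key does not match the first certificate' unless leaf.check_private_key(key)
  problems
end
# Constructed chain (root -> enterprise CA -> leaf) plus a leaf issued with clientAuth only.
ROOT = ca_pair('/CN=Example Root CA')
INTER = ca_pair('/CN=Example Enterprise CA', ROOT)
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
GOOD_LEAF = make_cert('/CN=test.org', SERVER_KEY, INTER, eku: 'serverAuth')
BAD_LEAF = make_cert('/CN=test.org', SERVER_KEY, INTER, eku: 'clientAuth')
CA_PEMS = INTER[:cert].to_pem + ROOT[:cert].to_pem
# Correct order, root-first order (what the P7B conversion produced) and the clientAuth leaf.
def demo_reports
  { correct: check_server_bundle(GOOD_LEAF.to_pem + CA_PEMS, SERVER_KEY.to_pem),
    reversed: check_server_bundle(ROOT[:cert].to_pem + INTER[:cert].to_pem + GOOD_LEAF.to_pem, SERVER_KEY.to_pem),
    client_auth: check_server_bundle(BAD_LEAF.to_pem + CA_PEMS, SERVER_KEY.to_pem) }
end
demo_reports.each { |name, problems| puts "#{name}: #{problems.empty? ? 'ok' : problems.join('; ')}" }
```

Run it against a real bundle by replacing the constructed PEM strings with `File.read('comb.crt')` and `File.read('private.key')`; the reversed case reproduces what `openssl x509 -in cert.crt` showed in the question, where the first certificate printed was the CA rather than the server certificate.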

Source: https://habr.com/ru/post/982262/
