HOWTO: Troubleshoot certificate issues on Linux

Version 1

    Question

    HOWTO: Troubleshoot certificate issues on Linux


    Answer

    When the RES ONE Workspace Portable Relay Server has a problem with a certificate, the following error is reported in its log file:

    Error in Server TLS Handshake [<IP address>:<port>]: certificate verify failed

    The following procedure can be used to troubleshoot such a scenario.
    In the example below, the RES ONE Workspace Portable Relay Server connects to a RES ONE Workspace Relay Server on Windows that is configured with a domain certificate.
    By default, Linux machines do not trust certificates issued by a domain CA, because the root certificate of that CA is not in their trust store.



    Export the wildcard certificate and root certificate from the RES ONE Workspace Relay Server for Microsoft Windows
    Export the certificate and save it as a PFX file (e.g. nameorwildcard.yourdomain.local.pfx).
    • Start Manage computer certificates from Control Panel.
    • Open the installed certificate in the Personal store.
    • Use the option Copy to File on the tab Details to start the Certificate Export Wizard.
    • Choose the options Yes, export the private key and Include all certificates during the export.
    • Save the certificate as PFX file (e.g.: wildcard.yourdomain.local.pfx for a wildcard certificate)
    Export the root certificate and save it as a CER file (e.g. rootca.yourdomain.local.cer).
    • Start Manage computer certificates from Control Panel.
    • Open the installed certificate in the Personal store.
    • Select the root certificate on the tab Certification Path and click View Certificate.
    • Use the option Copy to File on the tab Details to start the Certificate Export Wizard.
    • Choose the format Base-64 encoded X.509 (.CER) during the export.
    • Save the certificate as CER file (e.g.: rootca.yourdomain.local.cer).
    Copy the certificates and convert the PFX certificate
    Copy the certificates (CER and PFX files) to the machine that runs the RES ONE Workspace Portable Relay Server for Linux.
    Replace the file name in the commands below with the actual name of the certificate before converting it.
    openssl pkcs12 -in nameorwildcard.yourdomain.local.pfx -out output.pem -nodes -password pass:passwordofpfx
    sed -n '/^-----BEGIN PRIVATE KEY-----/,/^-----END PRIVATE KEY-----/p' output.pem > certificatekey.key
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' output.pem > certificate.crt
    rm -f output.pem

    Remove output.pem afterwards, as it contains the private key unencrypted (-nodes). Note that the second sed command copies every certificate contained in the PFX, including the root certificate, into certificate.crt; check the result in the next step.

    Run dos2unix (or a similar tool) on the exported files to convert Windows line endings, which can otherwise cause parsing problems.
    dos2unix rootca.yourdomain.local.cer


    View certificate to check the content (optional step)
    View the content of the certificate file.
    openssl x509 -in certificate.crt -text -noout

    The CRT file needs to start with the host certificate, followed by all intermediate CA certificates (so not the root certificate).
    If no intermediate CAs are involved, the certificate chain file only contains the host certificate.


    Verify the certificate without specifying a root certificate
    This will verify the certificate chain against the trusted root authorities that are configured for the system.
    openssl verify certificate.crt

    Correct result: certificate.crt: OK
    Incorrect result (example): error 20 at 0 depth lookup:unable to get local issuer certificate

    If the verification fails, the root certificate is not trusted by the system or an intermediate certificate is missing from the certificate chain.


    Verify certificate against the copied root certificate
    If the previous step failed, this step shows whether the problem is caused by a wrong or missing root certificate.
    As both the certificate and the root certificate have been exported manually, this step should succeed.
    openssl verify -CAfile rootca.yourdomain.local.cer certificate.crt

    Correct result: certificate.crt: OK
    Incorrect result (example): error 20 at 0 depth lookup:unable to get local issuer certificate

    If this verification fails, the root certificate is not the correct one or an intermediate certificate is missing from the certificate chain.
    The depth indicates at which level in the certificate chain the failure occurs.
    A depth of 0 indicates that there is a problem with the root certificate.


    Verify certificate against the installed root certificate by specifying the path
    If the previous step succeeded, this step shows whether the installed root certificate is the wrong one.
    On Red Hat Enterprise Linux (RHEL) and CentOS:
    openssl verify -CAfile /etc/pki/ca-trust/source/anchors/rootca.yourdomain.local.cer certificate.crt

    On Ubuntu (the extension is CRT instead of CER):
    openssl verify -CAfile /usr/local/share/ca-certificates/rootca.yourdomain.local.crt certificate.crt

    Correct result: certificate.crt: OK
    Incorrect result (example): error 20 at 0 depth lookup:unable to get local issuer certificate

    If this step fails while the previous step succeeded, the installed root certificate is wrong and needs to be replaced.
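    The script below is an added example and is not part of the RES knowledge base article. It automates the "Copy the certificates and convert the PFX certificate" step and the verify steps above in one run, with two differences a practitioner usually needs: the root certificate is left out of certificate.crt (the sed command in the article keeps every certificate from the PFX, including the root), and the intermediates are handed to openssl verify with -untrusted, because openssl verify does not use the extra certificates in the chain file as issuers on its own. The output file names (certificate.crt, root.cer, the parts/ directory), the host name relay.yourdomain.local and the demo CA names are assumptions; make_demo_pki only builds constructed test data so the script can be exercised without a real Relay Server export.

```shell
#!/bin/sh
# Added example, not from the RES knowledge base article or from RES.
# Converts the PFX export as in the article, splits the result into key, host
# certificate chain (root excluded) and root certificate, and runs the verify
# steps in the article's order. File and host names are assumptions.
set -e

subject_of() { openssl x509 -in "$1" -noout -subject; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer/subject/'; }
is_self_signed() { [ "$(subject_of "$1")" = "$(issuer_of "$1")" ]; }
cert_count() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# split_pem_bundle OUTPUT.PEM OUTDIR
# OUTPUT.PEM is what "openssl pkcs12 -in x.pfx -out output.pem -nodes" writes.
# Produces certificatekey.key, certificate.crt (host certificate followed by the
# intermediates in issuing order) and root.cer (the self-signed certificate).
split_pem_bundle() {
  bundle=$1; out=$2
  mkdir -p "$out/parts"
  sed -n '/^-----BEGIN PRIVATE KEY-----/,/^-----END PRIVATE KEY-----/p' "$bundle" > "$out/certificatekey.key"
  # one file per certificate block: parts/cert.1, parts/cert.2, ...
  awk -v d="$out/parts" '
    /^-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert." n }
    f != "" { print > f }
    /^-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  keypub=$(openssl pkey -in "$out/certificatekey.key" -pubout)
  : > "$out/certificate.crt"; : > "$out/root.cer"
  host=""
  for c in "$out"/parts/cert.*; do
    # the host certificate is the one whose public key belongs to the private key
    if [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$keypub" ]; then
      host=$c
    elif is_self_signed "$c"; then
      cat "$c" >> "$out/root.cer"
    fi
  done
  [ -n "$host" ] || { echo "no certificate in $bundle matches the private key" >&2; return 1; }
  # walk from the host certificate to its issuer, and so on, stopping at the root
  cur=$host
  while :; do
    cat "$cur" >> "$out/certificate.crt"
    want=$(issuer_of "$cur"); next=""
    for c in "$out"/parts/cert.*; do
      if [ "$c" != "$cur" ] && [ "$(subject_of "$c")" = "$want" ] && ! is_self_signed "$c"; then
        next=$c; break
      fi
    done
    [ -n "$next" ] || break
    cur=$next
  done
}

# diagnose OUTDIR: the verify steps of the article, in the same order.
# Prints one word: trusted-by-system, root-not-installed or chain-broken.
diagnose() {
  out=$1
  # first block of certificate.crt is the host certificate, the rest are the
  # intermediates, which openssl verify only uses when given via -untrusted
  awk '/^-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$out/certificate.crt" > "$out/host.pem"
  awk '/^-----BEGIN CERTIFICATE-----/ { n++ } n >= 2' "$out/certificate.crt" > "$out/intermediates.pem"
  untrusted=""   # left unquoted below on purpose: it expands to two words or none
  if [ -s "$out/intermediates.pem" ]; then untrusted="-untrusted $out/intermediates.pem"; fi
  if openssl verify $untrusted "$out/host.pem" >/dev/null 2>&1; then
    echo trusted-by-system      # step 1: the system trust store already has the root
  elif openssl verify -CAfile "$out/root.cer" $untrusted "$out/host.pem" >/dev/null 2>&1; then
    echo root-not-installed     # step 2 passes: install root.cer as in the last section
  else
    echo chain-broken           # wrong root certificate or an intermediate is missing
  fi
}

# make_demo_pki DIR PASSWORD: constructed test data, not a real PKI. Builds a
# throwaway root -> issuing CA -> host chain and exports key plus all three
# certificates as a PFX, like the Windows wizard with "Include all certificates".
make_demo_pki() {
  d=$1; pw=$2
  mkdir -p "$d"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[ca]' 'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
    '[host]' 'basicConstraints = CA:FALSE' 'subjectAltName = DNS:relay.yourdomain.local' > "$d/demo.cnf"
  q="-config $d/demo.cnf -newkey rsa:2048 -nodes"
  openssl req -x509 $q -days 30 -extensions ca -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.cer" 2>/dev/null
  openssl req -new $q -subj "/CN=Demo Issuing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/demo.cnf" -extensions ca -out "$d/int.crt" 2>/dev/null
  openssl req -new $q -subj "/CN=relay.yourdomain.local" -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
  openssl x509 -req -in "$d/host.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -extfile "$d/demo.cnf" -extensions host -out "$d/host.crt" 2>/dev/null
  cat "$d/int.crt" "$d/root.cer" > "$d/chain.pem"
  openssl pkcs12 -export -inkey "$d/host.key" -in "$d/host.crt" -certfile "$d/chain.pem" \
    -out "$d/demo.pfx" -password "pass:$pw"
}

# Usage: sh chaincheck.sh nameorwildcard.yourdomain.local.pfx passwordofpfx [outdir]
if [ $# -ge 2 ]; then
  out=${3:-./chaincheck}
  mkdir -p "$out"
  openssl pkcs12 -in "$1" -out "$out/output.pem" -nodes -password "pass:$2"
  split_pem_bundle "$out/output.pem" "$out"
  rm -f "$out/output.pem"   # holds the unencrypted private key
  echo "result: $(diagnose "$out")"
fi
```

    The three results map onto the sections above: trusted-by-system means the first verify step already passes, root-not-installed means the exported root is correct but not yet installed on the Linux machine (continue with the installation step), and chain-broken means the exported root does not issue this certificate or an intermediate is missing, which is the depth-0 "unable to get local issuer certificate" case. Because openssl verify treats each certificate in a file on its own, passing a file that holds host certificate plus intermediates without -untrusted can fail even when the chain is complete; the script avoids that trap.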


    Install a new root certificate (optional step if the root certificate is incorrect or missing)
    Only follow this step if the steps above show that the copied root certificate is fine and the installed one is wrong.
    Afterwards, repeat the verify steps to confirm that there are no more errors.

    Copy the root certificate on Red Hat Enterprise Linux (RHEL) and CentOS:
    cp rootca.yourdomain.local.cer /etc/pki/ca-trust/source/anchors/rootca.yourdomain.local.cer
    chmod 644 /etc/pki/ca-trust/source/anchors/rootca.yourdomain.local.cer
    update-ca-trust

    Copy the root certificate on Ubuntu (the extension needs to be renamed to CRT, as update-ca-certificates only picks up .crt files):
    cp rootca.yourdomain.local.cer /usr/local/share/ca-certificates/rootca.yourdomain.local.crt
    chmod 644 /usr/local/share/ca-certificates/rootca.yourdomain.local.crt
    update-ca-certificates