I tried to set up a certificate authority and issue a certificate from that authority (without an intermediate; the CA covers *.node.consul and the certificate sits below it at i-0c2e25880dab06f71.node.consul). However, when running openssl verify (passing the -CAfile option), it still cannot complete the lookup:
root@i-0c2e25880dab06f71:~# openssl verify -verbose -CAfile /root/ssl-ca.crt /root/ssl-cert.pem
/root/ssl-cert.pem: CN = i-0c2e25880dab06f71.node.consul, emailAddress = [email protected], O = Instructure, OU = Ops, C = US, ST = UT, L = SLC
error 20 at 0 depth lookup:unable to get local issuer certificate
Reading the certificates with:
openssl x509 -in /root/ssl-cert.pem -text -noout
leads to the following two outputs.
For the CA:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d3:f3:bc:d7:8f:6c:43:2f:ad:9b:6c:3e:1d:13:8e:c4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Validity
Not Before: Jan 1 16:52:31 2018 GMT
Not After : Jan 1 16:52:31 2038 GMT
Subject: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:be:15:5d:e3:32:b0:58:bf:01:7b:73:c2:ad:b6:
7c:59:9f:ca:a0:6a:26:64:8b:56:83:6e:43:b6:aa:
e9:81:70:39:70:22:bd:10:a4:d8:d1:a1:a1:cb:0d:
eb:d2:5c:c3:f8:9c:d2:d9:a5:d0:48:65:bb:d1:a8:
1a:cc:a4:53:27:9a:ca:fc:23:84:e3:f7:59:97:d6:
05:35:f5:94:5e:af:aa:a8:4f:24:25:0a:8e:e1:21:
6a:35:a5:e7:da:ed:f4:50:2c:cc:ef:ac:a6:28:da:
c1:a3:ea:53:84:64:9f:2c:a0:6a:73:6a:8d:e6:7e:
03:10:dd:42:cc:89:24:13:d7:5d:14:43:e2:cc:9a:
12:ef:4b:c6:96:fb:20:88:0e:fc:6c:b3:88:ba:ed:
64:d9:f7:8f:97:e1:50:a0:ae:42:5f:4f:8e:8f:7e:
40:fd:e5:a3:f4:1d:fc:88:f0:c3:2e:d1:1d:32:fb:
95:85:00:23:ba:d3:cc:0c:65:8e:be:e0:dd:4f:5f:
22:fe:26:8d:1c:12:94:0a:d1:44:4d:0c:be:72:56:
c6:7e:be:cb:81:41:0f:20:d8:31:34:d9:4c:11:ae:
c5:12:57:35:bf:15:8c:ea:15:88:29:2d:81:c8:11:
fb:a8:13:7a:cb:eb:68:f8:32:47:98:fa:dc:86:a9:
07:4a:cf:96:0d:fd:ce:09:48:df:ac:f7:f4:57:d0:
13:d5:75:cc:3d:63:3c:26:2d:95:88:b7:f9:27:83:
2a:ff:1f:63:fd:b5:f0:e9:d3:cf:85:3b:7a:6e:0e:
56:46:70:29:1e:be:3f:02:81:81:0c:0b:d4:88:da:
7f:93:46:03:d1:0c:73:97:44:33:a3:0b:1a:a0:a6:
b5:4d:f1:95:ea:37:7f:ac:e2:71:e1:90:94:97:99:
5f:d8:84:f5:29:9e:9a:86:ff:cd:6e:7d:b0:64:2e:
a1:21:a8:4a:84:e3:6c:a9:ac:cf:62:3e:8f:fd:71:
14:c9:c1:dc:99:13:84:9a:47:9a:42:53:52:e0:72:
32:48:9d:1b:ab:ea:c4:97:24:20:a3:86:e3:d5:d5:
79:c6:bf:e1:b0:31:a7:8f:8d:bc:0b:f3:b4:ab:03:
f1:e2:68:08:e0:3a:c3:50:3e:c1:40:8b:42:ae:71:
7d:7b:24:24:34:75:df:9f:b2:75:16:63:af:7b:58:
fb:eb:0c:8e:44:a7:1b:bb:59:c9:b4:db:c1:b4:9a:
c1:b1:42:a5:4b:62:b4:84:ab:c9:b0:6e:fe:db:20:
9e:32:24:0c:3c:dd:8b:82:9a:f6:75:76:73:6f:73:
f6:34:d8:02:b7:01:7c:e2:f7:90:43:5e:d0:00:dc:
0f:4d:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Alternative Name: critical
DNS:*.node.consul
Signature Algorithm: sha256WithRSAEncryption
53:52:50:d2:25:01:8f:7a:fb:03:18:2f:3c:cd:d2:85:4f:d2:
4d:39:8e:e4:06:bb:fa:8d:9a:9a:ab:e0:8f:ce:bb:6f:74:49:
1d:72:fb:27:e8:0f:bb:62:40:d7:06:69:71:4f:21:39:ac:ba:
78:b5:a8:43:8c:2d:6c:87:45:8e:75:9e:a4:79:65:cb:b0:bf:
47:0c:86:7a:a8:9b:40:80:71:30:a5:fe:db:1f:f2:2e:41:85:
f2:1d:8a:31:bd:ec:6d:94:58:a5:b5:93:25:6f:b8:bd:4e:13:
7a:40:d2:e2:bc:41:e6:33:fe:22:55:bb:01:5d:7e:af:8d:62:
9b:9f:9d:c9:e8:63:4d:7a:b5:f9:13:8f:f3:45:68:a8:1f:e7:
d5:5b:cc:77:49:eb:c9:26:3d:19:50:b6:34:e8:e4:21:14:37:
aa:76:d0:e0:77:69:77:ab:6a:da:0d:e7:22:6d:23:61:5c:8b:
da:64:da:48:5a:6f:01:42:0f:c1:24:06:5c:f6:06:3c:45:3a:
37:c0:3e:0a:ee:cb:44:aa:d3:a9:74:d0:e2:77:30:d4:0a:8b:
13:73:ba:a6:a2:3b:02:f0:60:fa:6e:27:20:d1:3d:23:64:38:
4d:54:36:c5:20:04:d1:2e:68:6d:5c:30:af:ef:5a:a5:7f:a5:
06:c2:f7:51:40:ec:14:c7:1d:bc:45:7f:fe:77:02:50:aa:37:
19:9d:2c:02:74:a3:56:e5:d4:36:e9:c0:33:bc:c8:52:e2:c8:
1e:21:26:83:cb:e3:b6:72:55:df:1e:dc:48:7b:d8:1a:ca:2a:
21:4f:eb:94:9f:de:82:f8:5b:82:0d:ef:d5:e9:89:99:b4:48:
ce:d5:9e:a4:ca:3b:c9:e1:19:a5:60:ec:04:36:31:11:b0:31:
7a:22:64:9c:6e:dd:82:e4:65:96:a2:e3:aa:9c:99:ec:f5:e1:
48:84:7c:f5:38:00:cb:24:cf:5d:ed:e5:87:a9:86:c5:cb:4f:
65:6a:35:21:2e:30:cd:e6:85:84:13:e3:ff:9c:72:4d:a8:9c:
fb:63:01:eb:a8:ae:6f:84:66:b8:bd:fe:0f:c9:17:96:8d:42:
9d:8c:0c:bc:90:ab:17:19:df:6f:6a:28:fc:8c:50:6d:88:69:
31:75:6e:d7:6d:f2:f4:70:f0:64:14:c2:fc:57:dc:f3:68:57:
9d:4c:fe:94:e5:13:d7:9f:ad:ee:68:1b:df:9c:af:bb:f4:73:
83:d6:0a:54:fa:73:ec:02:f2:f2:87:35:7c:2a:58:df:20:32:
1a:c2:c2:ba:1d:4f:5f:8c:fe:3c:7e:e7:0c:80:0e:27:57:c2:
01:48:1f:58:f7:2c:f3:b7
And for the certificate itself:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d7:9b:09:48:1f:62:44:95:80:ef:b7:e4:5c:e1:c7:4b
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Validity
Not Before: Jan 1 18:41:57 2018 GMT
Not After : Jan 1 18:41:57 2021 GMT
Subject: CN=i-02da590eb53768ddc.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:aa:77:6d:61:52:be:92:78:b6:b2:82:41:93:08:
86:ba:00:e3:fc:d4:43:2e:3a:e6:49:f8:9d:dc:e5:
40:f3:18:18:ac:56:ae:a1:96:b6:ff:35:63:97:8b:
9b:a7:cc:c0:f3:7b:99:82:8e:4c:cf:d4:25:56:c2:
32:2f:35:08:5f:79:ee:ea:52:02:2b:2f:11:ac:10:
ea:18:e7:00:b6:52:ee:df:c7:01:7a:68:7e:32:1c:
63:73:77:43:99:a0:a6:13:05:26:39:e2:4d:b9:e6:
c1:58:99:02:dc:0c:99:90:1f:d4:79:9e:fe:77:99:
58:a7:a7:26:42:9e:13:34:f3:e9:c2:f2:3a:6f:72:
33:55:ad:66:89:4a:39:4b:c9:67:a8:d2:8e:80:75:
42:c9:01:9e:e7:d0:b1:7a:63:f5:6b:f1:a4:66:be:
d9:e5:e9:87:4c:2e:99:87:0f:26:1f:2c:19:25:78:
82:fe:31:e2:26:6f:de:0d:93:75:65:7f:cc:c9:a3:
24:69:db:7b:57:57:fa:49:ec:39:8c:ac:92:2f:1c:
cc:3d:e4:e2:6c:48:4b:bb:35:20:74:77:91:80:ad:
7d:9d:9f:7b:53:7c:bf:98:bb:a6:27:15:de:aa:27:
e3:8b:87:3b:35:50:ac:6d:36:ba:2b:95:b5:4b:2b:
ce:6b:84:91:e0:4d:e0:21:fd:d3:80:43:17:98:ff:
66:b8:7f:32:f9:ed:d3:25:a3:6f:b4:e9:26:56:4c:
c3:d8:2f:2f:6e:f8:9a:85:4d:a9:05:d2:f5:60:1d:
42:df:29:75:1b:2c:66:b1:a4:56:8a:0b:43:14:b8:
7d:62:4d:5a:1b:a6:a1:da:98:64:4e:e2:e2:8b:8d:
c9:57:f9:7d:58:91:12:d7:dd:7b:52:7c:00:91:bc:
ab:25:a0:63:91:8c:02:c8:8f:7e:23:80:33:95:b2:
4a:ea:f9:ee:87:1a:17:f1:85:60:ae:db:f1:d3:63:
ab:0b:d8:ab:7c:56:90:8f:f5:9a:60:25:2b:81:b5:
df:bc:f7:0d:9c:47:8a:b6:4d:2b:88:21:cf:bd:d5:
fe:1a:d7:76:19:03:06:d1:9b:67:42:f9:8f:be:27:
61:9f:a8:9c:2a:57:96:e1:a2:d8:84:7f:9f:15:bb:
b2:ae:21:92:7a:4c:42:69:10:63:da:bf:b6:eb:74:
57:13:6f:d9:c2:a9:99:09:09:b5:d6:ff:e0:c4:eb:
91:bf:4d:9e:98:3e:e3:8c:69:7a:06:01:f7:d0:75:
df:d2:6e:78:b2:39:6a:73:70:41:dd:30:f5:00:c0:
f6:70:d3:63:76:98:01:ee:52:4a:92:77:39:c5:ab:
99:33:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
AA:C7:CB:B6:22:D2:EF:05:72:89:92:DF:2E:44:6B:D5:33:00:D8:06
X509v3 Subject Alternative Name: critical
DNS:i-02da590eb53768ddc.node.consul
Signature Algorithm: sha256WithRSAEncryption
ab:dc:ad:f4:55:af:a6:ca:27:d2:7a:f6:77:b3:4f:1d:14:41:
7c:56:3a:a0:75:de:1f:0a:3c:7f:50:d0:4d:b0:1b:01:75:4c:
d0:19:c7:5d:86:c5:ac:85:10:9e:58:22:87:23:70:27:a5:75:
11:73:6f:2f:8e:f3:90:ca:51:c7:cb:75:46:59:91:3f:d3:f3:
dd:d4:60:4d:60:e1:82:a9:c6:e8:ac:3e:01:9d:4d:b8:cb:70:
90:2a:f6:58:ba:dd:44:67:e7:7e:71:70:cc:fc:5a:7e:1e:e4:
32:e4:2c:43:64:79:69:32:a4:d2:12:5a:fe:3e:e3:47:b9:3d:
8d:41:16:b5:5e:d8:bd:dd:39:e8:0a:8a:ee:7d:44:fd:98:bc:
02:79:57:d5:2d:dd:f7:14:87:f5:19:29:80:27:f4:3d:6e:0d:
0a:ce:78:fd:e1:1e:b3:7e:4b:cd:07:d7:e3:4e:50:35:56:a6:
8d:ea:3d:b3:ab:99:55:54:27:22:9d:3d:7d:93:37:b6:9d:51:
5d:f1:64:69:d9:72:de:58:e2:ec:4e:c0:0e:62:77:68:13:5e:
2d:01:7b:06:ec:8a:23:bc:6f:e5:ee:b5:1d:0b:4d:08:35:6c:
49:a4:43:24:32:99:ad:fd:34:44:24:ba:49:f7:79:28:0e:88:
cb:72:9b:ce:c4:9d:fc:e1:5f:3c:d9:f5:18:ae:e9:f4:4a:52:
72:03:cb:77:23:0d:9b:63:9a:1f:66:fe:6e:f1:78:87:85:80:
93:39:d7:59:dd:7b:4b:c5:b2:13:7b:f5:ab:78:ac:32:cf:b1:
b6:2b:08:5f:ba:46:fd:50:82:48:62:81:e6:9d:77:05:25:53:
40:c1:6d:8b:b2:89:5f:fb:6e:f9:d3:69:e7:d6:f8:7c:5e:72:
0a:19:d5:bc:ec:4f:f3:91:38:cc:88:58:f1:19:0b:08:8a:76:
45:c8:3f:30:52:ff:8c:83:01:5e:c8:f7:41:ee:38:13:db:ce:
9b:86:a3:0b:a3:3d:48:d1:03:2c:ab:6f:1c:b1:46:67:70:13:
64:99:c3:37:21:af:4d:ce:0a:28:9c:94:67:89:d4:04:5d:a2:
56:fa:e0:bb:82:5f:75:d4:a5:22:a7:57:53:dc:cb:f1:65:e3:
df:b6:66:a2:88:39:25:09:b5:84:a8:5b:a7:76:89:a1:46:7b:
16:d3:df:7f:ab:a2:41:c1:cb:0b:75:98:8c:d6:67:fd:5b:4a:
ad:50:a9:e0:af:5c:f3:28:a0:aa:80:62:f5:77:4d:17:d4:6a:
3f:2a:6a:59:47:c4:b1:88:36:f6:55:f2:32:84:6b:70:78:3a:
d2:b4:13:53:e2:1c:e8:ef
I suppose this is probably due to something in the way I generated the certificates, but I don't really know where to look. As I understand it, error 20 "unable to get local issuer certificate" occurs when it cannot find a particular certificate in the chain. However, I don't know why it cannot find all the information it needs.
Your CA certificate has the following extensions:
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Alternative Name: critical
DNS:*.node.consul
Aside from the fact that a CA certificate needs neither a Subject Alternative Name extension nor the TLS Web Server/Client Authentication extended key usages, none of the key usages given is needed for a CA, while the one that is needed is missing.
Let's look at which key usages you have. The relevant quotes are taken from RFC 5280 section 4.2.1.3, Key Usage.
In other words: none of these key usages is relevant when validating the signature on certificates.
But there is one important key usage needed when validating certificates:
Only, that key usage is missing on your CA certificate. That is why it will not use this CA certificate to validate the signature on the leaf certificate, and so it fails to build the chain of trust. Once you add this key usage to your CA certificate (and preferably remove all the unnecessary key usages, purposes and SANs), it will be used successfully to validate the leaf certificate.
If it were present, it would look like:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, Key Encipherment
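The failure and the fix, reproduced end to end as an added example (this is not code from the original question or answer): the script self-signs two CAs, one with exactly the extension profile from the question and one with Certificate Sign added, issues a leaf certificate from each, and runs the same openssl verify as above. It also includes a pre-flight check that reads the CA's Key Usage before the CA is trusted for anything. It assumes openssl 1.1.1 or newer on PATH; the subjects, file names and the ext.cnf profiles are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce "error 20 ... unable to get local issuer certificate"
# with a CA that lacks keyCertSign, then show the same chain verifying once the
# key usage is present. Assumes openssl 1.1.1+; everything below is constructed.

WORK=$(mktemp -d)

# Two CA extension profiles and one leaf profile. "ca_broken" mirrors the CA
# in the question (no Certificate Sign, needless EKU and SAN); "ca_fixed" keeps
# only what a CA needs. The [req]/[dn] stanza lets `req` run with -subj alone.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_broken]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = critical, DNS:*.node.consul
[ca_fixed]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = critical, DNS:i-0c2e25880dab06f71.node.consul
EOF

# Self-sign a CA using the named extension profile; prints the cert path.
make_ca() {   # $1 = CA name, $2 = extension section in ext.cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=*.node.consul/O=Example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -config "$WORK/ext.cnf" -extensions "$2" >/dev/null 2>&1
  echo "$WORK/$1.crt"
}

# Issue a leaf signed by the named CA. Note that `openssl x509 -req` does not
# check the CA's Key Usage when signing, which is why a broken CA can still
# produce a leaf that later fails to verify. Prints the leaf cert path.
issue_leaf() {   # $1 = CA name
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=i-0c2e25880dab06f71.node.consul/O=Example" \
    -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" \
    -config "$WORK/ext.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1-leaf.csr" -days 30 -sha256 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions leaf \
    -out "$WORK/$1-leaf.crt" >/dev/null 2>&1
  echo "$WORK/$1-leaf.crt"
}

# Pre-flight check: does the CA's Key Usage contain Certificate Sign? Reads the
# line that follows "X509v3 Key Usage" in the -text dump; prints yes or no.
ca_can_sign_certs() {   # $1 = CA cert path
  if openssl x509 -in "$1" -noout -text \
      | sed -n '/X509v3 Key Usage/{n;p;}' | grep -q 'Certificate Sign'; then
    echo yes
  else
    echo no
  fi
}

# The verification from the question; prints ok or fail.
verify_chain() {   # $1 = CA cert path, $2 = leaf cert path
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

BROKEN_CA=$(make_ca broken ca_broken); BROKEN_LEAF=$(issue_leaf broken)
FIXED_CA=$(make_ca fixed ca_fixed);    FIXED_LEAF=$(issue_leaf fixed)

echo "broken CA: can sign certs = $(ca_can_sign_certs "$BROKEN_CA"), verify = $(verify_chain "$BROKEN_CA" "$BROKEN_LEAF")"
echo "fixed CA:  can sign certs = $(ca_can_sign_certs "$FIXED_CA"), verify = $(verify_chain "$FIXED_CA" "$FIXED_LEAF")"

# Show the raw OpenSSL diagnostics for the broken chain (error 20 at depth 0).
openssl verify -verbose -CAfile "$BROKEN_CA" "$BROKEN_LEAF" || true
```

The broken CA is rejected as an issuer because OpenSSL only considers a certificate as a possible issuer if its Key Usage, when present, includes Certificate Sign; with no acceptable issuer found the lookup stops at depth 0 with error 20, which is the same symptom as in the question. The ca_can_sign_certs check is the inspection worth running on any CA certificate before it is handed to -CAfile or installed into a trust store.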