Open lwfitzgerald opened 8 years ago
Is there any progress being done on this, or will it be addressed?
I've tried bundling my certs ala
copy mydomain.crt + bundle.crt all.crt
openssl pkcs12 -in all.crt -inkey mydomain.key -export -out all.pfx
(with no password)
then
var server = new SocketHttpListener.Net.HttpListener(new X509Certificate2(@"C:\Temp\cert\all.pfx", ""))
and this works fine in Chrome, but it fails in CURL and other tools because they "can't verify the local issuer certificate"
CURL:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
(Running with -k obviously works)
Checking it with openssl - openssl s_client -connect mydomain:8013 - gives:
CONNECTED(00000194)
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=MYDOMAINHERE
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
It works fine in Chrome, but I guess it just has a bunch of certs built in.
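As an added example (not code from this thread or from the SocketHttpListener project), a small Python check that parses the "Certificate chain" section of `openssl s_client` output like the one above and tells a server that omits its intermediate apart from a client that merely lacks the root in its trust store; both sample outputs and the TRUSTED_ROOTS set are constructed for the example.

```python
import re
# Constructed samples modelled on the `openssl s_client` output quoted in the thread.
FULL_CHAIN = """\
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/CN=MYDOMAINHERE
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
"""
# The symptom reported later in the thread: only the first certificate in the PKCS12 is sent.
LEAF_ONLY = """\
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/CN=MYDOMAINHERE
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
"""
# Assumed client trust store: subjects of roots the client already has.
TRUSTED_ROOTS = {"/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"}
SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

def parse_chain(output):
    """Return (subject, issuer) pairs in the order the server presented them."""
    chain, subject = [], None
    for line in output.splitlines():
        if m := SUBJECT_RE.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER_RE.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def audit_chain(output, trusted_roots=TRUSTED_ROOTS):
    """Tell a server-side gap (intermediate not sent) from a client-side one (root not trusted)."""
    chain = parse_chain(output)
    if not chain:
        return {"sent": 0, "server_chain_complete": False, "diagnosis": "no certificates parsed"}
    # Each certificate's issuer must be the subject of the next one the server sent.
    gaps = [f"cert {i} issuer is not cert {i + 1} subject"
            for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    last_subject, last_issuer = chain[-1]
    if last_subject != last_issuer and last_issuer not in trusted_roots:
        gaps.append(f"intermediate '{last_issuer}' not sent by server")
    diagnosis = "ok"
    if gaps:
        diagnosis = "server chain incomplete: " + "; ".join(gaps)
    elif "verify error:num=20" in output:
        diagnosis = f"server chain complete; client trust store lacks '{last_issuer}'"
    return {"sent": len(chain), "server_chain_complete": not gaps, "diagnosis": diagnosis}
```

Verify error 20 is ambiguous on its own: the audit reports the first case as a server-side misconfiguration (the PKCS12 must carry the intermediate and the listener must send it) and the second as a client that simply needs the root installed.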
Hm, I suspect this is related to star certs.. ours is a *.domain.tld and curl doesn't like it even with the production system running nginx and other magic elsewhere..
Right now we are waiting for the mono 4.8 release and will re-evaluate after we've tested the revamped TLS support based on Google BoringSSL:
http://www.mono-project.com/docs/about-mono/releases/4.8.0/
Please note, it is not our intention with this library to provide any kind of SSL support that mono is missing natively, although pull request enhancements would be welcome.
I've recently switched to using certificates from LetsEncrypt which are signed by their intermediate CA which is itself cross-signed by a browser-accepted root CA: (screenshot of certificate chain sent by Apache)
Because the intermediate CA certificate is not in the trust stores of any browsers it must be included in the certificate chain sent by the server.
Even if I include both certificates in the PKCS12 file, only the first is sent to any clients: