glenpowell / certificate-transparency

Automatically exported from code.google.com/p/certificate-transparency
0 stars 0 forks source link

upload_server_cert.sh does not work due to openssl's output format #1

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
To reproduce:
src/client/upload_server_cert.sh www.idnet.net

The output from the 1st command in the script is not valid PEM:
openssl s_client -connect $SERVER:443 -showcerts < /dev/null | tee $TMP

Attached example output. Even after cleaning the non-PEM lines, CertChain still 
fails to load this chain.

Original issue reported on code.google.com by er...@google.com on 27 Jun 2013 at 1:32

Attachments:

GoogleCodeExporter commented 9 years ago
Full output:
[.../certificate-transparency/src/client,0]$ env GLOG_logtostderr=1 
./upload_server_cert.sh www.google.com
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIDgDCCAumgAwIBAgIKfoc8PQABAACPFjANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzA2MTkxMjQ0MDRaFw0xMzEwMzEyMzU5NTla
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw53d3cu
Z29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmG6NTsviPcKy
EY52/eNlfNaPk5xOp82AAU44ciesM+3dbVC2IgLweur3vFucUrdkXiXGgv4VQ8Hw
gFhKm3XZBkgSb6Rv8nf4bo/7pYzH8kiS81nmLZ5aQJv9hVBMt7sV6SYqDODn+nNR
6xVUssCNyTrQkeKZZPL8Yjg0L6/fXgECAwEAAaOCAVEwggFNMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU+VIcTn3LWcYokJCZEkoa21Bx
Q3QwHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNrEiQwWwYDVR0fBFQwUjBQ
oE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhv
cml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmwwZgYIKwYBBQUHAQEEWjBY
MFYGCCsGAQUFBzAChkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVy
bmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNydDAMBgNVHRMB
Af8EAjAAMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBBQUA
A4GBAHQoAr0zsHAD0wW53D4YcE1LG4RuxdDmv33r44PlstwZ98hVQN3dALYNrLlh
V500nSw/rQ+OtMDdZcH4as4blw5zPl4xvs/VdWiUQAKm3r3rTtnYAz9UtMOOmByo
n4yutuiiPxdWxBIyJza9CRowpvGVgqVmNdrTo+Egj3d5BUYy
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw
6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF
ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+
ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
vZqhEFBfurZkX0eTANq98ZvVfpg=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2108 bytes and written 348 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: 31053D39E3F4AA445B9DA89F88FFDD510B76D7F3C2F72434FEC5DB98EED3F518
    Session-ID-ctx: 
    Master-Key: BE8C9AEFCAFD8E588BA5773F817358F360DFF87247939AD2AF8452A88F7317946A23CBEEDE80511DD31A9E870A650A63
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 9f d8 a0 f4 9b 2e 96 32-84 4d 30 83 52 ca 4d 88   .......2.M0.R.M.
    0010 - 79 5a 94 39 7d 89 36 a3-4f c8 f1 5b 5e d9 e8 7c   yZ.9}.6.O..[^..|
    0020 - f0 09 3d 8e 83 74 6c a4-d6 f9 66 63 de 1c 07 94   ..=..tl...fc....
    0030 - a5 5c 02 22 ca 34 c7 33-b6 c3 af 39 01 a4 c5 90   .\.".4.3...9....
    0040 - 7a 2e 22 6c eb c2 80 1e-be 7e 31 d0 42 5c 93 07   z."l.....~1.B\..
    0050 - 63 ee 29 8d 97 30 08 b8-f5 19 42 52 4b 9b 32 7e   c.)..0....BRK.2~
    0060 - 4f 40 d3 fc 92 31 8f 3a-de 9d 0a 9a e5 8f 8f 5b   O@...1.:.......[
    0070 - 9b 57 e1 cc c8 aa 66 17-da d4 6d 84 ee 0d 30 f0   .W....f...m...0.
    0080 - 25 2e 15 ef 57 11 b8 2e-95 f3 03 77 4d de 34 ab   %...W......wM.4.
    0090 - fd 38 3d de                                       .8=.

    Start Time: 1372410013
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
ERROR: unknown command line flag 'logtostderr'
Try fixing the chain
Traceback (most recent call last):
  File "./fix-chain.py", line 9, in <module>
    from pyasn1 import debug
ImportError: No module named pyasn1
ERROR: unknown command line flag 'logtostderr'

Original comment by er...@google.com on 28 Jun 2013 at 9:01

GoogleCodeExporter commented 9 years ago
The problem is not that openssl does not produce valid PEM. It does.

The issue is that ct doesn't like the logtostderr option, which is odd - I 
believe glog should provide that.

Also, you appear not to have installed pyasn1.

Original comment by benl@google.com on 28 Jun 2013 at 9:09

GoogleCodeExporter commented 9 years ago
As Ben pointed out, it's the logtostderr option which was the problem. Without 
it, the ct client reads the file without any problems.

Original comment by er...@google.com on 12 Jul 2013 at 10:24