Trust an x509 certificate already trusted on another host



I have two hosts, one with Debian Buster and the other with CentOS 7.

I want to connect to the SMTP server from these two servers via SSL. However, I can only do this on CentOS:

CentOS:

$ openssl s_client -connect smtp.server.com:587
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = server.com
verify return:1
---
Certificate chain
 0 s:/CN=server.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
...

Debian:

$ openssl s_client -connect smtp.server.com:587
CONNECTED(00000003)
depth=0 CN = server.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = server.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---

It appears that the problem is that the Debian host is missing the Let's Encrypt certificate or doesn't trust it.

How to "transfer" trust from one computer to another? i.e. how do I make sure they both trust the same certificate?

garethTheRed

Install the CA certificate package

First, you need to confirm that the root CA certificate bundle is installed on your Debian machine.

running:

$ apt list --installed 2>/dev/null | grep ca-certificates

If the output line ends with [installed], the package is installed but is missing the root CA certificate - skip to the next section.

If the command doesn't output anything, you need to install the CA certificate with:

$ sudo apt install ca-certificates

At this point, test your command again.

If it still fails, you need to manually add the Root CA certificate like this:

Add root CA certificate to Trust-Anchor store

If you read here, you'll see that the correct root is Let's Encrypt's ISRG Root X1. The Let's Encrypt issuing CA (Let's Encrypt Authority X3) has been signed by the above and also cross-signed by IdenTrust's Root CA to improve compatibility with legacy systems. It's the latter that's used by CentOS boxes, but it will expire next year, so it's not worth installing on a Debian box.

To get this working on your Debian machine, download Let's Encrypt ISRG Root X1 from the link above and save it on your Debian system as (for example) ISRG_Root_X1.pem in /usr/local/share/ca-certificates/

Before proceeding to the next step, please make sure that you confirm that the link I am providing is real (the Let's Encrypt website) and secure (HTTPS) and that I am not trying to get you to install a fake root CA certificate.

Now run:

$ sudo update-ca-certificates

to add the new certificate to your trust store.

If you really want to use the IdenTrust root CA certificate, you can download it from here. This is the last link on the page.

Try your command again, hope it works.

SMTP server configuration error

If it still fails, you need to check that the SMTP server sends the certificate chain as part of the TLS handshake. Typically, server administrators only configure the end-entity certificate and ignore the CA chain. Add -showcerts to the command on the Debian box and check whether all certificates (in PEM format) are displayed.

If they are missing, contact the server administrator and (politely) ask them to configure their server properly.
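As an added example, not code from the question or the answer above: a small POSIX shell script that automates the two checks in this answer. diagnose reads an openssl s_client transcript and tells a missing intermediate (only the leaf listed under "Certificate chain", errors 20/21) apart from a chain that was sent but whose root is not in the local store. install_trust_anchor copies a downloaded root into the directory that update-ca-certificates scans, renaming it to a .crt extension, because update-ca-certificates only picks up *.crt files in /usr/local/share/ca-certificates. The three transcripts are constructed (the first two abridged from the outputs quoted in the question, the third invented), and the function names and the optional destination-directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
#   diagnose             - classify an `openssl s_client [-showcerts]` transcript
#   install_trust_anchor - copy a root CA PEM into the Debian local trust dir
# The transcripts below are constructed to match the outputs quoted in the post.

# Read an s_client transcript from stdin and print one of:
#   ok                    no "verify error" lines at all
#   missing-intermediate  the server sent only its leaf certificate
#   untrusted-root        the server sent a chain, but its top certificate
#                         does not chain to anything in the local trust store
diagnose() {
    transcript=$(cat)
    # entries in the "Certificate chain" section look like " 0 s:CN = server.com"
    chain_len=$(printf '%s\n' "$transcript" | grep -c '^ *[0-9][0-9]* s:' || true)
    # error numbers from lines like "verify error:num=20:unable to get local issuer certificate"
    errs=$(printf '%s\n' "$transcript" \
        | sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' | sort -u | tr '\n' ' ')
    if [ -z "$errs" ]; then
        echo ok
    elif [ "$chain_len" -le 1 ]; then
        # errors 20/21 with a single chain entry: no intermediate was sent
        echo missing-intermediate
    else
        # a chain was sent but verification still failed at its top: root not in the store
        echo untrusted-root
    fi
}

# Copy a root CA (PEM) into the directory update-ca-certificates scans.
# It only picks up files ending in .crt, so ISRG_Root_X1.pem would be ignored.
# Usage: install_trust_anchor ISRG_Root_X1.pem [DEST_DIR]   (DEST_DIR is this example's own option)
install_trust_anchor() {
    src=$1
    dest_dir=${2:-/usr/local/share/ca-certificates}
    # cheap sanity check only; it does not replace comparing the fingerprint
    # with the one published on letsencrypt.org
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "$src: not a PEM certificate" >&2
        return 1
    fi
    dest="$dest_dir/$(basename "$src" .pem).crt"
    cp "$src" "$dest" && echo "$dest"
}

# Constructed transcript, abridged from the CentOS output in the question.
sample_centos() {
cat <<'EOF'
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = server.com
verify return:1
---
Certificate chain
 0 s:/CN=server.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}

# Constructed transcript, abridged from the Debian output in the question.
sample_debian() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = server.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = server.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
EOF
}

# Invented transcript: leaf and intermediate sent, root missing from the store.
sample_no_root() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server.com
verify return:1
---
Certificate chain
 0 s:CN = server.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Offline demo: classify the three constructed transcripts.
for s in sample_centos sample_debian sample_no_root; do
    printf '%-15s %s\n' "$s" "$($s | diagnose)"
done
```

On a real host, capture the transcript with "openssl s_client -connect smtp.server.com:587 -starttls smtp -showcerts </dev/null 2>&1 | diagnose" (the question's command without -starttls is also fine for an implicit-TLS port), and after install_trust_anchor run sudo update-ca-certificates as the answer describes.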
