Debian – Avoid the need of CAfile on client


I am trying to configure my Apache so that it delivers all certificate files and always gets a positive validation.
To be clear, there is no issue with any browsers; I am talking about openssl s_client and curl.

Running for example openssl s_client gives the following output:

depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=DE/CN=xxx
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Server certificate
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
No client certificate CA names sent
SSL handshake has read 4602 bytes and written 518 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: C45A306052F9815DF5ED7CDC7B6AD21FE4E54AC47A7B51BF3BF433748DECB318
    Master-Key: 8396742DE006FC8CEAEDE280B2CD839D0575D1FAD51498C855825BED82D484CC28F8F1D9F549512F08182FCD3BFF3FCD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 67 85 0d a9 99 68 b2 cc-d6 fb a6 8f ee ba 67 4f   g....h........gO
    0010 - 09 c1 e9 a3 1d 3e a0 49-96 54 7f df cf 0d fb ef   .....>.I.T......
    0020 - 57 3c c3 b4 8b e2 d9 b2-c1 92 db c7 c1 0c 3f 4b   W<............?K
    0030 - 1c 3b 14 f4 bf 8d 94 09-7f 00 f7 20 9a 2b 6f f0   .;......... .+o.
    0040 - 34 48 d2 68 a5 e5 a0 58-3c 84 8b aa 3b 9a 27 27   4H.h...X<...;.''
    0050 - 16 4b cd 3d cb 74 40 b8-08 96 a4 95 52 86 f4 aa   .K.=.t@.....R...
    0060 - d9 38 fb 9f 3f fc a8 ab-b9 c9 72 20 cd 3c 75 06   .8..?.....r .<u.
    0070 - 2e b6 81 df bb e1 a6 b7-f4 bb 52 e1 8c ba 20 42   ..........R... B
    0080 - e5 db 5c 48 cd 30 d6 f2-23 24 c6 be 6c 23 09 fa   ..\H.0..#$..l#..
    0090 - 9a cf 44 78 13 e7 f6 3e-7d c1 4e e3 1f 81 08 46   ..Dx...>}.N....F
    00a0 - 49 3c 0e 80 00 d4 f5 f1-ad 95 99 9d 6f 33 e9 62   I<..........o3.b
    00b0 - b2 82 14 a2 5d 82 95 49-88 8c 54 e2 d4 64 a6 1d   ....]..I..T..d..
    00c0 - e0 0f 75 88 57 ec 9a 81-41 0c 7b 71 81 8a 93 34   ..u.W...A.{q...4

    Start Time: 1411561048
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

My apache configuration looks like:

SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/ssl/....cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/....key.pem
SSLCertificateChainFile /etc/apache2/ssl/

I also tried to use ca-bundle.pem as SSLCertificateChainFile and/or SSLCACertificateFile.
The second results in error 19 (self signed certificate in certificate chain).

How can I configure apache to deliver the "right" CA file to get around installing the CA cert on the client?

What is wrong?

Thanks for any hints.

Best Answer

You can't get around having the top-level CA certificate installed on the client; the CA certificate is required to establish the trust chain. Intermediate certificates may be supplied by the remote host (by Apache), but the top of the CA trust chain, the public CA root certificate, needs to be present on the client.

From your output it looks like your web server has a certificate issued by StartCom Ltd., a.k.a. StartSSL.

It looks like the CA bundle certificate or CA directory on the host running openssl and cURL either does not include the StartCom Ltd. CA certificate, or the CA bundle or directory isn't loaded when you run those utilities. I think that is what results in the verify error:num=20:unable to get local issuer certificate.

I don't have a pure Debian box at hand, but Ubuntu may be similar enough that /etc/ssl/certs is the directory for CA certificates. You can try whether forcing the CA file with -CAfile <filename> or -CApath /etc/ssl/certs on the openssl command line works correctly.
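The split the answer describes (the server may send the intermediates, the client must hold the root) can be reproduced offline with a throw-away CA hierarchy and `openssl verify`, which runs the same X.509 path building that s_client reports as "Verify return code". This is an added example, not part of the original question or answer, and it does not touch StartCom or Apache: the names Example Root CA, Example Intermediate CA, Unrelated Root CA and www.example.test are made up, `-CAfile` stands in for the client's CA bundle, and the `-untrusted` file stands in for what the server hands over in the handshake (Apache's SSLCertificateChainFile). The four runs at the bottom produce exactly the two error numbers from the question, 20 and 19, plus the one combination that validates.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce verify codes 20 and 19
# with a throw-away CA hierarchy. All names below are made up for the demo.
set -e

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
EMPTY_DIR="$LAB/empty-capath"   # an empty -CApath keeps the system store out of the test
mkdir "$EMPTY_DIR"

# Extensions so the CA certificates pass X509_check_ca() during path building.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$LAB/leaf.ext"

# new_csr NAME CN: private key plus CSR for one entity.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" \
        -out "$LAB/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# A root CA, an unrelated second root (a client trust store that lacks ours),
# an intermediate signed by the root, and a server certificate ("leaf")
# signed by the intermediate.
new_csr root  "Example Root CA"
new_csr other "Unrelated Root CA"
new_csr int   "Example Intermediate CA"
new_csr leaf  "www.example.test"
openssl x509 -req -in "$LAB/root.csr" -signkey "$LAB/root.key" -days 365 \
    -extfile "$LAB/ca.ext" -out "$LAB/root.pem" 2>/dev/null
openssl x509 -req -in "$LAB/other.csr" -signkey "$LAB/other.key" -days 365 \
    -extfile "$LAB/ca.ext" -out "$LAB/other.pem" 2>/dev/null
openssl x509 -req -in "$LAB/int.csr" -CA "$LAB/root.pem" -CAkey "$LAB/root.key" \
    -CAcreateserial -days 365 -extfile "$LAB/ca.ext" -out "$LAB/int.pem" 2>/dev/null
openssl x509 -req -in "$LAB/leaf.csr" -CA "$LAB/int.pem" -CAkey "$LAB/int.key" \
    -CAcreateserial -days 365 -extfile "$LAB/leaf.ext" -out "$LAB/leaf.pem" 2>/dev/null

# What a server would send if its chain file also contained the root
# (the "ca-bundle as SSLCertificateChainFile" attempt from the question).
cat "$LAB/int.pem" "$LAB/root.pem" > "$LAB/chain-with-root.pem"

# verify_result TRUSTSTORE [-untrusted FILE]
# TRUSTSTORE is the client's CA bundle (-CAfile); -untrusted is what the
# server sends. Prints "OK" or the numeric X509 verify error (20, 19, ...).
verify_result() {
    store=$1; shift
    out=$(openssl verify -CAfile "$store" -CApath "$EMPTY_DIR" "$@" "$LAB/leaf.pem" 2>&1 || true)
    case $out in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

# Same certificates throughout; only who holds which one changes.
echo "root on client, server sends intermediate:  $(verify_result "$LAB/root.pem" -untrusted "$LAB/int.pem")"              # OK
echo "root on client, server sends leaf only:     $(verify_result "$LAB/root.pem")"                                        # 20
echo "root missing on client, intermediate sent:  $(verify_result "$LAB/other.pem" -untrusted "$LAB/int.pem")"             # 20
echo "root missing on client, root sent as well:  $(verify_result "$LAB/other.pem" -untrusted "$LAB/chain-with-root.pem")" # 19
```

The second line is the server-side fix (ship the intermediate via SSLCertificateChainFile); the third and fourth lines are the client-side problem from the question, and no server configuration changes them: appending the root to the chain file only turns 20 into 19, because a self-signed certificate that arrives over the wire is never trusted on its own. Against the real host the same check is `openssl s_client -connect host:443 -CAfile /etc/ssl/certs/ca-certificates.crt` (or `-CApath /etc/ssl/certs`) and `curl --cacert /etc/ssl/certs/ca-certificates.crt https://host/`, assuming Debian's ca-certificates package is installed and contains the CA in question.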