Score:-1

Ubuntu Focal Root Certificate Not Found

cn flag

My company has issued its own issuing and root signing certificates. My server has an SSL cert for Apache. I put the root and 4 issuing certs in /etc/ssl/certs. Then I ran update-ca-certificates. Using Chrome, I browse to the site and I get a certificate validation error. I have performed these steps several times without error. Our PKI team confirms the certificate is valid. What else should I check?


Score:1
in flag

Chrome does not use the certificates in /etc/ssl/certs but comes with its own root CA store in Linux. So you need to import the root CA in Chrome (Manage certificates inside Settings). Same with Firefox, which also uses its own CA store not shared with Chrome.

Mike Fry avatar
cn flag
Thank you. I should have mentioned that I did import the root cert into Chrome. I have compared this with another internal site secured with the same chain and it is good. This tells me that Chrome has the correct root cert. The more I dig into this, it is leading to be a bad certificate.
Steffen Ullrich avatar
in flag
@MikeFry: check what certificate is shown in Chrome for this site and if it shows the trust chain to the CA you've imported. If the server certificate is the expected one (check subject, expiration - ideally fingerprint) and if the trust chain is shown to the expected CA then something else is wrong, like wrong time on the machine. Please check (and provide in your question) the actual error message you get in Chrome and also the details shown after following the link to advanced information.
Score:-1
cn flag

Start by checking the details of the certificate validation error. That will tell you why the validation failed. Continue your investigation from there. For example, if Chrome claims the certificate is not yet valid, check the clock settings of all involved machines. If Chrome says the issuer is not trusted, check if it has your company's root certificate installed. If there's a different reason, other checks will be relevant.

ru flag
OP indicates they already validated the cert is valid. They are using /etc/ssl/certs which is the global system store which Chrome and Firefox do not use in Linux. Which means they need to import the CA certs chain into Chrome and Firefox and that should resolve their issues (as indicated in the other answer).
Tilman avatar
cn flag
I don't think you read the question correctly. The OP indicates they put the certificate in `/etc/ssl/certs` on the *server* but the validation error is happening on the *client*, so he needs to check why the *client* claims the certificate is invalid while the *server* assures it is valid.
ru flag
If they're custom CAs as OP says ("My company has issued it's own issuing and root signing certificates") then the signing certs for the custom CA still need to be imported into Chrome and Firefox independently. That still remains a given, regardless. Custom CAs don't get automatically accepted. (I know this from experience, I have a custom CA with MULTIPLE signing and intermediate certs, and several groups I work with do too, the solution is "Import these CAs into the Chrome and Firefox stores first" - regardless of the situation.)
Tilman avatar
cn flag
Of course. But the OP also indicates it worked on previous occasions, so it is quite possible that he did that already. Therefore before jumping to conclusions he should follow proper troubleshooting procedure, starting by actually looking at the error message. Note that I already named your solution as one possible outcome. It's just not yet sure that this is really the reason, based on the information in the question.
Mike Fry avatar
cn flag
A couple of years ago when we switched over to an internal CA, I wrote a Debian package that imported all required certs into the store for Chrome and Firefox. Thank you for all the comments and suggestions. We are going to try a different CA given to us by our PKI team.
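The checks recommended in the comments above (confirm subject, expiry and fingerprint of the certificate actually presented, and confirm it chains to the CA you expect) as an added shell example that is not part of this thread. It builds a constructed throwaway PKI so it runs offline: the names `Example Internal Root`, `Unrelated Root` and `intranet.example.test` are made up for the demo. Point `verify_against` at your real server certificate and your company root (or at `/etc/ssl/certs/ca-certificates.crt`) to reproduce an "issuer not trusted" result from the command line.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a constructed throwaway
# PKI, then runs the checks the comments recommend against a certificate:
# subject/issuer/validity/fingerprint, and whether it chains to a given CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed certs

# Build a constructed root CA, a server cert signed by it, and an unrelated
# second root ("other") that the server cert must NOT verify against.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=intranet.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 30 \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# Show what the browser's certificate viewer shows: subject, issuer,
# validity window and SHA-256 fingerprint. Compare the fingerprint with
# the one Chrome displays to confirm you are looking at the expected cert.
describe_cert() {  # $1 = PEM certificate
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Exit status 0 if the certificate chains to the CA bundle, non-zero otherwise.
verify_against() {  # $1 = server cert, $2 = CA bundle (PEM)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit status 0 if the certificate has not expired at the current clock time
# (a wrong clock on the client is one of the causes the comments mention).
not_expired() {  # $1 = PEM certificate
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Pull the chain an actual server presents, for use against the real host.
# Not run in this offline demo because it needs network access.
fetch_served_chain() {  # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

make_demo_pki
describe_cert "$WORK/server.crt"
if verify_against "$WORK/server.crt" "$WORK/root.crt"; then
  echo "chains to Example Internal Root: OK"
fi
if ! verify_against "$WORK/server.crt" "$WORK/other.crt"; then
  echo "does not chain to Unrelated Root: expected failure"
fi
```

A successful `verify_against` with the system bundle only proves that `update-ca-certificates` did its job for tools that read `/etc/ssl/certs`; it says nothing about Chrome, which keeps its own NSS database. On Linux that database lives in `$HOME/.pki/nssdb`, and the `certutil` tool from `libnss3-tools` can add a root to it non-interactively (`certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Company Root" -i root.crt`), which is the same thing the Settings dialog does.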