CA certificate OK in curl but not OK in Firefox or Chrome

Hi,

We have internal certificates deployed in our Rocky Linux 8.5 templates. When we try with curl, the certificate is valid (see logs below).

But when I go to the same site with a browser, the certificate is not trusted.
Firefox : SEC_ERROR_UNKNOWN_ISSUER
Chrome: NET::ERR_CERT_AUTHORITY_INVALID

Browsers do not seem to use the CA.
I don't see them in the CA list of Firefox.
When I try to add them to the trusted CAs, I don't get the page to choose for what purpose to trust the CA, and I think the import does not happen.

It used to work before the reinstall / update of system packages; I don't know when it started to fail.

If you have anything let me know, thanks

curl -v https://tela0-d1-ap-nextc.xxx.admin/
* Trying xxx.xxx.xxx.Xxx...
* TCP_NODELAY set
* Connected to tela0-d1-ap-nextc.xxx.admin (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=MC; ST=MONACO; L=MONACO; O=xxx; OU=ADMIN; emailAddress=x.xxxxx@xxx.xx; CN=tela0-d1-ap-nextc.xxx.admin
* start date: Mar 2 15:45:14 2022 GMT
* expire date: Mar 1 15:45:14 2027 GMT
* subjectAltName: host "tela0-d1-ap-nextc.xxx.admin" matched cert's "tela0-d1-ap-nextc.xxx.admin"
* issuer: C=MC; ST=MONACO; L=MONACO; O=xxx; OU=ADMIN; CN=CA-xxx-ADMIN
* SSL certificate verify ok.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/1.1
> Host: tela0-d1-ap-nextc.xxx.admin
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 302 Found
< Server: nginx/1.19.9
< Date: Tue, 12 Apr 2022 14:37:23 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-XSS-Protection: 1; mode=block
< X-Powered-By: PHP/8.0.16
< Set-Cookie: ocklpsxc5591=d0044081a972aadf6f2ab2bddfaa9288; path=/; HttpOnly; SameSite=Lax
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=vIIcoGwJxEcDX3EqlcJjsfeifO%2FO0ZTXe3P%2BFuXI0553YL39pMYKitsdIvbheKrQUhpWQohDlyIWGjQ97h6mTcfjJ8S5VZ%2FIT3KNfZ22kqtoxJQfYJWDtv73qn2Y8ge9; path=/; HttpOnly; SameSite=Lax
< Set-Cookie: ocklpsxc5591=51e1af1a1e2aeef5821d789997d090cd; path=/; HttpOnly; SameSite=Lax
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-SEdYTXcyS3pBVFpIb2hvMFphTUgzMC8wRVYxNFI5ck81K1NWaG5ESUNWbz06VHdUOGhsTEdPUU1pOVZKZkNjNXltenVPUUNrMEY0TDkzdDNSOFJxcVhSTT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Location: http://tela0-d1-ap-nextc.xxx.admin/login
<
* Connection #0 to host tela0-d1-ap-nextc.xxx.admin left intact

Hi,

It turns out I finally found out what happens: after adding some security, my normal user does not have read rights on the certificates in /etc/pki/ca-trust/source/anchors, where the system fetches them.

After copying the CA certificates into my home dir and adding rights to them, it worked great!

Thanks

Raphaël

What security did you add?

Hi,

I followed the CIS for CentOS 8: https://www.cisecurity.org/
Some of the items include checking or limiting rights on filesystems.

The files in /etc/pki/ca-trust/source/anchors are only readable and writable by root.

Thanks

Raphael
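A small permission check for the situation described in this thread, added here as an example and not posted by Raphaël or taken from the Rocky Linux project. It assumes the mechanism implied above: the browsers load the system trust store as the logged-in user (through p11-kit on RHEL-family systems), so anchor files readable only by root are silently skipped, while curl reads the root-generated /etc/pki/tls/certs/ca-bundle.crt and stays happy. The directory path comes from the thread; the function names and the constructed fixture are mine.

```shell
#!/bin/sh
# Added example (not from the thread): list CA anchor files that a non-root
# user cannot read. Assumption: the browsers read the anchors directory as the
# logged-in user, so anchors that are only readable by root are ignored, while
# curl uses the root-generated /etc/pki/tls/certs/ca-bundle.crt instead.

ANCHOR_DIR_DEFAULT=/etc/pki/ca-trust/source/anchors

# Print the regular files under $1 that lack the "other read" bit (o+r).
# Uses only POSIX find (-perm -004), so the result is the same whether or not
# the caller happens to be root.
list_unreadable_anchors() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f ! -perm -004 | sort
}

# Return 0 if every anchor in $1 (default: the system anchors directory) is
# world-readable, 1 if at least one is not, 2 if the directory is missing.
check_anchor_perms() {
    dir=${1:-$ANCHOR_DIR_DEFAULT}
    bad=$(list_unreadable_anchors "$dir") || return $?
    if [ -n "$bad" ]; then
        echo "anchors not readable by non-root users (browsers will ignore them):" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed fixture so the script runs offline, then on
# the real directory if it exists. Public CA certificates carry no secret, so
# 0644 for the files and 0755 for the directory is the intended state; only
# private keys need tighter modes.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed' > "$tmp/corp-root.crt"; chmod 0644 "$tmp/corp-root.crt"
    printf 'constructed' > "$tmp/corp-sub.crt";  chmod 0600 "$tmp/corp-sub.crt"
    check_anchor_perms "$tmp" || echo "fix: chmod 0644 <file> && update-ca-trust"
    rm -rf "$tmp"
    [ -d "$ANCHOR_DIR_DEFAULT" ] && check_anchor_perms "$ANCHOR_DIR_DEFAULT"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` as the normal (non-root) user. Restoring 0644 on the anchor files and 0755 on the directory, then running `update-ca-trust`, keeps the hardening intent of the CIS filesystem items (the certificates are public material, so nothing is exposed) while letting the browsers see the same CA that curl already trusts.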