[Help-gnutls] Re: Chained Certificate Woes [was: Re: Wildcard Certificate Woes]

Ben Goldsbury bgoldsbury at gleim.com
Mon May 19 17:00:29 CEST 2008


Dan,

Thanks for your help.  I was able to fix the problem with your advice.

For reference, I used the order of "my cert" -> "godaddy cert" ->
"valicert cert" (or least -> most trusted) to create my new server.crt.

I realized after the fact that my openssl s_client/s_server setup was
invalid and giving me bad data.

I owe you a box of cookies.

Thanks again.

On Mon, 2008-05-19 at 10:41 -0400, Daniel Kahn Gillmor wrote:
> On Mon 2008-05-19 10:05:04 -0400, Ben Goldsbury wrote:
> 
> > I have a valid wildcard certificate purchased from Godaddy.  This
> > certificate has the normal cert/key and an issuing certificate.  The
> > issuing certificate is actually a chain of 3 certificates.
> 
> I haven't had a chance to test this myself, but it sounds to me like
> you're having a problem with certificate chaining, not with the
> wildcard itself.  In particular, it sounds like your gnutls-cli
> instance can't complete the trust path from the offered certificate to
> one of its trusted CAs because it lacks information about the
> intermediate CAs.
> 
> > Using openssl's tools, I am able to create a valid server/client
> > relationship.
> 
> Could you post an example of openssl commands you used which
> succeeded?
> 
> I suspect what you'll need to do is to add the intermediate
> certificates to server.crt (i dunno if they should go above or below
> the host's certificate) before invoking gnutls-serv, so that they'll
> be offered to complete the trust path.
> 
> the --x509cafile option for gnutls-serv is there to verify client
> certificates, and (afaik) isn't used to select intermediate certs to
> send on during the server certificate validation phase of connection
> negotiation.
> 
> hth,
> 
>         --dkg

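The ordering the thread settled on (server certificate first, then each issuer up to the root) can be checked without a live server. The script below is an added example, not code from the thread or from the GnuTLS project: it generates a throwaway root -> intermediate -> leaf chain with openssl (all names, CNs and file names are made up), builds server.crt in that order plus a reversed copy for comparison, and then checks two things a practitioner cares about: which certificate a tool reading the file sees first (openssl x509 reads only the first PEM block), and that path validation succeeds only when the intermediate is available.

```shell
#!/bin/sh
# Added example (not from the thread): build a toy root -> intermediate -> leaf
# chain, assemble server.crt leaf-first as the thread did, and check the result.
# All names and files here are made up for illustration.
set -e

WORK=$(mktemp -d)
cd "$WORK"

gen_chain() {
    # Self-signed root CA (openssl req -x509 marks it CA:TRUE via the default config).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

    # Intermediate CA signed by the root. Without basicConstraints CA:TRUE
    # the intermediate could not be used to issue the leaf.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile inter.ext -out inter.pem 2>/dev/null

    # Wildcard end-entity certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=*.example.com" -keyout server.key -out server.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > leaf.ext
    openssl x509 -req -days 30 -in server.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Bundle order: the server's own certificate first, then its issuer, then the
# issuer's issuer ("least -> most trusted"). The first PEM block in the file is
# what a server takes as its own certificate; the rest is sent as the chain.
build_bundle() {
    cat leaf.pem inter.pem root.pem > server.crt       # correct order
    cat root.pem inter.pem leaf.pem > wrong-order.crt  # reversed, for comparison
}

# CN of the first certificate in a PEM file (openssl x509 reads only that block).
first_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# Path validation from a leaf ($1) to a trusted root ($2), optionally with a
# file of untrusted intermediates ($3). Prints OK or FAIL.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

gen_chain
build_bundle
echo "server.crt starts with:       $(first_cn server.crt)"
echo "wrong-order.crt starts with:  $(first_cn wrong-order.crt)"
echo "leaf + intermediate + root:   $(verify_chain leaf.pem root.pem inter.pem)"
echo "leaf + root only:             $(verify_chain leaf.pem root.pem '')"

# To repeat the thread's end-to-end test by hand (not run by this script):
#   gnutls-serv --x509certfile server.crt --x509keyfile server.key
#   gnutls-cli -p 5556 --x509cafile root.pem localhost
```

The "leaf + root only" case reproduces the failure dkg diagnosed: the verifier holds the root but cannot link the leaf to it because the intermediate was never offered. Including the root certificate itself in server.crt, as the thread did, does no harm, but it is not what fixes the problem; the client has to trust that root already, so the intermediate is the part that must be sent.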