If you are trying to get SSL/WSS working through Crossbar.io and are using a GoDaddy G2 cert, you may be in for a surprise…

2015-04-20 13:48:06-0400 [Guest 10592] ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

To solve this problem you may need to import your root and/or trusted CA certs (if using GoDaddy, get them here and make sure you use G2) into your certs directory:

cd /etc/ssl/certs
sudo wget https://certs.godaddy.com/repository/gdig2.crt.der

If your server has been online for a long time, or you ran the commands above because you didn’t have the root or any intermediates for your cert provider, it might be worth running a quick command to update your CA certificates, as they may be outdated:

sudo update-ca-certificates

Expected output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

Also, there is a line in the Crossbar.io docs that is very important! Make sure you put any intermediates AFTER your cert’s hash in your public.pem.

The certificates must be in PEM format and must be sorted starting with the subject’s certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, but excluding the highest level (root) CA.

Append any intermediate CA certificates to the server certificate:

cat ../sub.class1.server.sha2.ca.pem >> server_cert.pem
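
A quick way to confirm the ordering described above before pointing Crossbar.io at the file. This is an added example, not from the Crossbar.io docs or the original post; the function names chain_names and check_chain_order and the script name check_chain.sh are this example's own. It compares issuer and subject names only and does not verify signatures:

```shell
#!/bin/sh
# Added example: confirm a PEM bundle is ordered subject cert -> intermediates
# with no root. Compares issuer/subject names only; signatures are not verified.

# Print one "subject<TAB>issuer" line per certificate, in file order.
chain_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Return 0 if the order is correct, 1 if not, 2 if no certificates were found.
check_chain_order() {
    names=$(chain_names "$1")
    if [ -z "$names" ]; then
        echo "no certificates found in $1" >&2
        return 2
    fi
    printf '%s\n' "$names" | awk -F '\t' '
        BEGIN { bad = 0 }
        NR > 1 && $1 != prev_issuer {
            printf "cert %d is not the issuer of cert %d\n", NR, NR - 1
            bad = 1
        }
        NR > 1 && $1 == $2 {
            printf "cert %d is a self-signed root; leave it out\n", NR
            bad = 1
        }
        { prev_issuer = $2 }
        END { exit bad }'
}

# Usage: sh check_chain.sh public.pem
if [ "$#" -gt 0 ]; then
    check_chain_order "$1"
fi
```

A zero exit status means each certificate is followed by its issuer and no self-signed root is present in the bundle.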

Here is a great link for some OpenSSL “cheat codes”, which I’ll copy below too in case your cert issuer does not offer the PEM format for download:

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates. Because of -nodes, the private key in keyStore.pem is written unencrypted.

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Test your cert, making sure you specify CApath on Ubuntu, or you will get the dreaded “verify error:num=20:unable to get local issuer certificate”, as documented here and here.

openssl s_client -connect example.com:443 -CApath /etc/ssl/certs/