List: openssl-users
Subject: Re: error:0B07C065:x509 certificate
From: Arnaud Launay <asl () launay ! org>
Date: 2009-03-17 10:20:38
Message-ID: 20090317102038.GA907 () launay ! org
On Mon, Mar 16, 2009 at 04:15:02PM -0400, Victor Duchovni wrote:
> > So it should be broken on debian and gentoo...
> No wonder so many of the Google hits for this error message are for Gentoo
> systems. Please file a bug report with the distribution maintainers.

Originally, it comes from Debian:

ca-certificates (20080809) unstable; urgency=low

  * New cacert.org.pem joining both CACert Class 1 and Class 3 certificates.
    This file can be used for proper certificate chaining if CACert
    server certificates are used. The old class3.pem and root.pem
    certificates are deprecated. This new file could safely serve as
    a replacement for both. (Closes: #494343)
  * This also reintroduces the old name for the CACert certificate,
    thus closing a long-standing bug about its rename to root.crt.
    (Closes: #413766)

 -- Philipp Kern <pkern@debian.org>  Sat, 09 Aug 2008 14:58:24 -0300

Just took the last Debian testing package:

citron cacert.org # ls -l
total 16
-rw-r--r-- 1 root root 4720 févr. 16 11:48 cacert.org.crt
-rw-r--r-- 1 root root 2151 févr. 16 11:48 class3.crt
-rw-r--r-- 1 root root 2569 févr. 16 11:48 root.crt

and split cacert.org.crt into two files, results:

citron cacert.org # openssl x509 -fingerprint -sha1 -noout -in cacert.org.crt
SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
citron cacert.org # openssl x509 -fingerprint -sha1 -noout -in root.crt
SHA1 Fingerprint=13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
citron cacert.org # openssl x509 -fingerprint -sha1 -noout -in cacert2.org
SHA1 Fingerprint=DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D
citron cacert.org # openssl x509 -fingerprint -sha1 -noout -in class3.crt
SHA1 Fingerprint=DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D

Seems to me they added cacert.org.crt containing the class1 and
class3 certs, but forgot to delete the older files...

Tested deleting class3.crt and root.crt --> Verify return code:
21 (unable to verify the first certificate)

Tested deleting cacert.org.crt --> works OK, no more strange message.

Back to distros bugs.

Thanks for the help with the debugging,

	Arnaud.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
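
The manual check in the message above (split the bundle, fingerprint each piece, compare with the stand-alone files) can be automated. The following is an added example, not part of the original post or of any OpenSSL or Debian tooling; the function names and the stand-in certificate bytes written by build_sample are constructed for illustration. It reports every certificate that occurs more than once across the files of a CA directory, including certificates inside multi-certificate bundles.

```python
import base64
import hashlib
import re
from collections import defaultdict
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA1 fingerprint of every certificate block in pem_text, in the
    colon-separated form printed by `openssl x509 -fingerprint -sha1`."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha1(der).hexdigest().upper()
        out.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return out

def find_duplicates(cert_dir, patterns=("*.crt", "*.pem")):
    """Map fingerprint -> ['file#position', ...] for certs present more than once."""
    seen = defaultdict(list)
    for pattern in patterns:
        for path in sorted(Path(cert_dir).glob(pattern)):
            text = path.read_text(errors="replace")
            for idx, fp in enumerate(fingerprints(text), 1):
                seen[fp].append(f"{path.name}#{idx}")
    return {fp: sorted(locs) for fp, locs in seen.items() if len(locs) > 1}

def pem_wrap(der):
    # Constructed sample data: arbitrary bytes wrapped as PEM, not real X.509.
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

def build_sample(directory):
    """Recreate the file layout from the message with constructed stand-ins."""
    d = Path(directory)
    class1 = pem_wrap(b"constructed class1 stand-in " * 8)
    class3 = pem_wrap(b"constructed class3 stand-in " * 8)
    (d / "root.crt").write_text(class1)
    (d / "class3.crt").write_text(class3)
    (d / "cacert.org.crt").write_text(class1 + class3)  # bundle of both

if __name__ == "__main__":
    import sys, tempfile
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample(target)
    for fp, locs in find_duplicates(target).items():
        print(fp, "->", ", ".join(locs))
```

Run with a directory argument to scan real files; with no argument it scans the constructed sample.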