LinuxQuestions.org
Old 03-18-2021, 07:35 AM   #1
usr345
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 208
Blog Entries: 1

Rep: Reputation: Disabled
Chromium Slackware 14.2 use system certificate authorities


My OS is Slackware 14.2. I have both Firefox and Chromium installed. Also I have the freshest ca-certificates package in the system.

For some reason when I open the same web site: https://mx.usa-ip-address.com/ in different browsers, Firefox opens it, while Chromium says that the certificate is invalid.

We have fixed the CA chain on the server (as far as we could). But it still doesn't work in Chromium. Is it a Chromium issue or our site certificate issue?

Is it using my system certificates or has its own database? Why does it work in Firefox?
 
Old 03-18-2021, 07:44 AM   #2
ctrlaltca
Member
 
Registered: May 2019
Location: Italy
Distribution: Slackware
Posts: 336

Rep: Reputation: 392
Works here on both Firefox and Chromium on slackware -current.
But trying to check the certificate chain from the console, I get a failure:
Code:
root@server:~# openssl s_client -showcerts -connect mx.usa-ip-address.com:443     
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mx.usa-ip-address.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mx.usa-ip-address.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mx.usa-ip-address.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mx.usa-ip-address.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2366 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C1CD70622E9B1DF3648BA07D3CE18BAF479C1D62E3EA62812AD8A8A3A8E38333
    Session-ID-ctx: 
    Master-Key: 863F08B12526E7A83F531CA093C8A716EE40A9DD8AC2613A4053EB3E5240346202A261544322F69BA41204AEE89EDED9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b6 c7 fa 45 c1 e7 42 3d-a7 cd 2c d5 c4 ce e3 78   ...E..B=..,....x
    0010 - 95 51 e7 e6 e4 24 d5 9c-1f 34 4c ac f6 00 b4 26   .Q...$...4L....&
    0020 - 04 b8 87 72 2a 3f 0a c2-c3 a6 5b 02 09 76 d7 5f   ...r*?....[..v._
    0030 - 6b 2e 05 e6 51 0d 64 25-39 89 b3 3e 86 0d 71 f9   k...Q.d%9..>..q.
    0040 - 39 68 02 02 9c 60 a2 0d-ff a2 2f ad 0a a5 26 b6   9h...`..../...&.
    0050 - 1e 89 7a 92 99 8b 08 40-d4 8d 1b a2 07 af e7 79   ..z....@.......y
    0060 - ae f2 21 6c 03 21 9d db-5d ce 50 96 72 c8 3e 54   ..!l.!..].P.r.>T
    0070 - eb a6 fb bf e6 12 40 57-78 9f 09 86 0f a6 fd 08   ......@Wx.......
    0080 - 78 81 92 03 cf f9 ad 84-c7 8f 4c 43 0f ae cd fc   x.........LC....
    0090 - 7b e2 b9 40 47 c5 07 34-f8 76 2c 56 0e 1a 7d cd   {..@G..4.v,V..}.
    00a0 - b1 4e b3 62 ae 70 3c 4b-7a 84 5c bc af a2 fd 21   .N.b.p<Kz.\....!
    00b0 - b6 17 d7 61 b7 07 4e f6-a1 fc 81 1e 40 63 88 47   ...a..N.....@c.G

    Start Time: 1616071227
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
I'd try to configure SSLCertificateChainFile, including all the intermediate certificates.

EDIT: probably you can find them here: https://support.sectigo.com/Com_Know...A01N000000zFRh

Last edited by ctrlaltca; 03-18-2021 at 07:46 AM.
 
Old 03-18-2021, 01:43 PM   #3
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
Originally Posted by usr345 View Post
My OS is Slackware 14.2. I have both Firefox and Chromium installed. Also I have the freshest ca-certificates package in the system.

For some reason when I open the same web site: https://mx.usa-ip-address.com/ in different browsers, Firefox opens it, while Chromium says that the certificate is invalid.

We have fixed the CA chain on the server (as far as we could). But it still doesn't work in Chromium. Is it a Chromium issue or our site certificate issue?

Is it using my system certificates or has its own database? Why does it work in Firefox?
Works fine here on Chromium 89, Slackware 14.2 64-bit. The website says "Hello". Certificate provided by "USERTrust RSA Certification Authority". Did you obtain a new certificate after your first post?
 
Old 03-18-2021, 03:30 PM   #4
usr345
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 208

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by Alien Bob View Post
Works fine here on Chromium 89, Slackware 14.2 64-bit. The website says "Hello". Certificate provided by "USERTrust RSA Certification Authority". Did you obtain a new certificate after your first post?
No, I didn't change anything. Here it says:
Quote:
Your connection is not private
Attackers might be trying to steal your information from mx.usa-ip-address.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Chromium 88 Slackware 14.2, 32 bit.
 
Old 03-18-2021, 04:33 PM   #5
usr345
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 208

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Ok, I did it! It was server side, not Slackware. I had to add intermediate certificates for the certificate authority, which were valid until 2030, and it works in Chromium now.
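
Added example (not part of any post in this thread): the "unable to get local issuer certificate" failure from post #2 and the server-side fix from post #5, reproduced offline with a throwaway root, intermediate and leaf. All names and file names are constructed; the client trusts only the test root, the way a browser trusts only the roots in its store.

```shell
#!/bin/sh
# Added example. Every name (Test Root, Test Intermediate, leaf.example.test)
# is constructed; nothing here contacts the site from the thread.

new_csr() {  # $1 = path prefix, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {  # $1 = scratch dir; builds root -> intermediate -> leaf
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test\n' > "$d/leaf.ext"
    new_csr "$d/root" "Test Root"
    new_csr "$d/int" "Test Intermediate"
    new_csr "$d/leaf" "leaf.example.test"
    # The root signs itself; it is the only certificate the client trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 30 -out "$d/root.pem" 2>/dev/null
    # The intermediate is signed by the root, the leaf by the intermediate.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -days 30 -out "$d/leaf.pem" 2>/dev/null
    # What a server can present: the leaf alone, or leaf plus intermediate.
    cp "$d/leaf.pem" "$d/served-incomplete.pem"
    cat "$d/leaf.pem" "$d/int.pem" > "$d/served-full.pem"
}

verify_served() {  # $1 = trusted root, $2 = PEM bundle as sent by the server
    # The first certificate in $2 is the one checked; the whole bundle is
    # offered as untrusted helpers, like the chain in a TLS handshake.
    openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp"
    echo "== server sends leaf only =="
    verify_served "$tmp/root.pem" "$tmp/served-incomplete.pem" || true  # expected to fail
    echo "== server sends leaf + intermediate =="
    verify_served "$tmp/root.pem" "$tmp/served-full.pem"
    rm -rf "$tmp"
}

demo
```

On a real server the counterpart of served-full.pem is the chain file handed to the web server: SSLCertificateChainFile on Apache, or from Apache 2.4.8 on, the leaf followed by its intermediates in SSLCertificateFile.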
 
  


All times are GMT -5. The time now is 12:10 AM.