Bug 868627 - mirror.openshift.com is missing intermediate certificate
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Website
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Troy Dawson
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-10-21 10:24 UTC by Tobias Florek
Modified: 2015-05-15 01:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-11-06 18:48:19 UTC
Target Upstream Version:
Embargoed:



Description Tobias Florek 2012-10-21 10:24:12 UTC
hi,

title says it all.

> openssl s_client -showcerts -connect mirror.openshift.com:443

CONNECTED(00000003)
depth=0 serialNumber = VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR, C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc, OU = RHC Cloud Operations, CN = mirror.openshift.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR, C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc, OU = RHC Cloud Operations, CN = mirror.openshift.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR, C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc, OU = RHC Cloud Operations, CN = mirror.openshift.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=RHC Cloud Operations/CN=mirror.openshift.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
Server certificate
subject=/serialNumber=VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=RHC Cloud Operations/CN=mirror.openshift.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2063 bytes and written 370 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 72C424803516AB34C05FC22ABBE5738065F27275DCBAE3684BDA9EE20CA19038
    Session-ID-ctx: 
    Master-Key: 8024BF6062495ABAE4D173DA66A9086C20E7430500C0DD657144801C8F55D5D52795C9CD20FC30BA7E8EDE11B133FBD3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:

    Compression: 1 (zlib compression)
    Start Time: 1350815015
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
^C

Comment 1 Troy Dawson 2012-10-23 21:14:14 UTC
Yep, missed that step when installing the certificates.
Have intermediate certs, and I'm fixing it now.

Comment 2 Troy Dawson 2012-10-23 21:31:58 UTC
Fixed
=====
> openssl s_client -showcerts -connect mirror.openshift.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
verify return:1
depth=0 serialNumber = VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR, C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc, OU = RHC Cloud Operations, CN = mirror.openshift.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=RHC Cloud Operations/CN=mirror.openshift.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
...
...
...
    Compression: 1 (zlib compression)
    Start Time: 1351027768
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Comment 3 Yujie Zhang 2012-10-25 09:47:04 UTC
Tested this issue on devenv_2377, it has been fixed now, thanks.

[root@ip-10-12-181-214 ~]# openssl s_client -showcerts -connect mirror.openshift.com:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
verify return:1
depth=0 serialNumber = VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR, C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc, OU = RHC Cloud Operations, CN = mirror.openshift.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=VJ007OqVUpqL6ncl1rzkriz-yvA8kCKR/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=RHC Cloud Operations/CN=mirror.openshift.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
....
....

Compression: 1 (zlib compression)
    Start Time: 1351141069
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
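
Added example (not part of the bug report or of any Red Hat tooling): a shell function that reads `openssl s_client -showcerts` output the way the transcripts above are read by eye, and flags a server that sends only its leaf certificate. The two sample transcripts are constructed and trimmed to the lines the check reads; `chain_status` is a hypothetical name, and the parsing assumes the output layout shown on this page.

```shell
#!/usr/bin/env bash
# chain_status (hypothetical helper): read `openssl s_client -showcerts`
# output on stdin and print "<status> sent=<certs sent> code=<verify code>".
chain_status() {
  awk '
    BEGIN { code = -1 }                       # -1: no verify line seen
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }     # chain section ends at "---"
    in_chain && /^ *[0-9]+ s:/ {              # one "N s:<subject>" per cert sent
      sent++
      if (sent == 1) { sub(/^ *[0-9]+ s:/, ""); subject = $0 }
      next
    }
    in_chain && sent == 1 && /^ +i:/ { sub(/^ +i:/, ""); issuer = $0 }
    /Verify return code:/ { code = $4 }
    END {
      # incomplete-chain: only the leaf arrived, it is not self-signed, and
      # its issuer was not found locally (codes 20/21). Either the server
      # omitted its intermediate or the client trust store lacks the issuer.
      if (code == 0) { status = "ok" }
      else if (sent == 1 && issuer != subject && (code == 20 || code == 21)) {
        status = "incomplete-chain"
      }
      else { status = "verify-failed" }
      printf "%s sent=%d code=%s\n", status, sent, code
    }'
}

# Constructed sample transcripts (not captured from a real host).
BROKEN_SAMPLE='verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=host.example.test
   i:/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)'
FIXED_SAMPLE='---
Certificate chain
 0 s:/CN=host.example.test
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
    Verify return code: 0 (ok)'

printf '%s\n' "$BROKEN_SAMPLE" | chain_status   # incomplete-chain sent=1 code=21
printf '%s\n' "$FIXED_SAMPLE"  | chain_status   # ok sent=2 code=0
# Live use: openssl s_client -showcerts -connect HOST:443 </dev/null 2>/dev/null | chain_status
```

Browsers often hide this misconfiguration by reusing cached intermediates or fetching them from the AIA URL, so command-line clients and package tools are usually the first to fail on it.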

