acme-client, error 21 at 0 depth lookup:unable to verify the first certificate

openbsd-25
Hello, I need some help to configure my acme-client the right way.

Obtaining certificates itself works using OpenBSD -current #434 from April
1st.

I have a CAA record

$ dig -t CAA our.bio-planet.earth +short
0 issue "letsencrypt.org"

The configuration for httpd.conf and relayd.conf is taken from honk
https://cvsweb.openbsd.org/ports/www/honk/pkg/README?rev=1.4&content-type=text/x-cvsweb-markup

The acme-client.conf is taken from /etc/examples/ and the settings for
the domain are

$ tail -f /etc/acme-client.conf
domain our.bio-planet.earth {
         domain key "/etc/ssl/private/our.bio-planet.earth.key"
         domain certificate "/etc/ssl/our.bio-planet.earth.crt"
         domain full chain certificate "/etc/ssl/our.bio-planet.earth.fullchain.pem"
         sign with letsencrypt
}

The FQHN equals the domain and I don't want to use other / sub domains.
The .crt file is required for the tls keypair part in relayd.conf.

If I try to verify the certificate using

$ openssl verify our.bio.planet.earth.fullchain.pem
CN = our.bio-planet.earth
error 21 at 0 depth lookup:unable to verify the first certificate
CN = our.bio-planet.earth
error 21 at 0 depth lookup:unable to verify the first certificate
/etc/ssl/our.bio-planet.earth.fullchain.pem: verification failed: 21
(unable to verify the first certificate)

On the other hand

$ openssl verify /etc/ssl/cert.pem
cert.pem: OK

How can I fix this, as it did not work when I tried to use the certs, for
example for prosody.

Thanks and regards,


Christoph

Re: acme-client, error 21 at 0 depth lookup:unable to verify the first certificate

openbsd-25
Self solved.

On 02.04.2021 14:02, [hidden email] wrote:

Re: acme-client, error 21 at 0 depth lookup:unable to verify the first certificate

Florian Obser
https://xkcd.com/979/

On Sat, Apr 03, 2021 at 05:43:36PM +0200, [hidden email] wrote:

--
I'm not entirely sure you are real.

Re: acme-client, error 21 at 0 depth lookup:unable to verify the first certificate

openbsd-25
Yeah, like that but Google was no help.

On 03.04.2021 19:10, Florian Obser wrote:
> https://xkcd.com/979/
>

Re: acme-client, error 21 at 0 depth lookup:unable to verify the first certificate

Stuart Henderson
On 2021-04-03, [hidden email] <[hidden email]> wrote:
> Yeah, like that but Google was no help.
>
> On 03.04.2021 19:10, Florian Obser wrote:
>> https://xkcd.com/979/
>>
>
>

But if you follow-up with information about what the problem was
and how you fixed it, then it might be helpful for someone who comes
along in the future.


Re: acme-client, error 21 at 0 depth lookup:unable to verify the first certificate

openbsd-25
Hello Stuart!

Yes, you are right. I have not been here for a long time (I used another
e-mail address before), so I was not sure whether it is really interesting.

tedu uses relayd as the TLS endpoint for honk. If someone uses the default
/etc/examples/acme-client.conf with httpd only, everything works fine. If
the certs are obtained as domain.fullchain.pem and domain.key and those
paths are in the tls section of httpd.conf, all is fine.

Relayd expects a .crt file if the tls keypair option is used in relayd.conf
(relayd -n, or trying to start it, ends in errors referring to the relay
section about missing certs). So I just added the line in acme-client.conf
to obtain a certificate file too. Basically things work fine with this
configuration, but at some points I get an x509 error about a self-signed
certificate. tedu's docs are fine, I just overlooked it. BTW, tls keypair
did not require linking the IPs relayd listens on to the cert files (this
is defined as the fallback in the man page).

As this .crt file contains only a part (0) of the cert chain, I got error
21 because (1) from the cert chain is missing.

The solution is, as tedu does, to name the fullchain certificate domain.crt
or, if the default acme-client.conf above is used, to just copy
domain.fullchain.pem to domain.crt. This is only important for relayd and
tls keypair.

The attempt to verify the cert chain locally still fails with the command I
tried, but I think it is just a matter of the options used. But

openssl s_client -showcerts -connect our.bio-planet.earth:443

now reports

Verify return code: 0 (ok) instead of 21, and all is fine as the whole
cert chain is transmitted.

Another day I will look at prosody ;-) and the cert thing.

Regards,

Christoph

On 03.04.2021 22:38, Stuart Henderson wrote:
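As an added example (not code from the thread, from honk or from relayd), the script below builds a constructed three-tier chain with openssl(1), reproduces the incomplete-chain failure on a leaf-only .crt, and applies the fix described above (install the fullchain file as the .crt). The host name relay.example.test, the file names and the certificate subjects are constructed; the exact error number and wording depend on the verifier in use (the thread's LibreSSL reported 21, OpenSSL typically reports 20 here), so the script checks the verify exit status only.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain in a temp dir.
# Assumes only the openssl(1) CLI; every name and subject here is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_chain() {
    # Root CA: req -x509 marks it CA:TRUE, so it can sign the intermediate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout root.key \
        -out root.pem -subj "/CN=Constructed Test Root" 2>/dev/null
    # Intermediate CA, signed by the root.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Constructed Test Intermediate" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out int.pem 2>/dev/null
    # Leaf for the relay host (placeholder name), signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:relay.example.test\n' >leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=relay.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null
    # Mirror what acme-client writes: "domain certificate" is the leaf alone,
    # "domain full chain certificate" is the leaf followed by the intermediate.
    cp leaf.pem relay.crt
    cat leaf.pem int.pem >relay.fullchain.pem
}

# Exit 0 when the file in $1 carries a chain that reaches the constructed root.
# -untrusted takes the intermediates from the same file; a bare
# "openssl verify file" reads only the first certificate, which is why the
# fullchain file in the thread still failed to verify locally.
verify_chain() {
    openssl verify -CAfile root.pem -untrusted "$1" "$1" >/dev/null 2>&1
}

make_chain
verify_chain relay.crt || echo "relay.crt: leaf only, chain incomplete"
verify_chain relay.fullchain.pem && echo "relay.fullchain.pem: chain verifies"
# The fix from the thread: hand relayd's tls keypair the full chain as the .crt.
cp relay.fullchain.pem relay.crt
verify_chain relay.crt && echo "relay.crt: now verifies"
```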