On 24.07.24 00:45, William Wood wrote:
> I have tried everything I can think of, and even though I have certificates that are marked as "valid" when I look at the lock icon for an https: site, I get a verification "fail":
> CERT: Pre-verification error: self-signed certificate in certificate chain
> From everything I have read, my understanding is that every chain of certificates starts with a self-signed certificate.
> I have even queried my Windows certificate management, and the issuer of the certificate is Entrust, which is on the list of trusted issuers. Within openssl, I get the same error:
> error 18 at 0 depth lookup: self signed certificate
> There is talk of a CApath, as well as lists of trusted issuers, but I do not understand anything within the documentation for stunnel which suggests how to access this information and incorporate it in the functioning of the program.
I'm not well-versed with stunnel anymore, but I think I can help you with the general concepts here:
In order to verify a peer's certificate, software follows the chain of CA certificates that signed the previously-looked-at cert. Verification succeeds if it hits a CA cert that it has been configured to trust (its "trust anchors").
Those trust anchors do *not* need to be *Root* CAs (i.e., self-signed); e.g., the VPN server of company XYZ might want to trust client certs issued by the "VPN" sub-CA but not everything that goes back to the XYZ Root CA (or even further up if XYZ bought its PKI from a commercial CA).
However, if following the chain hits a *self-signed* CA cert, the chain necessarily *ends* there - and if that cert *still* isn't one of the trusted ones, verification fails.
Your problem looks like stunnel uses a *different* repository of trust anchors than your browser+Windows, one that does *not* contain Entrust's CA cert.
(FWIW, the *other* way a chain may fail to verify is when the verifying software doesn't have the next cert in the chain available to continue checking; that's why the peer is *usually* supposed to send the *entire* chain of its cert, minus the "top" CA cert it expects us to trust and thus already have present among the trust anchors.)
Kind regards,
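The chain-walking rules described in the reply above, as an added example that is not part of this thread (and written against Go's crypto/x509 rather than the OpenSSL stack stunnel uses): it builds a constructed root -> sub-CA -> server leaf chain and checks each combination of configured trust anchors and certs the peer sent. All names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent; a nil parent makes it self-signed (a root CA).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random serial, as real CAs use
	tpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tpl.KeyUsage = x509.KeyUsageCertSign // a CA cert must be allowed to sign other certs
	}
	if parent == nil {
		parent, parentKey = tpl, key // self-signed: issuer == subject, signed with its own key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify follows the chain from leaf through the certs the peer sent until it hits a configured
// trust anchor; an untrusted self-signed top or a missing issuer both come back as an error.
func verify(leaf *x509.Certificate, anchors, sent []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors { roots.AddCert(c) }
	for _, c := range sent { inter.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leaf.DNSNames[0]})
	return err
}

func main() {
	// Constructed three-level PKI: self-signed root -> sub-CA -> server leaf
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	sub, subKey := mkCert("Example Sub CA", true, root, rootKey)
	leaf, _ := mkCert("vpn.example.test", false, sub, subKey)
	fmt.Println("root trusted, peer sends sub-CA:        ", verify(leaf, []*x509.Certificate{root}, []*x509.Certificate{sub}))
	fmt.Println("only sub-CA trusted (non-root anchor):  ", verify(leaf, []*x509.Certificate{sub}, nil))
	fmt.Println("nothing trusted, peer sends sub-CA+root:", verify(leaf, nil, []*x509.Certificate{sub, root}))
	fmt.Println("root trusted, peer omits sub-CA:        ", verify(leaf, []*x509.Certificate{root}, nil))
}
```

Go's verifier accepts any certificate in Roots as an anchor; OpenSSL's verifier, which stunnel relies on, treats a non-self-signed cert as an anchor only when the X509_V_FLAG_PARTIAL_CHAIN verify flag is set.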