I have tried everything I can think of, and even though I have certificates that are marked as "valid" when I look at the lock icon for an https: site, I get a verification "fail":
CERT: Pre-verification error: self-signed certificate in certificate chain
From everything I have read, my understanding is that every chain of certificates starts with a self-signed certificate.
I have even queried my Windows certificate management, and the issuer of the certificate is Entrust, which is on the list of trusted issuers. Within openssl, I get the same error:
error 18 at 0 depth lookup: self signed certificate
There is talk of a CApath, as well as lists of trusted issuers, but I do not understand anything within the documentation for stunnel which suggests how to access this information and incorporate it in the functioning of the program. Any help would be much appreciated! Thanks in advance. -William Wood
On 24.07.24 00:45, William Wood wrote:
> I have tried everything I can think of, and even though I have certificates that are marked as "valid" when I look at the lock icon for an https: site, I get a verification "fail":
> CERT: Pre-verification error: self-signed certificate in certificate chain
> From everything I have read, my understanding is that every chain of certificates starts with a self-signed certificate.
> I have even queried my Windows certificate management, and the issuer of the certificate is Entrust, which is on the list of trusted issuers. Within openssl, I get the same error:
> error 18 at 0 depth lookup: self signed certificate
> There is talk of a CApath, as well as lists of trusted issuers, but I do not understand anything within the documentation for stunnel which suggests how to access this information and incorporate it in the functioning of the program.
I'm not well-versed with stunnel anymore, but I think I can help you with the general concepts here:
In order to verify a peer's certificate, software follows the chain of CA (certificate)s that signed the previously-looked-at cert. Verification succeeds if it hits a CA cert that it has been configured to trust (its "trust anchors").
Those trust anchors do *not* need to be *Root* CAs (i.e., self-signed); e.g., the VPN server of company XYZ might want to trust client certs issued by the "VPN" sub-CA but not everything that goes back to the XYZ Root CA (or even further up if XYZ bought its PKI from a commercial CA).
However, if following the chain hits a *self-signed* CA cert, the chain necessarily *ends* there - and if that cert *still* isn't one of the trusted ones, verification fails.
Your problem looks like stunnel uses a *different* repository of trust anchors than your browser+Windows, one that does *not* contain Entrust's CA cert.
(FWIW, the *other* way a chain may fail to verify is when the verifying software doesn't have the next cert in the chain available to continue checking; that's why the peer is *usually* supposed to send the *entire* chain of its cert, minus the "top" CA cert it expects us to trust and thus already have present among the trust anchors.)
Kind regards,
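The chain-building rules described in the reply above can be reproduced on the command line with `openssl verify`. The script below is an added example, not code from either poster or from the stunnel project: it constructs a throwaway three-tier chain (a self-signed "Demo Root CA", a "Demo VPN Sub-CA", and a leaf for the made-up host `vpn.example.test`) plus an unrelated "Other Root CA", then verifies the leaf under different trust-anchor configurations. It assumes only the `openssl` CLI (1.1.0 or later) and writes everything to a temporary directory; all names and files are constructed for the demo. The six cases map onto the reply's points: a root as trust anchor with the intermediate supplied by the peer (success); a non-root sub-CA as trust anchor, which OpenSSL accepts only with `-partial_chain`; the peer omitting the intermediate (chain cannot be continued, error 20); the chain reaching a self-signed root that is not among the trust anchors (error 19, the "self-signed certificate in certificate chain" message); and, for contrast, a certificate that is itself self-signed and untrusted at depth 0 (error 18).

```shell
#!/bin/sh
# Added demo (not from the thread): constructed chain
#   Demo Root CA (self-signed) -> Demo VPN Sub-CA -> vpn.example.test (leaf)
# plus an unrelated "Other Root CA", verified under several trust-anchor setups.
# Requires the openssl CLI (1.1.0+). Everything is written to a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for CA certs and the leaf (constructed for this demo).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' > leaf.ext

# csr NAME SUBJECT: fresh RSA key plus CSR.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}

build_chain() {
  csr root  "/CN=Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
  csr other "/CN=Other Root CA"
  openssl x509 -req -in other.csr -signkey other.key -days 30 -extfile ca.ext \
    -out other.crt >/dev/null 2>&1
  csr int   "/CN=Demo VPN Sub-CA"
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.crt >/dev/null 2>&1
  csr leaf  "/CN=vpn.example.test"
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
  # What a well-behaved peer sends alongside its cert: intermediates, minus the root.
  cat int.crt > sent_chain.crt
  # What a peer might send instead: intermediates *and* its self-signed root.
  cat int.crt root.crt > sent_chain_with_root.crt
}

# verify_result ARGS...: runs `openssl verify ARGS...` and prints "OK" or
# "error <code> depth <n>", taken from OpenSSL's "error N at D depth lookup" line.
# Matching on the numeric code keeps the result stable across OpenSSL versions,
# whose wording differs ("self signed" vs "self-signed").
verify_result() {
  out=$(openssl verify "$@" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup:.*/error \1 depth \2/p' \
         | head -n 1 ;;
  esac
}

build_chain

# 1. Trust anchor = root; peer sent the intermediate: the normal success case.
case_full_chain()      { verify_result -CAfile root.crt -untrusted sent_chain.crt leaf.crt; }
# 2. Trust anchor = the sub-CA only. A non-root anchor works, but OpenSSL must be
#    told to stop there with -partial_chain ...
case_subca_partial()   { verify_result -CAfile int.crt -partial_chain leaf.crt; }
# 3. ... without it, the walk continues and the sub-CA's issuer is missing (error 2).
case_subca_strict()    { verify_result -CAfile int.crt leaf.crt; }
# 4. Peer omitted the intermediate: the chain cannot be continued (error 20).
case_missing_int()     { verify_result -CAfile root.crt leaf.crt; }
# 5. Chain ends at the self-signed Demo root, but only "Other Root CA" is trusted:
#    an untrusted self-signed cert further up the chain (error 19, depth 2).
case_wrong_anchor()    { verify_result -CAfile other.crt -untrusted sent_chain_with_root.crt leaf.crt; }
# 6. The cert being checked is itself self-signed and untrusted (error 18, depth 0).
case_leaf_selfsigned() { verify_result -CAfile other.crt root.crt; }

for c in case_full_chain case_subca_partial case_subca_strict \
         case_missing_int case_wrong_anchor case_leaf_selfsigned; do
  printf '%-22s %s\n' "$c" "$("$c")"
done
```

Cases 4 and 5 are the two failure modes the reply distinguishes: in case 4 the verifier has a trust anchor but cannot reach it because the peer did not supply the intermediate; in case 5 the full chain is available but its top is a self-signed root that is absent from the trust anchors handed to `openssl verify` via `-CAfile`. Swapping `-CAfile other.crt` for `-CAfile root.crt` in case 5 turns the error into `OK`, which is the same fix as pointing a verifier at a CA store that actually contains the issuer's root.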