48

I am stuck with a issue and trying to debug it. We purchased a Verisign certificate. When we use:

openssl> s_client -connect myweb.com:443 -showcerts

SSL Handshake never completes and at the end we see error:

Verify return code: 19 (self signed certificate in certificate chain)

It shows 3 ---BEGIN/END CERTIFICATE--- tags. Two certificates in chain are Verisign signed but one is self signed.

  1. If someone can please explain how this self-signed certificate shows up in a CA signed certificate?

  2. Is this error 19 (self signed certificate in certificate chain) benign? If not, what could be causing it?

  3. Client has the CA certificate in trusted store but there is nothing for the self-signed certificate. Do you think that could be causing problem? If yes, how do I:

    1. How can I get rid of the self-signed certificate from the chain certificate leaving behind only 2 CA signed certificates in chain?
    2. Add this self signed certificate on client trusted store?
techraf
  • 64,883
  • 27
  • 193
  • 198
curiousone
  • 601
  • 1
  • 6
  • 13
  • Thanks Brettski. I will check the intermediate certs. I would like to add more info: When client sends the above openssl command, "client hello" reaches server but we never receive "server hello" at the client. Do you expect this kind of behaviour if intermediate cert is missing? Device is a windows mobile device and server is apache web server. – curiousone Nov 05 '10 at 04:10
  • What type of server/device is the certificate loaded on? – Brettski Nov 05 '10 at 04:11
  • Can you connect via OpenSSL from other devices/computers? Which version of Windows Mobile, I have had nightmare experience with Windows mobile and security certificates. – Brettski Nov 05 '10 at 04:17
  • Try sending a blank line as input to the server: echo "" | openssl .... – Jason Harrison May 04 '15 at 17:10

5 Answers5

79

Root certificates issued by CAs are just self-signed certificates (which may in turn be used to issue intermediate CA certificates). They have not much special about them, except that they've managed to be imported by default in many browsers or OS trust anchors.

While browsers and some tools are configured to look for the trusted CA certificates (some of which may be self-signed) in location by default, as far as I'm aware the openssl command isn't.

As such, any server that presents the full chain of certificate, from its end-entity certificate (the server's certificate) to the root CA certificate (possibly with intermediate CA certificates) will have a self-signed certificate in the chain: the root CA.

openssl s_client -connect myweb.com:443 -showcerts doesn't have any particular reason to trust Verisign's root CA certificate, and because it's self-signed you'll get "self signed certificate in certificate chain".

If your system has a location with a bundle of certificates trusted by default (I think /etc/pki/tls/certs on RedHat/Fedora and /etc/ssl/certs on Ubuntu/Debian), you can configure OpenSSL to use them as trust anchors, for example like this:

openssl s_client -connect myweb.com:443 -showcerts -CApath /etc/ssl/certs
Bruno
  • 119,590
  • 31
  • 270
  • 376
  • 2
    what would the -CApath be for OS X? – Jonathan Feb 01 '12 at 21:00
  • 6
    I don't think OSX has one by default, since it relies on the Keychain for this. You could go in Keychain Access, select all the certificates in "System Roots" (except those crossed out, if any), right click and export all the items into a PEM file, then use `-CAfile` (instead of `-CApath`) to point to that file. – Bruno Feb 02 '12 at 00:10
  • 2
    @Bruno How i can get tursted certificated in windows? They are in registry. I cannot get -CAfile and -CApath – Kahn Dec 20 '13 at 13:36
  • @Jonathan : try using https://certifi.io/en/latest/ - "carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts". It provides downloadable CA bundle or a Python/Ruby/Node/Go/Erlang package. – Greg Dubicki Feb 17 '17 at 15:48
  • 4
    I still get `verify error:num=19:self signed certificate in certificate chain` – Janac Meena Jul 13 '18 at 19:11
  • I could only get -CAfile to work, not sure why -CApath would not work. – BLang Dec 11 '20 at 02:22
9

It sounds like the intermediate certificate is missing. As of April 2006, all SSL certificates issued by VeriSign require the installation of an Intermediate CA Certificate.

It could be that you don't have the entire certificate chain loaded on your server. Some businesses do not allow their computers to download additional certificates, causing a failure to complete an SSL handshake.

Here is some information on intermediate chains:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD146

Intermediate CA Certificates

Brettski
  • 19,351
  • 15
  • 74
  • 97
5

About the server can deliver to the clients the root cert or not, extracted from the RFC-5246 'The Transport Layer Security (TLS) Protocol Version 1.2' doc it says:

certificate_list
This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the
assumption that the remote end must already possess it in order to validate it in any case.

About the term 'MAY', extracted from the RFC-2119 "Best Current Practice" says:

5.MAY
This word, or the adjective "OPTIONAL", mean that an item is truly optional. One vendor may choose to include the item because a
particular marketplace requires it or because the vendor feels that
it enhances the product while another vendor may omit the same item.
An implementation which does not include a particular option MUST be
prepared to interoperate with another implementation which does
include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option
MUST be prepared to interoperate with another implementation which
does not include the option (except, of course, for the feature the
option provides.)

In conclusion, the root may be at the certification path delivered by the server in the handshake.

A practical use.
Think about, not in navigator user terms, but on a transfer tool at a server in a militarized zone with limited internet access.
The server, playing the client role at the transfer, receives all the certs path from the server.
All the certs in the chain should be checked to be trusted, root included.
The only way to check this is the root be included at the certs path in transfer time, being matched against a previously declared as 'trusted' local copy of them.

Nunser
  • 4,512
  • 8
  • 25
  • 37
garcia
  • 59
  • 1
  • 2
3

Here is a link to VeriSign's SSL Certificate Installation Checker: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1130

Enter your URL, click "Test this Web Server" and it will tell you if there are issues with your intermediate certificate authority.

Aaron
  • 55,518
  • 11
  • 116
  • 132
  • Tried that tool in Mac: safari,firefox,& chrome, as well as on Win: IE, and Firefox. It failed in all cases. POS – CarpeNoctem Feb 17 '14 at 17:53
1

When you see "Verify return code: 19 (self signed certificate in certificate chain)", then, either the servers is really trying to use a self-signed certificate (which a client is never going to be able to verify), or OpenSSL hasn't got access to the necessary root but the server is trying to provide it itself (which it shouldn't do because it's pointless - a client can never trust a server to supply the root corresponding to the server's own certificate).

Again, adding -showcerts will help you diagnose which.

Littm
  • 4,923
  • 4
  • 30
  • 38
Dev
  • 11
  • 1