I have been trying to set up a certificate authority and issue a certificate from that authority (with no intermediate in between). The authority covers *.node.consul, and the certificate sits beneath that at i-0c2e25880dab06f71.node.consul. However, when running openssl verify (passing the -CAfile option), it still seems unable to complete the lookup:
root@i-0c2e25880dab06f71:~# openssl verify -verbose -CAfile /root/ssl-ca.crt /root/ssl-cert.pem
/root/ssl-cert.pem: CN = i-0c2e25880dab06f71.node.consul, emailAddress = [email protected], O = Instructure, OU = Ops, C = US, ST = UT, L = SLC
error 20 at 0 depth lookup:unable to get local issuer certificate
Reading the certificates with:
openssl x509 -in /root/ssl-cert.pem -text -noout
gives the following two outputs.
For the CA:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d3:f3:bc:d7:8f:6c:43:2f:ad:9b:6c:3e:1d:13:8e:c4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Validity
Not Before: Jan 1 16:52:31 2018 GMT
Not After : Jan 1 16:52:31 2038 GMT
Subject: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:be:15:5d:e3:32:b0:58:bf:01:7b:73:c2:ad:b6:
7c:59:9f:ca:a0:6a:26:64:8b:56:83:6e:43:b6:aa:
e9:81:70:39:70:22:bd:10:a4:d8:d1:a1:a1:cb:0d:
eb:d2:5c:c3:f8:9c:d2:d9:a5:d0:48:65:bb:d1:a8:
1a:cc:a4:53:27:9a:ca:fc:23:84:e3:f7:59:97:d6:
05:35:f5:94:5e:af:aa:a8:4f:24:25:0a:8e:e1:21:
6a:35:a5:e7:da:ed:f4:50:2c:cc:ef:ac:a6:28:da:
c1:a3:ea:53:84:64:9f:2c:a0:6a:73:6a:8d:e6:7e:
03:10:dd:42:cc:89:24:13:d7:5d:14:43:e2:cc:9a:
12:ef:4b:c6:96:fb:20:88:0e:fc:6c:b3:88:ba:ed:
64:d9:f7:8f:97:e1:50:a0:ae:42:5f:4f:8e:8f:7e:
40:fd:e5:a3:f4:1d:fc:88:f0:c3:2e:d1:1d:32:fb:
95:85:00:23:ba:d3:cc:0c:65:8e:be:e0:dd:4f:5f:
22:fe:26:8d:1c:12:94:0a:d1:44:4d:0c:be:72:56:
c6:7e:be:cb:81:41:0f:20:d8:31:34:d9:4c:11:ae:
c5:12:57:35:bf:15:8c:ea:15:88:29:2d:81:c8:11:
fb:a8:13:7a:cb:eb:68:f8:32:47:98:fa:dc:86:a9:
07:4a:cf:96:0d:fd:ce:09:48:df:ac:f7:f4:57:d0:
13:d5:75:cc:3d:63:3c:26:2d:95:88:b7:f9:27:83:
2a:ff:1f:63:fd:b5:f0:e9:d3:cf:85:3b:7a:6e:0e:
56:46:70:29:1e:be:3f:02:81:81:0c:0b:d4:88:da:
7f:93:46:03:d1:0c:73:97:44:33:a3:0b:1a:a0:a6:
b5:4d:f1:95:ea:37:7f:ac:e2:71:e1:90:94:97:99:
5f:d8:84:f5:29:9e:9a:86:ff:cd:6e:7d:b0:64:2e:
a1:21:a8:4a:84:e3:6c:a9:ac:cf:62:3e:8f:fd:71:
14:c9:c1:dc:99:13:84:9a:47:9a:42:53:52:e0:72:
32:48:9d:1b:ab:ea:c4:97:24:20:a3:86:e3:d5:d5:
79:c6:bf:e1:b0:31:a7:8f:8d:bc:0b:f3:b4:ab:03:
f1:e2:68:08:e0:3a:c3:50:3e:c1:40:8b:42:ae:71:
7d:7b:24:24:34:75:df:9f:b2:75:16:63:af:7b:58:
fb:eb:0c:8e:44:a7:1b:bb:59:c9:b4:db:c1:b4:9a:
c1:b1:42:a5:4b:62:b4:84:ab:c9:b0:6e:fe:db:20:
9e:32:24:0c:3c:dd:8b:82:9a:f6:75:76:73:6f:73:
f6:34:d8:02:b7:01:7c:e2:f7:90:43:5e:d0:00:dc:
0f:4d:e1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Alternative Name: critical
DNS:*.node.consul
Signature Algorithm: sha256WithRSAEncryption
53:52:50:d2:25:01:8f:7a:fb:03:18:2f:3c:cd:d2:85:4f:d2:
4d:39:8e:e4:06:bb:fa:8d:9a:9a:ab:e0:8f:ce:bb:6f:74:49:
1d:72:fb:27:e8:0f:bb:62:40:d7:06:69:71:4f:21:39:ac:ba:
78:b5:a8:43:8c:2d:6c:87:45:8e:75:9e:a4:79:65:cb:b0:bf:
47:0c:86:7a:a8:9b:40:80:71:30:a5:fe:db:1f:f2:2e:41:85:
f2:1d:8a:31:bd:ec:6d:94:58:a5:b5:93:25:6f:b8:bd:4e:13:
7a:40:d2:e2:bc:41:e6:33:fe:22:55:bb:01:5d:7e:af:8d:62:
9b:9f:9d:c9:e8:63:4d:7a:b5:f9:13:8f:f3:45:68:a8:1f:e7:
d5:5b:cc:77:49:eb:c9:26:3d:19:50:b6:34:e8:e4:21:14:37:
aa:76:d0:e0:77:69:77:ab:6a:da:0d:e7:22:6d:23:61:5c:8b:
da:64:da:48:5a:6f:01:42:0f:c1:24:06:5c:f6:06:3c:45:3a:
37:c0:3e:0a:ee:cb:44:aa:d3:a9:74:d0:e2:77:30:d4:0a:8b:
13:73:ba:a6:a2:3b:02:f0:60:fa:6e:27:20:d1:3d:23:64:38:
4d:54:36:c5:20:04:d1:2e:68:6d:5c:30:af:ef:5a:a5:7f:a5:
06:c2:f7:51:40:ec:14:c7:1d:bc:45:7f:fe:77:02:50:aa:37:
19:9d:2c:02:74:a3:56:e5:d4:36:e9:c0:33:bc:c8:52:e2:c8:
1e:21:26:83:cb:e3:b6:72:55:df:1e:dc:48:7b:d8:1a:ca:2a:
21:4f:eb:94:9f:de:82:f8:5b:82:0d:ef:d5:e9:89:99:b4:48:
ce:d5:9e:a4:ca:3b:c9:e1:19:a5:60:ec:04:36:31:11:b0:31:
7a:22:64:9c:6e:dd:82:e4:65:96:a2:e3:aa:9c:99:ec:f5:e1:
48:84:7c:f5:38:00:cb:24:cf:5d:ed:e5:87:a9:86:c5:cb:4f:
65:6a:35:21:2e:30:cd:e6:85:84:13:e3:ff:9c:72:4d:a8:9c:
fb:63:01:eb:a8:ae:6f:84:66:b8:bd:fe:0f:c9:17:96:8d:42:
9d:8c:0c:bc:90:ab:17:19:df:6f:6a:28:fc:8c:50:6d:88:69:
31:75:6e:d7:6d:f2:f4:70:f0:64:14:c2:fc:57:dc:f3:68:57:
9d:4c:fe:94:e5:13:d7:9f:ad:ee:68:1b:df:9c:af:bb:f4:73:
83:d6:0a:54:fa:73:ec:02:f2:f2:87:35:7c:2a:58:df:20:32:
1a:c2:c2:ba:1d:4f:5f:8c:fe:3c:7e:e7:0c:80:0e:27:57:c2:
01:48:1f:58:f7:2c:f3:b7
And for the certificate itself:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d7:9b:09:48:1f:62:44:95:80:ef:b7:e4:5c:e1:c7:4b
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Validity
Not Before: Jan 1 18:41:57 2018 GMT
Not After : Jan 1 18:41:57 2021 GMT
Subject: CN=i-02da590eb53768ddc.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:aa:77:6d:61:52:be:92:78:b6:b2:82:41:93:08:
86:ba:00:e3:fc:d4:43:2e:3a:e6:49:f8:9d:dc:e5:
40:f3:18:18:ac:56:ae:a1:96:b6:ff:35:63:97:8b:
9b:a7:cc:c0:f3:7b:99:82:8e:4c:cf:d4:25:56:c2:
32:2f:35:08:5f:79:ee:ea:52:02:2b:2f:11:ac:10:
ea:18:e7:00:b6:52:ee:df:c7:01:7a:68:7e:32:1c:
63:73:77:43:99:a0:a6:13:05:26:39:e2:4d:b9:e6:
c1:58:99:02:dc:0c:99:90:1f:d4:79:9e:fe:77:99:
58:a7:a7:26:42:9e:13:34:f3:e9:c2:f2:3a:6f:72:
33:55:ad:66:89:4a:39:4b:c9:67:a8:d2:8e:80:75:
42:c9:01:9e:e7:d0:b1:7a:63:f5:6b:f1:a4:66:be:
d9:e5:e9:87:4c:2e:99:87:0f:26:1f:2c:19:25:78:
82:fe:31:e2:26:6f:de:0d:93:75:65:7f:cc:c9:a3:
24:69:db:7b:57:57:fa:49:ec:39:8c:ac:92:2f:1c:
cc:3d:e4:e2:6c:48:4b:bb:35:20:74:77:91:80:ad:
7d:9d:9f:7b:53:7c:bf:98:bb:a6:27:15:de:aa:27:
e3:8b:87:3b:35:50:ac:6d:36:ba:2b:95:b5:4b:2b:
ce:6b:84:91:e0:4d:e0:21:fd:d3:80:43:17:98:ff:
66:b8:7f:32:f9:ed:d3:25:a3:6f:b4:e9:26:56:4c:
c3:d8:2f:2f:6e:f8:9a:85:4d:a9:05:d2:f5:60:1d:
42:df:29:75:1b:2c:66:b1:a4:56:8a:0b:43:14:b8:
7d:62:4d:5a:1b:a6:a1:da:98:64:4e:e2:e2:8b:8d:
c9:57:f9:7d:58:91:12:d7:dd:7b:52:7c:00:91:bc:
ab:25:a0:63:91:8c:02:c8:8f:7e:23:80:33:95:b2:
4a:ea:f9:ee:87:1a:17:f1:85:60:ae:db:f1:d3:63:
ab:0b:d8:ab:7c:56:90:8f:f5:9a:60:25:2b:81:b5:
df:bc:f7:0d:9c:47:8a:b6:4d:2b:88:21:cf:bd:d5:
fe:1a:d7:76:19:03:06:d1:9b:67:42:f9:8f:be:27:
61:9f:a8:9c:2a:57:96:e1:a2:d8:84:7f:9f:15:bb:
b2:ae:21:92:7a:4c:42:69:10:63:da:bf:b6:eb:74:
57:13:6f:d9:c2:a9:99:09:09:b5:d6:ff:e0:c4:eb:
91:bf:4d:9e:98:3e:e3:8c:69:7a:06:01:f7:d0:75:
df:d2:6e:78:b2:39:6a:73:70:41:dd:30:f5:00:c0:
f6:70:d3:63:76:98:01:ee:52:4a:92:77:39:c5:ab:
99:33:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
AA:C7:CB:B6:22:D2:EF:05:72:89:92:DF:2E:44:6B:D5:33:00:D8:06
X509v3 Subject Alternative Name: critical
DNS:i-02da590eb53768ddc.node.consul
Signature Algorithm: sha256WithRSAEncryption
ab:dc:ad:f4:55:af:a6:ca:27:d2:7a:f6:77:b3:4f:1d:14:41:
7c:56:3a:a0:75:de:1f:0a:3c:7f:50:d0:4d:b0:1b:01:75:4c:
d0:19:c7:5d:86:c5:ac:85:10:9e:58:22:87:23:70:27:a5:75:
11:73:6f:2f:8e:f3:90:ca:51:c7:cb:75:46:59:91:3f:d3:f3:
dd:d4:60:4d:60:e1:82:a9:c6:e8:ac:3e:01:9d:4d:b8:cb:70:
90:2a:f6:58:ba:dd:44:67:e7:7e:71:70:cc:fc:5a:7e:1e:e4:
32:e4:2c:43:64:79:69:32:a4:d2:12:5a:fe:3e:e3:47:b9:3d:
8d:41:16:b5:5e:d8:bd:dd:39:e8:0a:8a:ee:7d:44:fd:98:bc:
02:79:57:d5:2d:dd:f7:14:87:f5:19:29:80:27:f4:3d:6e:0d:
0a:ce:78:fd:e1:1e:b3:7e:4b:cd:07:d7:e3:4e:50:35:56:a6:
8d:ea:3d:b3:ab:99:55:54:27:22:9d:3d:7d:93:37:b6:9d:51:
5d:f1:64:69:d9:72:de:58:e2:ec:4e:c0:0e:62:77:68:13:5e:
2d:01:7b:06:ec:8a:23:bc:6f:e5:ee:b5:1d:0b:4d:08:35:6c:
49:a4:43:24:32:99:ad:fd:34:44:24:ba:49:f7:79:28:0e:88:
cb:72:9b:ce:c4:9d:fc:e1:5f:3c:d9:f5:18:ae:e9:f4:4a:52:
72:03:cb:77:23:0d:9b:63:9a:1f:66:fe:6e:f1:78:87:85:80:
93:39:d7:59:dd:7b:4b:c5:b2:13:7b:f5:ab:78:ac:32:cf:b1:
b6:2b:08:5f:ba:46:fd:50:82:48:62:81:e6:9d:77:05:25:53:
40:c1:6d:8b:b2:89:5f:fb:6e:f9:d3:69:e7:d6:f8:7c:5e:72:
0a:19:d5:bc:ec:4f:f3:91:38:cc:88:58:f1:19:0b:08:8a:76:
45:c8:3f:30:52:ff:8c:83:01:5e:c8:f7:41:ee:38:13:db:ce:
9b:86:a3:0b:a3:3d:48:d1:03:2c:ab:6f:1c:b1:46:67:70:13:
64:99:c3:37:21:af:4d:ce:0a:28:9c:94:67:89:d4:04:5d:a2:
56:fa:e0:bb:82:5f:75:d4:a5:22:a7:57:53:dc:cb:f1:65:e3:
df:b6:66:a2:88:39:25:09:b5:84:a8:5b:a7:76:89:a1:46:7b:
16:d3:df:7f:ab:a2:41:c1:cb:0b:75:98:8c:d6:67:fd:5b:4a:
ad:50:a9:e0:af:5c:f3:28:a0:aa:80:62:f5:77:4d:17:d4:6a:
3f:2a:6a:59:47:c4:b1:88:36:f6:55:f2:32:84:6b:70:78:3a:
d2:b4:13:53:e2:1c:e8:ef
I assume this is probably due to something in the way I generated the certificates, but I'm not really sure where to check. As I understand it, error 20 (unable to get local issuer certificate) occurs when it can't find a particular certificate in the chain. However, I'm not sure why it can't find the complete information it needs.