Followed what appears to be the standard procedure to add a cert to the Linux trust, and it seems to add the cert:

$ sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

However curl and wget refuse to connect to a server with that cert, with these errors:

verify error: Unable to get local issuer certificate

Unable to locally verify the issuer's authority

(It connects if verification is disabled with curl -k, but this is not a solution.)


The certificate itself was created using this command, and is used to enable SSL on a local Gitlab instance (nginx):

$ openssl req -x509 -days 365 -newkey rsa:1024 -keyout bar.pem -nodes -out foo.crt -config openssl_conf

where openssl_conf is:

distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = XX
ST = XX
L = XXX
O = XXXX
OU = XXXX
CN = ...
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = XX.XX.X.X

1 Answer

The issue seemed to be with the openssl config file for cert generation (it looks like it hadn't been sufficiently populated). Certs created with this new config file were successfully added to the trust store with update-ca-certificates. Based on this post, it appears the key line here is basicConstraints = CA:true.

[req]
days                   = 180
serial                 = 1
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
prompt = no

[req_distinguished_name]
countryName            = XX
stateOrProvinceName    = XX
localityName           = XX
organizationName       = XXX
organizationalUnitName = XXX
commonName             = new-cert

[v3_ca]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
issuerAltName          = issuer:copy
subjectAltName = @alt_names
[alt_names]
IP.1 = X.X.XX.XX

(Same cert generation command)

$ openssl req -x509 -days 365 -newkey rsa:1024 -keyout bar.pem -nodes -out foo.crt -config openssl_conf

(Same method for adding cert to trust store)

$ sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
