We're trying to set up OpenWISP using a paid-for wildcard (*.ngv.com.au) SSL certificate. The certificate comes to us as a ZIP of these files:

AAACertificateServices.crt
SectigoRSADomainValidationSecureServerCA.crt
star.csr
star.key
STAR_ngv_com_au.crt
USERTrustRSAAAACA.crt

I presume STAR_ngv_com_au.crt is our certificate and the other .crt files are the chain.

However, I cannot input an acceptable certification authority into OpenWISP. When I enter our certificate and refer to the CA I've entered, OpenWISP responds

CA doesn't match, got the following error from pyOpenSSL: "unable to get local issuer certificate"

Following this advice, my best attempt at entering the certificate of the certification authority is the output of

cat STAR_ngv_com_au.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt AAACertificateServices.crt 

or

cat SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt AAACertificateServices.crt 

but each of those yields the "CA doesn't match" error, as does using each of the four .crt files individually.

What magic combination of files is required to satisfy OpenWISP/pyOpenSSL?

  • Exactly who are you paying, and for what? IINM Sectigo (now) transparency-logs everything and crt.sh doesn't show any '*.ngv.com.au' issued by Sectigo RSA DV-Server. It does show a series of 90-day certs issued by ZeroSSL ECC Domain, most recently this precert and cert. If that is the cert you are trying to use, you need this intermediate not one for Sectigo, and its parent is Usertrust ECC not Usertrust RSA. Commented Mar 20 at 6:05
  • I presume STAR_ngv_com_au.crt is our certificate and the other .crt files are the chain. If YOU open YOUR certificate, who is the issuer? It is written right there, no presumption necessary. – Greg Askew, Commented Mar 20 at 8:43
  • We paid Crazy Domains (don't judge me; not my choice). I don't see how to use those links because the only option that OpenWISP provides for CA entry is copy-paste of the -----BEGIN CERTIFICATE----- ... content. Commented Mar 20 at 22:21
  • Our issuer is Crazy Domains but none of the six files in the bundle contain that information. They contain only -----BEGIN CERTIFICATE-----, -----BEGIN PRIVATE KEY----- etc.; i.e., the first line of each of the six files is -----BEGIN something and the last line of each of the six files is -----END something. Commented Mar 20 at 22:24
  • @Greg Askew: "If YOU open YOUR certificate ..." are you saying there is some software, not just a plain text editor, with which I can open a .crt file (presumably also supplying the star.key file) and decode and view the content? Commented Mar 21 at 4:33
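Added example, not part of the question, the comments or OpenWISP itself: a small POSIX shell helper around the openssl command-line tool that does what the comments suggest, printing the subject and issuer of each .crt, ordering the chain by matching each issuer to a subject, and running the same check pyOpenSSL runs, so the "unable to get local issuer certificate" error can be reproduced and resolved before anything is pasted into OpenWISP. It assumes openssl is installed; the file names are the ones from the bundle above and the output name ca-bundle.pem is an assumption.

```shell
#!/bin/sh
# Added example (not the question's or OpenWISP's code). Requires the openssl CLI.

# Print one DN field ($1: subject or issuer) of a PEM certificate file ($2)
# in RFC 2253 form, so that an issuer string can be compared to a subject string.
dn() { openssl x509 -in "$2" -noout -"$1" -nameopt RFC2253 | sed "s/^$1=//"; }

# Answer "who is the issuer?" for every file given, without presuming anything.
describe() {
  for f in "$@"; do
    printf '%s\n  subject: %s\n  issuer:  %s\n' "$f" "$(dn subject "$f")" "$(dn issuer "$f")"
  done
}

# Walk upward from the leaf: at each step pick the candidate whose subject equals
# the current certificate's issuer, stopping at a self-signed root. Prints the
# files in order (leaf first, root last). Returns 1 when a link is missing, which
# is exactly the situation that produces the OpenWISP/pyOpenSSL error.
order_chain() {
  leaf=$1; shift
  cur=$leaf; echo "$leaf"
  while [ "$(dn subject "$cur")" != "$(dn issuer "$cur")" ]; do
    want=$(dn issuer "$cur"); next=
    for c in "$@"; do
      [ "$(dn subject "$c")" = "$want" ] && { next=$c; break; }
    done
    [ -n "$next" ] || { echo "no certificate found for issuer: $want" >&2; return 1; }
    echo "$next"; cur=$next
  done
}

# Write the CA bundle OpenWISP expects (everything above the leaf, in order) to
# ca-bundle.pem (assumed name) and verify the leaf against it; openssl verify
# reports the same X509 error text pyOpenSSL shows when a link is missing.
verify_leaf() {
  leaf=$1; shift
  files=$(order_chain "$leaf" "$@") || return 1
  printf '%s\n' "$files" | tail -n +2 | while read -r f; do cat "$f"; done > ca-bundle.pem
  openssl verify -CAfile ca-bundle.pem "$leaf"
}

# Usage with the bundle's file names:
# describe STAR_ngv_com_au.crt SectigoRSADomainValidationSecureServerCA.crt \
#   USERTrustRSAAAACA.crt AAACertificateServices.crt
# verify_leaf STAR_ngv_com_au.crt SectigoRSADomainValidationSecureServerCA.crt \
#   USERTrustRSAAAACA.crt AAACertificateServices.crt
```

If order_chain stops with "no certificate found for issuer", the named issuer is what the leaf was actually signed by, and the matching intermediate (not the files in the ZIP) is what belongs in the CA field.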
