When testing agoo with a LetsEncrypt certificate, openssl verification fails, because only the leaf certificate of the certificate chain was being returned by agoo; the intermediate issuer from LetsEncrypt was not being included, so openssl could not validate all the way to the root of the chain.
Note that some libraries and browsers that already have the intermediate cached may not fail verification; I saw this particular issue initially in a docker container.
The cause of the bug is pretty simple: server.c loads the certificate using SSL_CTX_use_certificate_file rather than SSL_CTX_use_certificate_chain_file; OpenSSL guidance (https://docs.openssl.org/3.3/man3/SSL_CTX_use_certificate/#notes) is now to always use SSL_CTX_use_certificate_chain_file to populate the full chain and return it in negotiation. The call will still support PEM files with just a single cert.
I've got a fork with the fix, will raise a PR momentarily.
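The failure described in this issue, reproduced offline as an added example (this is not agoo's code and not part of the issue): build a root, an intermediate and a leaf with the openssl CLI, then verify the leaf against the root with and without the intermediate available. Without it, `openssl verify` cannot build the chain, which is what a server that sends only the leaf leaves its clients to do. The `served_cert_count` function is the equivalent check against a live server and needs network access. It assumes the `openssl` command-line tool (1.1.1 or 3.x) is on PATH; the file names root.pem, int.pem, leaf.pem and fullchain.pem and the host/port arguments are mine.

```shell
#!/bin/sh
# Added example, not agoo's code: build a root -> intermediate -> leaf chain offline and
# show that the leaf verifies only when the intermediate is available to the verifier.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. File names below are placeholders.

# Number of PEM certificate blocks in a file: 1 means leaf only, 2 or more means a chain.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Create root.pem, int.pem, leaf.pem and fullchain.pem (leaf followed by intermediate) in $1.
make_chain() {
    dir="$1"
    # Self-signed root. A self-signed v3 certificate is accepted as a trust anchor by
    # openssl verify in its default (non-strict) mode without explicit basicConstraints.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate: must carry basicConstraints CA:TRUE or verify rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    # Leaf, issued by the intermediate (the certificate a server like agoo presents).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/fullchain.pem"
}

# Verify leaf $2 against trust store $1. $3 optionally supplies intermediates out of band,
# which is the role the server's handshake normally plays. Returns openssl's exit status.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Count the certificates a live server actually sends (needs network; not run offline).
# A server with the bug described in the issue prints 1 here even when the PEM file it
# was configured with contains the whole chain.
served_cert_count() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

dir=$(mktemp -d)
make_chain "$dir"
echo "certs in leaf.pem: $(count_pem_certs "$dir/leaf.pem"), in fullchain.pem: $(count_pem_certs "$dir/fullchain.pem")"
if verify_leaf "$dir/root.pem" "$dir/leaf.pem"; then
    echo "leaf alone: verified (intermediate already trusted by this store)"
else
    echo "leaf alone: FAILED, no path from leaf to root without the intermediate"
fi
verify_leaf "$dir/root.pem" "$dir/leaf.pem" "$dir/int.pem" && echo "leaf + intermediate: verified"
rm -rf "$dir"
```

Against a deployed server the two numbers to compare are `count_pem_certs` on the PEM file handed to the server and `served_cert_count` on the listening port: with a chain file loaded through SSL_CTX_use_certificate_file the first is 2 or more and the second is 1.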