Trouble using an SSL certificate: 'self signed certificate in certificate chain'


Solution 1

SSL verifies the validity of a host by checking the certificate of the host.

Every certificate is either:

  1. Self-Signed
  2. Signed by another certificate.

If it is signed by another certificate, it checks the certificate that signed it.

Now, at some point, to verify whether a certificate is valid or not, it has to match that certificate against a store of 'valid' certificates it has on the system (e.g. Firefox maintains its own store, Windows has its own store, etc.). If it matches some certificate in the hierarchy against the store, then it treats that certificate as valid, and therefore all certificates signed by it are valid.

However, if the certificate is self-signed and isn't in the store, then it will reject it, or warn you that it cannot verify the certificate.

If the certificate is for you to test out an application, or for a very limited scale deployment where you can ask people to add your certificate to their store, this is alright. However, if you are planning to move your application to a production site at somedomain.com, then you will probably need to buy a certificate for that domain.

Note: in either case, the self-signed certificate you have for localhost is valid only for 'localhost'; it is not valid even when it is accessed on an intranet via IP.

Solution 2

The purpose of certificates [in SSL] is to prove that the host is the one it claims to be and not a fake one. To do this, certificates are issued by certificate authorities, who [are supposed to properly] check the identity of the person or organization that requests a certificate. Consequently, a self-signed certificate doesn't reliably identify the host (even if it's localhost). So most applications report a validation error when they see a self-signed certificate in a chain of certificates. The only exception is [usually] when the certificate is explicitly added to the list of private certificates in the system - in this case it's accepted as valid.

Consequently, if you have created your self-signed certificate for test purposes on your computer, then you can add it to the trusted list. Otherwise (if you need a certificate for a public host), you will need to buy a certificate from one of the certificate authorities.

Author: user502052

Updated on June 04, 2022

Comments

  • user502052, about 2 years ago

    I am using a self-generated wildcard SSL certificate and I would like to know if the following is a problem and, if so, what I can do to fix it. The certificate is for my Ruby on Rails 3 web application running on localhost.

    I am using Mac OS running "Snow Leopard" 1.6.6. Typing the following in the Terminal:

    <my_user_name>$ openssl s_client -connect localhost.com:443
    

    I get the following:

    CONNECTED(00000003)
    depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = My Name\Surname
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
     1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
    ---
    Server certificate
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
    issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1944 bytes and written 409 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 63BE474E62950D542BCBE30F72F80C28851EE23EA15BA34AE3E3E46AB5615505
        Session-ID-ctx: 
        Master-Key: 9E8A8F7F4E824A2B251D5A28E3A133AC761BA8EDB237073973D2B1AE0AE0A31ADDADA2315F33B443B3F29D382070FC6C
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
    
        Compression: 1 (zlib compression)
        Start Time: 1298072476
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    

    The issue, maybe, is on line 3: verify error:num=19:self signed certificate in certificate chain. What does that mean? Is my certificate working for localhost.com?


    UPDATE

    In the browser I accepted my self-signed certificate (I explicitly added my certificate to the list of private certificates in the system), so even though I still get verify error:num=19:self signed certificate in certificate chain, in my application I use the following code to make HTTP requests over SSL:

    require 'uri'
    require 'net/https'
    require 'json'   # needed for JSON(...) below
    
    host = "https://<subdomain>.localhost.com"
    path = "/users/1.json"
    
    uri = URI.parse("#{host}#{path}")
    
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    # I think it is necessary here to verify connections using 'http.verify_mode = OpenSSL::SSL::VERIFY_PEER':
    # on localhost the connection will fail with that setting, but in production mode
    # (when I deploy the application) I think I MUST use 'VERIFY_PEER'
    
    http.ca_file = File.join(File.dirname("<certificate_folder>/wildcard.certificate/ca.db.certs/"), "01.pem")
    
    http.start do
      # Net::HTTP#get takes the request path, not the full URL
      response = http.get(uri.request_uri)
      @test_response = JSON(response.body)["profile"]
    end
    

    Is the connection actually going over SSL? Does 'VERIFY_PEER' mean something?
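Both answers describe the mechanism the VERIFY_PEER comment in the question is asking about: the chain is walked up to a self-signed certificate, and that certificate must be present in the trust store. The Ruby script below is an added example (not the asker's code or either answerer's): it builds a constructed self-signed CA and a wildcard server certificate in memory, reproduces verify error 19 when the CA is absent from the store, shows the same chain passing once the CA is added (which is what ca_file provides under VERIFY_PEER), and runs the hostname check that Solution 1's note about IP access refers to. The subject names, the '*.localhost.com' SAN and the IP address are all made up for the demonstration.

```ruby
require 'openssl'

# Constructed example: a self-signed CA and a wildcard server cert built in memory.
SUBJECT_BASE = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"

def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                      # X.509v3, needed for extensions
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("#{SUBJECT_BASE}/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject  # self-signed when there is no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", san, false)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert("My Test CA", CA_KEY, ca: true)
SERVER_CERT = make_cert("*.localhost.com", SERVER_KEY, issuer: CA_CERT,
                        issuer_key: CA_KEY, san: "DNS:*.localhost.com")

# What VERIFY_PEER does: build a chain from the server cert through the certs the
# server presented and require that it end in a cert from the trust store (the
# store Net::HTTP#ca_file fills). Returns [ok, error_code, error_string] as s_client prints them.
def verify_chain(leaf, presented_chain, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, presented_chain)
  [ok, store.error, store.error_string]
end

# Net::HTTP also checks that the certificate names the host that was requested;
# a wildcard DNS name matches exactly one label and never matches an IP address.
def identity_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

p verify_chain(SERVER_CERT, [CA_CERT], [])        # ok=false, error code 19 (self-signed cert in chain)
p verify_chain(SERVER_CERT, [CA_CERT], [CA_CERT]) # ok=true, error code 0 once the CA is trusted
p identity_ok?(SERVER_CERT, "www.localhost.com")  # true
p identity_ok?(SERVER_CERT, "192.168.1.10")       # false
```

The first call is the s_client situation from the question: the server sends both certificates, but the self-signed one at the top is unknown to the store, so the chain fails with code 19 regardless of what the browser has accepted.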