Re: Cannot create cert chain: certificate signature failure

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Sep 5 02:21:42 2015

Message-ID: <55EA89E1.9090805@mit.edu>
Date: Sat, 05 Sep 2015 02:21:21 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Russ Allbery <eagle@eyrie.org>, kerberos@mit.edu
In-Reply-To: <877fo54dd6.fsf@hope.eyrie.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 09/05/2015 01:57 AM, Russ Allbery wrote:
> Sep  4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS@EYRIE.ORG for krbtgt/EYRIE.ORG@EYRIE.ORG, Cannot create cert chain: certificate signature failure
>
> Any idea what's going on?  This appears to be some failure inside OpenSSL,
> but it looks like absolutely no information about the error is actually
> logged anywhere?

We're logging what OpenSSL gives us from X509_verify_cert_error_string()
after X509_verify_cert() fails.  We could be doing more;
X509_STORE_CTX_get_error_depth() would give us the depth where the error
occurred in the cert chain and X509_STORE_CTX_get_current_cert() would
give us the cert that caused the failure.  In this case, I think you
would merely find out that the error occurred verifying the leaf
certificate against the CA's public key.

Looking inside OpenSSL, this error (X509_V_ERR_CERT_SIGNATURE_FAILURE)
is generated when X509_verify() fails inside internal_verify().  It does
look like X509_verify() (or rather ASN1_verify()) does something with
the OpenSSL framework to indicate what kind of error happened, but I am
not sure how our PKINIT code is supposed to pull that information out.
The man page for X509_verify_cert() only mentions
X509_STORE_CTX_get_error().

> I was previously successful issuing certs with OpenSSL directly and the
> configuration from the wiki, but I'd really rather use hxtool, which is a
> much nicer interface.  And I'm not sure why it wouldn't work, particularly
> since it was previously working just fine (with the same server software
> version, although an older MIT Kerberos client version).

It doesn't seem like the client version should have anything to do with
this failure, so I have no theories as to what changed.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
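The depth and offending-certificate detail that Greg says X509_STORE_CTX_get_error_depth() and X509_STORE_CTX_get_current_cert() would add can be obtained outside the KDC with the openssl CLI, whose verify command already prints both. The script below is an added example, not code from this thread or from MIT Kerberos: it builds a constructed CA and client certificate, tampers with the leaf's signature bytes to reproduce X509_V_ERR_CERT_SIGNATURE_FAILURE, and assumes a standard openssl binary with its default configuration file.

```shell
#!/bin/sh
# Added example (not MIT Kerberos code): reproduce the KDC's X509_verify_cert()
# check with the openssl CLI, which prints the error depth and the offending
# certificate's subject, the two details the KDC log line omits.
set -e

# Build a constructed test CA and a leaf it signs. RSA keys keep the
# signature in the last 256 bytes of the DER; the names are made up.
make_fixtures() {  # $1 = working directory
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=EXAMPLE.TEST PKINIT CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pkinit-client" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Flip one base64 character in the penultimate body line of a PEM cert.
# Those bytes sit inside the signature value, so the DER still parses but
# the signature no longer verifies: the condition behind error 7.
corrupt_signature() {  # $1 = input PEM, $2 = output PEM
  n=$(grep -c '' "$1")
  awk -v t="$((n - 2))" 'NR == t {
      c = substr($0, 1, 1); $0 = (c == "A" ? "B" : "A") substr($0, 2)
    } { print }' "$1" > "$2"
}

# Verify $2 against CA $1 as the KDC does, but keep the line where OpenSSL
# reports the depth and reason. Prints "OK" or "<depth>: <reason>".
verify_diag() {  # $1 = CA bundle, $2 = certificate under test
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" |
      sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/\1: \2/p' |
      head -n 1
  fi
}

workdir=$(mktemp -d)
make_fixtures "$workdir"
echo "intact leaf: $(verify_diag "$workdir/ca.pem" "$workdir/leaf.pem")"
corrupt_signature "$workdir/leaf.pem" "$workdir/bad.pem"
echo "tampered leaf: $(verify_diag "$workdir/ca.pem" "$workdir/bad.pem")"
```

Running the same `openssl verify` against the hxtool-issued certificate and the KDC's configured anchor file shows whether the failure is at depth 0 (leaf against the CA key, as Greg expects here) or further up the chain.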