Tuesday, June 16, 2020

NET::ERR_CERT_AUTHORITY_INVALID: how to troubleshoot with the browser and command-line utilities

When accessing the Oracle EBS login URL, the browser returned the error page below (NET::ERR_CERT_AUTHORITY_INVALID, Chrome's way of saying it could not build a path from the site certificate to a root it trusts). In this post we will see which tools can help troubleshoot this error and identify the root cause.


The first tool is the browser itself. Click the lock icon in the address bar and view the certificate, then open the certification path tab to see which authority issued it and whether the chain reaches a trusted root.



Here the certification path shows the issuing root/intermediate certificate as missing. The fix is to load the root/intermediate certificate on whatever terminates TLS for the site; in this case that is the Oracle Cloud LBaaS instance.

But then I got a reply from the LBaaS admin that the root/intermediate certs are loaded. 😏

The browser alone did not pinpoint the problem, so other tools can help.

curl -- everything looks fine with curl. 😐 A passing curl does not prove the server sends a complete chain, though: curl verifies against the local trust store (here NSS with /etc/pki/tls/certs/ca-bundle.crt, as the output shows), and a client can succeed because that store already holds the intermediate, because it cached the intermediate from an earlier connection, or because it fetched it from the leaf's Authority Information Access URL. The browser on the user's machine may have none of those.

[oracle@testserver ~]$ curl -vvv https://ebstest.oracleebs122.com
* About to connect() to ebstest.oracleebs122.com port 443 (#0)
*   Trying xxx.xx.xx.xxx...
* Connected to ebstest.oracleebs122.com (xxx.xx.xx.xxx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=ebstest.oracleebs122.com,O="Test Inc.",L=Test,ST=Test,C=XX
*       start date: May 04 19:35:17 2020 GMT
*       expire date: May 05 19:35:17 2022 GMT
*       common name: ebstest.oracleebs122.com
*       issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ebstest.oracleebs122.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 16 Jun 2020 05:42:53 GMT
< Content-Type: text/html
< Content-Length: 1253
< Connection: keep-alive
< Last-Modified: Fri, 12 Jun 2020 18:27:42 GMT
< ETag: "4e5-5a7e73b8e0380"
< Accept-Ranges: bytes
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Language: en

openssl -- openssl reports "unable to verify the first certificate" (verify return code 21). Look at the chain the server sends: certificate 0 (the leaf) is issued by GlobalSign RSA OV SSL CA 2018, but certificates 1 and 2 are the DigiCert SHA2 Secure Server CA intermediate and the DigiCert Global Root CA. The leaf's issuer appears nowhere in the chain, so the verifier cannot link the leaf to any trusted root, and that breaks the chain. 😀 We found the problem: the load balancer was configured with the wrong root/intermediate bundle (DigiCert instead of GlobalSign).

[oracle@testserver ~]$ echo | openssl s_client -servername ebstest.oracleebs122.com -connect ebstest.oracleebs122.com:443 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxx
pswKJkc4L3JRHyajP6zJw
-----END CERTIFICATE-----
subject=/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4560 bytes and written 458 bytes
---
New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxxxxxx
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : xxxxxxxxxxxxxxxxxxxx
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Start Time: 1592288126
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
[oracle@testserver ~]$

To fix it, the Oracle Cloud LBaaS instance was loaded with the correct GlobalSign root/intermediate certificates. The chain now links leaf, GlobalSign RSA OV SSL CA 2018, GlobalSign Root CA - R3, and openssl reports verify return code 0.

[oracle@testserver ~]$ echo | openssl s_client -servername ebstest.oracleebs122.com -connect ebstest.oracleebs122.com:443 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
   i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
 2 s:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
   i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxx
pswKJkc4L3JRHyajP6zJw
-----END CERTIFICATE-----
subject=/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4560 bytes and written 458 bytes
---
New, TLSv1/SSLv3, Cipher is xxxxxxxxxxxxxxxxx
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : xxxxxxxxxxxxxxxxxxxx
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Start Time: 1592288176
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
[oracle@testserver ~]$
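The check done by eye above (does each certificate's issuer match the subject of the next certificate in the served chain?) can be scripted so it works on any openssl s_client capture. The following is an added example, not code from the original post; it parses the "Certificate chain" block that s_client prints and reports the first broken link. The two embedded captures are constructed from the broken and fixed chain listings shown above, and the function name check_chain is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the chain printed by
# `openssl s_client` links, certificate by certificate, from the leaf to a root.
# Reads s_client output on stdin.
# Exit status: 0 = every link matches, 1 = broken link found,
#              2 = no "Certificate chain" block in the input.
#
# Real-world use (not run here, needs network access):
#   echo | openssl s_client -servername HOST -connect HOST:443 2>/dev/null | check_chain
check_chain() {
  awk '
    /^Certificate chain/      { inchain = 1; next }
    inchain && /^---/         { inchain = 0 }
    # " N s:<subject>" line: remember the subject under index N
    inchain && /^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0
                                if (n + 1 > count) count = n + 1 }
    # "   i:<issuer>" line that follows it: remember the issuer under the same index
    inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
    END {
      if (count == 0) { print "no certificate chain found in input"; exit 2 }
      # Cert k must be signed by cert k+1, so its i: line must equal the next s: line.
      for (k = 0; k < count - 1; k++) {
        if (iss[k] != subj[k + 1]) {
          printf "BROKEN at depth %d: issuer \"%s\" is not the subject of cert %d (\"%s\")\n", k, iss[k], k + 1, subj[k + 1]
          exit 1
        }
      }
      last = count - 1
      if (iss[last] == subj[last]) {
        printf "OK: %d certs, chain ends at self-signed root \"%s\"\n", count, subj[last]
      } else {
        printf "OK: %d certs, chain ends at \"%s\"; its issuer \"%s\" must be in the client trust store\n", count, subj[last], iss[last]
      }
      exit 0
    }'
}

# Constructed capture: the chain served before the fix (DigiCert certs behind a GlobalSign leaf).
broken_chain() {
  cat <<'EOF'
---
Certificate chain
 0 s:/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
EOF
}

# Constructed capture: the chain served after the fix (GlobalSign intermediate and root).
fixed_chain() {
  cat <<'EOF'
---
Certificate chain
 0 s:/C=XX/ST=Test/L=Test/O=Test Inc./CN=ebstest.oracleebs122.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
   i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
 2 s:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
   i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
---
Server certificate
EOF
}

# Demo over the two constructed captures: the broken one exits 1, the fixed one 0.
broken_chain | check_chain || :
fixed_chain  | check_chain || :
```

The comparison is on the raw subject/issuer strings, so it works for both the old "/C=..." form shown above and the "C = ..., O = ..." form newer OpenSSL releases print. It only checks that the served chain links; whether the last certificate is trusted is still the verifier's job, which is why the verify return code from s_client (21 before the fix, 0 after) is the second thing to read.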

I hope this helps 👍
