This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Filr does not use certificate chain

I am trying to configure Filr 5 with a certificate with chain:

Whatever I try Filr does not use the chain:

I also applied steps 7 to 9 for "Filr 1.2 and later" from https://support.microfocus.com/kb/doc.php?id=7016002

Because of the missing chain Content Editor refuses connection to this Filr.

  • Verified Answer

    +1  

    Suspect you need to start from step 3 of below article.

    Something is wrong while trying to update SSL certificate

    When Filr server will start to present chained certificate it still might not work.

    Then import all public certs from the chain into CE JVM Certificates (Trusted Certificates).

  • 0  

    cat my_ca_bundle.ca_bundle >> myserver.crt

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0  

    I had an problem with a certificate issued by Sectigo.  The issued lay in that the root certificate of the chain used SHA1, which is nowadays considered insecure and not supported by Filr.  I rebuilt the cert without that certificate (the Sectigo root is a standard trusted certificate).  However I was under the impression that it was resolved in in an update, Have you patched the environment?

  • 0 in reply to   

    These are the certs in the chain:

    openssl x509 -text -noout -in fullchain1.pem | grep -i "issuer:\|subject:\|Signature Algorithm"
           Signature Algorithm: sha256WithRSAEncryption
           Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
           Subject: C = DE, ST = Baden-W\C3\BCrttemberg, O = Hochschule Offenburg, CN = filr-test.rz.hs-offenburg.de
       Signature Algorithm: sha256WithRSAEncryption

    openssl x509 -text -noout -in fullchain2.pem | grep -i "issuer:\|subject:\|Signature Algorithm"
           Signature Algorithm: sha384WithRSAEncryption
           Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
           Subject: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
       Signature Algorithm: sha384WithRSAEncryption

    openssl x509 -text -noout -in fullchain3.pem | grep -i "issuer:\|subject:\|Signature Algorithm"
           Signature Algorithm: sha384WithRSAEncryption
           Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
           Subject: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
       Signature Algorithm: sha384WithRSAEncryption

    So there is none with SHA1. But the the strange thing with Sectigo is that it's not clear what is the root CA. On the one hand AAA Certificate Services seems to be the root. On the other hand USERTrust RSA Certification Authority is the one that is brought in browsers and also in Filr appliance:

  • 0 in reply to   

    Thanks, that helped to solve the problem. According step 3.1 I see these hashes:

    # openssl x509 -hash -noout -in cert.pem
    1e35e49c
    # openssl x509 -hash -noout -in fullchain1.pem
    1e35e49c
    # openssl x509 -issuer_hash -noout -in cert.pem
    40f874cc
    # openssl x509 -issuer_hash -noout -in fullchain1.pem
    40f874cc
    # openssl x509 -hash -noout -in fullchain2.pem
    40f874cc
    # openssl x509 -issuer_hash -noout -in fullchain2.pem
    fc5a8f99
    # openssl x509 -hash -noout -in fullchain3.pem
    fc5a8f99
    # openssl x509 -issuer_hash -noout -in fullchain3.pem
    ee64a828
    # openssl x509 -hash -noout -in usertrustrsacertifcateauthority.txt
    fc5a8f99
    # openssl x509 -issuer_hash -noout -in usertrustrsacertifcateauthority.txt
    fc5a8f99

    usertrustrsacertifcateauthority is an export from Keystore "JVM Certificates" in AAC. The hashes show that the third cert (fullchain3.pem) in the chain file (fullchain.pem) as provided from Sectigo is extraneous. The second cert (fullchain2.pem) is the one that is signed by usertrustrsacertifcateauthority.

    There is an alternative chain file (chain.pem) provided by Sectigo. This only contains 2 certs instead of 3 - but the extraneous one is still in there. The difference is that fullchain.pem also contains the signed server certificate.

    The bottom line: chain files from Sectigo are unusable, they need to be stripped.