Root CA let's encrypt and SSL inspection [message #150362]
Tue, 12 October 2021 08:07
kimiko1086
Messages: 9 Registered: March 2018
Good morning,
For about 2 weeks, many Kerio Control customers with SSL inspection have complained that many websites they use are detected as unsafe. I'll give you an example:
https://www.mio-ip.it/
The problem seems to be created by the expired Let's Encrypt root certificate present in Kerio Control. I tried to upload the new certificate, but the problem persists. Do you have any ideas?
Thank you
Re: Root CA let's encrypt and SSL inspection [message #150389 is a reply to message #150362]
Tue, 19 October 2021 18:13
Pavel Sevcik
Messages: 3 Registered: September 2015
Hello,
having exactly the same problem. I succeeded via SSH in uploading Root CAs (by renaming the PEM to CRT, because the folder /opt/kerio/winroute/sslcert/builtin/ accepts only CRT files in PEM format) = succeeded in adding certificates (both R3 and ISRG Root X1) ... but still there is some problem which seems to be blocking it from working ... see DEBUG log below ... please let me know if you have any ideas ... when I manually checked the certificate from root.cz it matches the SHA-1 8e0e08eb703dd7e05772a3decb671adacb5d48d6, which the debug log below says is not valid. For me this is not about a missing CA certificate (as I do have them), but about the way Kerio Control is verifying the SHA-1 in the certificate chain? ... maybe LetsEncrypt changed something? For other commercial SSL certificates this works fine (DigiCert and all others) ... having problems just with the recently introduced new certificates from LetsEncrypt ...
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Going to verify identity of peer's server root.cz.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Checking certificate chain root.cz | R3 | ISRG Root X1
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Building own X509 store context ...
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Failed to verify SSL certificate: (19) self signed certificate in certificate chain
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Searching for alternative issuer
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Let's Encrypt/CN=R3' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] No new issuer found, skipping...
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: 2 certificates on disk.
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: serialized. Cache size: 2
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL certificate with 8e0e08eb703dd7e05772a3decb671adacb5d48d6 SHA-1 fingerprint from server is not valid.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Created certificate with CN and SubjAltNames, but without other requisites.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL handshake state changed from ServerHandshakeStarted to ServerError
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Error in SSL communication (5).
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL handshake with server root.cz failed.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL handshake state changed from ServerError to ClientHandshakeContinueError
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL context swapped successfully
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Cipher selected by server: ECDHE-RSA-AES128-GCM-SHA256.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Going to verify identity of peer's server root.cz.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Checking certificate chain root.cz | R3 | ISRG Root X1
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Building own X509 store context ...
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Failed to verify SSL certificate: (19) self signed certificate in certificate chain
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Searching for alternative issuer
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Issuer '/C=US/O=Let's Encrypt/CN=R3' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] No new issuer found, skipping...
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: 2 certificates on disk.
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: serialized. Cache size: 2
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL certificate with 8e0e08eb703dd7e05772a3decb671adacb5d48d6 SHA-1 fingerprint from server is not valid.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Created certificate with CN and SubjAltNames, but without other requisites.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL handshake state changed from ServerHandshakeStarted to ServerError
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Error in SSL communication (5).
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL handshake with server root.cz failed.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL handshake state changed from ServerError to ClientHandshakeContinueError
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL context swapped successfully
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Cipher selected by server: ECDHE-RSA-AES128-GCM-SHA256.
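A small triage script for debug output of the kind pasted above, added here as an example; it is not Kerio's code and the log lines it carries are a constructed sample taken from this thread (connections 77 and 76) plus one invented clean connection for example.com. It groups the {http_handler} lines by the per-connection id, pulls out the host, the chain that was checked, the OpenSSL verify error and the fingerprint the proxy rejected, and then counts failures per destination and reason, so a flood of "not valid" entries can be reduced to the handful of chains actually involved.

```python
"""Triage Kerio Control {http_handler} TLS-inspection debug lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the root.cz lines come from the thread, the example.com
# connection (id 78) is invented to show a chain that verified cleanly.
SAMPLE_LOG = """\
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Going to verify identity of peer's server root.cz.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Checking certificate chain root.cz | R3 | ISRG Root X1
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Failed to verify SSL certificate: (19) self signed certificate in certificate chain
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Searching for alternative issuer
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Let's Encrypt/CN=R3' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: 2 certificates on disk.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL certificate with 8e0e08eb703dd7e05772a3decb671adacb5d48d6 SHA-1 fingerprint from server is not valid.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL handshake with server root.cz failed.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Going to verify identity of peer's server root.cz.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Checking certificate chain root.cz | R3 | ISRG Root X1
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Failed to verify SSL certificate: (19) self signed certificate in certificate chain
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL certificate with 8e0e08eb703dd7e05772a3decb671adacb5d48d6 SHA-1 fingerprint from server is not valid.
[18/Oct/2021 20:35:24] {http_handler} [ 78 ] Going to verify identity of peer's server example.com.
[18/Oct/2021 20:35:24] {http_handler} [ 78 ] Checking certificate chain example.com | Example Intermediate CA | Example Root CA
""".splitlines()

# Line shape: [timestamp] {http_handler} [ <conn> ] <message>; cache lines have no id.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \{http_handler\} \[ (?P<conn>\d+) \] (?P<msg>.*)$")
PEER_RE = re.compile(r"Going to verify identity of peer's server (?P<host>\S+)\.$")
CHAIN_RE = re.compile(r"Checking certificate chain (?P<chain>.+)$")
VERIFY_FAIL_RE = re.compile(r"Failed to verify SSL certificate: \((?P<code>\d+)\) (?P<reason>.+)$")
ISSUER_RE = re.compile(r"Issuer '(?P<dn>.+)' found in between user/builtin certificates\.$")
FP_RE = re.compile(r"SSL certificate with (?P<fp>[0-9a-f]{40}) SHA-1 fingerprint from server is not valid\.$")


@dataclass
class Verification:
    """Everything the log tells us about one server-side verification attempt."""
    conn: str
    host: Optional[str] = None
    chain: List[str] = field(default_factory=list)
    issuers_found: List[str] = field(default_factory=list)  # issuers located in the proxy's store
    error_code: Optional[int] = None       # OpenSSL X509_V_ERR_* number, e.g. 19
    error_reason: Optional[str] = None
    rejected_sha1: Optional[str] = None    # leaf fingerprint the proxy refused

    @property
    def failed(self) -> bool:
        return self.error_code is not None or self.rejected_sha1 is not None


def parse_log(lines) -> Dict[str, Verification]:
    """Group lines by connection id and extract the verification facts."""
    by_conn: Dict[str, Verification] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        v = by_conn.setdefault(m["conn"], Verification(conn=m["conn"]))
        msg = m["msg"]
        if (p := PEER_RE.match(msg)):
            v.host = p["host"]
        elif (c := CHAIN_RE.match(msg)):
            v.chain = [x.strip() for x in c["chain"].split("|")]
        elif (f := VERIFY_FAIL_RE.match(msg)):
            v.error_code, v.error_reason = int(f["code"]), f["reason"]
        elif (i := ISSUER_RE.match(msg)):
            if i["dn"] not in v.issuers_found:   # the log repeats issuers after the retry
                v.issuers_found.append(i["dn"])
        elif (fp := FP_RE.match(msg)):
            v.rejected_sha1 = fp["fp"]
    return by_conn


def summarize(by_conn: Dict[str, Verification]) -> Dict[Tuple[Optional[str], Optional[str]], dict]:
    """Count failures per (host, reason) and collect the chains and fingerprints seen."""
    summary: Dict[Tuple[Optional[str], Optional[str]], dict] = {}
    for v in by_conn.values():
        if not v.failed:
            continue
        entry = summary.setdefault((v.host, v.error_reason),
                                   {"count": 0, "chains": set(), "fingerprints": set()})
        entry["count"] += 1
        entry["chains"].add(tuple(v.chain))
        if v.rejected_sha1:
            entry["fingerprints"].add(v.rejected_sha1)
    return summary


if __name__ == "__main__":
    for (host, reason), e in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {e['count']}x '{reason}'; chains={sorted(e['chains'])}; sha1={sorted(e['fingerprints'])}")
```

Error 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the proxy could build the chain up to a self-signed certificate, but that certificate was not found as a trusted root in the store it verifies against. That is consistent with the poster's observation that the leaf fingerprint is fine; the problem is on the trust-store side, not in the served certificate.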
Re: Root CA let's encrypt and SSL inspection [message #150833 is a reply to message #150828]
Thu, 13 January 2022 13:39
kimiko1086
Messages: 9 Registered: March 2018
To resolve the issue, kindly update the CA certificates on the Kerio Control side by following the below steps:
Download the attached ca_bundle.tgz file (or from this link). You can extract the content and verify that it is just PEM .crt files in the mozilla folder and symbolic links in the hashed folder.
Access Kerio Control's shell using SSH and execute mount -o rw,remount / via SSH.
Then upload the ca_bundle.tgz file via SFTP (FTP over SSH) to the /tmp folder.
Execute the following lines by copy-pasting them into an SSH terminal:
cd /tmp
rm /var/winroute/sslcert/hashed/*
rm /usr/share/ca-certificates/mozilla/*.crt
mount -o rw,remount /
tar -xvf ca_bundle.tgz
mv mozilla/*.crt /usr/share/ca-certificates/mozilla/
mv hashed/*.0 /var/winroute/sslcert/hashed/
rm -rf mozilla hashed
rm ca_bundle.tgz
/etc/boxinit.d/60winroute restart
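The post says to extract the bundle and verify that it contains only PEM .crt files under mozilla/ and symlinks under hashed/; the script below, added here as an example and not Kerio's tooling, does that check before anything is moved into place, inspecting the archive in memory rather than extracting it. It assumes the layout the fix describes: regular files mozilla/<name>.crt, and symlinks hashed/<subject-hash>.<n> whose targets point into /usr/share/ca-certificates/mozilla/ (the path the fix moves the .crt files to) or the relative ../mozilla/. That target check is an assumption about the bundle's links; adjust ALLOWED_LINK_DIRS if the bundle uses a different form. It also rejects members with absolute or parent-traversing paths, the usual tar pitfall with a downloaded archive, and can compare the bundle against a SHA-256 you obtained out of band (the page gives none, so the call site uses a placeholder). The sample bundle and its certificate body are constructed for the test; only PEM framing is checked, since fully parsing a certificate would need a library beyond the standard one.

```python
"""Pre-install sanity check for a ca_bundle.tgz in the mozilla/ + hashed/ layout (added example)."""
import hashlib
import io
import re
import tarfile
from typing import List, Optional, Tuple

CRT_RE = re.compile(r"^mozilla/[A-Za-z0-9_.\-]+\.crt$")
HASH_RE = re.compile(r"^hashed/[0-9a-f]{8}\.\d+$")       # OpenSSL <subject_hash>.<n> naming
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"
MAX_CERT_BYTES = 1 << 20                                  # no CA cert is anywhere near 1 MiB
# Assumed link targets: the install path from the fix, or a relative link into mozilla/.
ALLOWED_LINK_DIRS = {"/usr/share/ca-certificates/mozilla", "../mozilla"}

# Constructed, not a real certificate: only the PEM framing is exercised.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructedSampleBodyNotARealCert==\n-----END CERTIFICATE-----\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_bundle(data: bytes, expected_sha256: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the bundle looks as advertised."""
    problems: List[str] = []
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        problems.append(f"sha256 mismatch: {sha256_hex(data)}")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as e:
        return problems + [f"not a readable tar archive: {e}"]
    crt_names = set()
    links: List[Tuple[str, str]] = []
    with tar:
        for m in tar.getmembers():
            name = m.name
            if name.startswith("/") or ".." in name.split("/"):
                problems.append(f"unsafe path: {name}")
                continue
            if m.isdir():
                if name.rstrip("/") not in ("mozilla", "hashed"):
                    problems.append(f"unexpected directory: {name}")
                continue
            if m.isreg() and CRT_RE.match(name):
                if m.size > MAX_CERT_BYTES:
                    problems.append(f"oversized certificate file: {name}")
                    continue
                body = tar.extractfile(m).read()
                if not (body.lstrip().startswith(PEM_BEGIN) and PEM_END in body):
                    problems.append(f"not a PEM certificate: {name}")
                crt_names.add(name.split("/", 1)[1])
            elif m.issym() and HASH_RE.match(name):
                links.append((name, m.linkname))
            else:
                problems.append(f"unexpected member: {name} (type {m.type!r})")
    # Every hashed/ link must resolve to a certificate that ships in this same bundle.
    for name, target in links:
        link_dir, _, base = target.rpartition("/")
        if link_dir not in ALLOWED_LINK_DIRS or base not in crt_names:
            problems.append(f"dangling or out-of-tree symlink: {name} -> {target}")
    return problems


def build_sample_bundle(cert_pem: bytes,
                        link_target: str = "/usr/share/ca-certificates/mozilla/Example_Root.crt",
                        extra_member: Optional[Tuple[str, bytes]] = None) -> bytes:
    """Constructed in-memory bundle in the expected layout (test data only).

    extra_member is an optional (name, bytes) pair used to simulate a tampered archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for d in ("mozilla", "hashed"):
            ti = tarfile.TarInfo(d)
            ti.type, ti.mode = tarfile.DIRTYPE, 0o755
            tar.addfile(ti)
        ti = tarfile.TarInfo("mozilla/Example_Root.crt")
        ti.size = len(cert_pem)
        tar.addfile(ti, io.BytesIO(cert_pem))
        ln = tarfile.TarInfo("hashed/deadbeef.0")   # "deadbeef" is a made-up subject hash
        ln.type, ln.linkname = tarfile.SYMTYPE, link_target
        tar.addfile(ln)
        if extra_member is not None:
            name, body = extra_member
            ti = tarfile.TarInfo(name)
            ti.size = len(body)
            tar.addfile(ti, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    bundle = build_sample_bundle(SAMPLE_PEM)
    print("sha256:", sha256_hex(bundle))
    # Replace the placeholder with the hash published alongside the real bundle, if any.
    print("problems:", check_bundle(bundle, expected_sha256="<PLACEHOLDER_SHA256>") or "none")
```

To use it on a real download, read the file into bytes and call check_bundle; only proceed with the rm/mv steps when the list is empty. The symlink check matters because OpenSSL-style CApath lookups find a root by the <subject_hash>.<n> filename, so a bundle whose hashed/ links point at the wrong place leaves the root present on disk yet invisible to the verifier.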