I've attempted to set up a certificate authority and issue a certificate from that authority (with no intermediate in between). The authority covers *.node.consul, and the certificate is underneath that at i-0c2e25880dab06f71.node.consul. However, when executing openssl verify (passing in the -CAfile option), it still seems unable to complete the lookup:
    root@i-0c2e25880dab06f71:~# openssl verify -verbose -CAfile /root/ssl-ca.crt /root/ssl-cert.pem
    /root/ssl-cert.pem: CN = i-0c2e25880dab06f71.node.consul, emailAddress = [email protected], O = Instructure, OU = Ops, C = US, ST = UT, L = SLC
    error 20 at 0 depth lookup:unable to get local issuer certificate

Reading in the certificates with:

    openssl x509 -in /root/ssl-cert.pem -text -noout

leads to the following two outputs.

For the CA:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                d3:f3:bc:d7:8f:6c:43:2f:ad:9b:6c:3e:1d:13:8e:c4
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
            Validity
                Not Before: Jan  1 16:52:31 2018 GMT
                Not After : Jan  1 16:52:31 2038 GMT
            Subject: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:1
                X509v3 Subject Alternative Name: critical
                    DNS:*.node.consul
        Signature Algorithm: sha256WithRSAEncryption

And for the certificate itself:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                d7:9b:09:48:1f:62:44:95:80:ef:b7:e4:5c:e1:c7:4b
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=*.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
            Validity
                Not Before: Jan  1 18:41:57 2018 GMT
                Not After : Jan  1 18:41:57 2021 GMT
            Subject: CN=i-02da590eb53768ddc.node.consul/[email protected], O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Subject Key Identifier:
                    AA:C7:CB:B6:22:D2:EF:05:72:89:92:DF:2E:44:6B:D5:33:00:D8:06
                X509v3 Subject Alternative Name: critical
                    DNS:i-02da590eb53768ddc.node.consul
        Signature Algorithm: sha256WithRSAEncryption

I assume this is probably due to something in the way I've generated the certificates, but I'm not really sure where to check. It's my understanding that error 20, unable to lookup local issuer certificate, happens when it can't find a particular cert in the chain. However, I'm not sure why it can't find the full info it needs.
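One check worth running against the CA dump above: its Key Usage is Digital Signature, Key Encipherment, and OpenSSL only accepts a certificate as an issuer when its keyUsage extension, if present, includes keyCertSign (a candidate without it is rejected during issuer lookup, which surfaces as error 20). The script below is an added example, not the asker's setup: it builds the *.node.consul CA twice in a temp directory with constructed 2048-bit keys (once with the key usage shown in the question, once with keyCertSign added), signs a node leaf with each, and verifies both; the function names are the example's own.

```shell
#!/bin/sh
# Added example with constructed keys in a temp dir (not the asker's files).
# Two CAs with the question's subject: one with the question's keyUsage
# (digitalSignature, keyEncipherment), one that also carries keyCertSign.
set -eu
WORK=$(mktemp -d)
CA_SUBJ="/CN=*.node.consul/O=Instructure/OU=Ops/C=US/ST=UT/L=SLC"
LEAF_CN="i-0c2e25880dab06f71.node.consul"

# make_ca NAME KEYUSAGE: self-signed CA (CA:TRUE, pathlen:1, wildcard SAN) with the given keyUsage.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$CA_SUBJ" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:1" "keyUsage=critical,$2" \
    "subjectKeyIdentifier=hash" "subjectAltName=critical,DNS:*.node.consul" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_leaf CANAME: CSR for the node, signed by that CA, CA:FALSE with the node's SAN.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$LEAF_CN/O=Instructure/OU=Ops/C=US/ST=UT/L=SLC" \
    -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" >/dev/null 2>&1
  printf '%s\n' "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth,clientAuth" "subjectAltName=critical,DNS:$LEAF_CN" \
    > "$WORK/$1-leaf.ext"
  openssl x509 -req -in "$WORK/$1-leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1-leaf.ext" \
    -out "$WORK/$1-leaf.pem" >/dev/null 2>&1
}

# verify_leaf CANAME: "ok" if openssl verify accepts the leaf with that CA as -CAfile, else "fail".
verify_leaf() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$1-leaf.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

make_ca nocertsign "digitalSignature,keyEncipherment"   # keyUsage as in the question's CA
make_ca certsign   "digitalSignature,keyCertSign,cRLSign"
make_leaf nocertsign
make_leaf certsign
echo "CA without keyCertSign: $(verify_leaf nocertsign)"   # fail (error 20)
echo "CA with keyCertSign:    $(verify_leaf certsign)"     # ok
```

Run `openssl verify -verbose` by hand on the nocertsign pair to see the same "unable to get local issuer certificate" text; the issuer DN matches, so the rejection is about the CA's key usage, not the name.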