Cannot create cert chain: certificate signature failure
Greg Hudson
ghudson at mit.edu
Sat Sep 5 02:21:21 EDT 2015
On 09/05/2015 01:57 AM, Russ Allbery wrote:
> Sep 4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at EYRIE.ORG for krbtgt/EYRIE.ORG at EYRIE.ORG, Cannot create cert chain: certificate signature failure
>
> Any idea what's going on? This appears to be some failure inside OpenSSL,
> but it looks like absolutely no information about the error is actually
> logged anywhere?
We're logging what OpenSSL gives us from X509_verify_cert_error_string()
after X509_verify_cert() fails. We could be doing more;
X509_STORE_CTX_get_error_depth() would give us the depth where the error
occured in the cert chain and X509_STORE_CTX_get_current_cert() would
give us the cert that caused the failure. In this case, I think you
would merely find out that the error occurred verifying the leaf
certificate against the CA's public key.
Looking inside OpenSSL, this error (X509_V_ERR_CERT_SIGNATURE_FAILURE)
is generated when X509_verify() fails inside internal_verify(). It does
look like X509_verify() (or rather ASN1_verify()) does something with
the OpenSSL framework to indicate what kind of error happened, but I am
not sure how our PKINIT code is supposed to pull that information out.
The man page for X509_verify_cert() only mentions
X509_STORE_CTX_get_error().
> I was previously successful issuing certs with OpenSSL directly and the
> configuration from the wiki, but I'd really rather use hxtool, which is a
> much nicer interface. And I'm not sure why it wouldn't work, particularly
> since it was previously working just fine (with the same server software
> version, although an older MIT Kerberos client version).
It doesn't seem like the client version should have anything to do with
this failure, so I have no theories as to what changed.
More information about the Kerberos
mailing list