Cannot create cert chain: certificate signature failure

Greg Hudson ghudson at mit.edu
Sat Sep 5 02:21:21 EDT 2015


On 09/05/2015 01:57 AM, Russ Allbery wrote:
> Sep  4 22:48:34 mithrandir krb5kdc[12868]: AS_REQ (6 etypes {18 17 16 23 25 26}) 127.0.0.1: KDC_RETURN_PADATA: WELLKNOWN/ANONYMOUS at EYRIE.ORG for krbtgt/EYRIE.ORG at EYRIE.ORG, Cannot create cert chain: certificate signature failure
>
> Any idea what's going on?  This appears to be some failure inside OpenSSL,
> but it looks like absolutely no information about the error is actually
> logged anywhere?

We're logging what OpenSSL gives us from X509_verify_cert_error_string()
after X509_verify_cert() fails.  We could be doing more;
X509_STORE_CTX_get_error_depth() would give us the depth where the error
occurred in the cert chain and X509_STORE_CTX_get_current_cert() would
give us the cert that caused the failure.  In this case, I think you
would merely find out that the error occurred verifying the leaf
certificate against the CA's public key.

Looking inside OpenSSL, this error (X509_V_ERR_CERT_SIGNATURE_FAILURE)
is generated when X509_verify() fails inside internal_verify().  It does
look like X509_verify() (or rather ASN1_verify()) does something with
the OpenSSL framework to indicate what kind of error happened, but I am
not sure how our PKINIT code is supposed to pull that information out.
The man page for X509_verify_cert() only mentions
X509_STORE_CTX_get_error().

> I was previously successful issuing certs with OpenSSL directly and the
> configuration from the wiki, but I'd really rather use hxtool, which is a
> much nicer interface.  And I'm not sure why it wouldn't work, particularly
> since it was previously working just fine (with the same server software
> version, although an older MIT Kerberos client version).

It doesn't seem like the client version should have anything to do with
this failure, so I have no theories as to what changed.
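The depth and per-certificate detail mentioned above can also be obtained outside the KDC with the openssl CLI, whose verify output reports the X509_STORE_CTX error, its depth and the subject involved. This is an added example, not code from this email or from MIT krb5; it assumes openssl (1.1.1 or 3.x), od, dd and mktemp on PATH, and every file and subject name in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the email or from MIT krb5. Reproduces the
# "certificate signature failure" case with the openssl CLI, whose verify
# output includes the error depth and subject that the KDC log omits.
# Assumes openssl (1.1.1 or 3.x), od, dd and mktemp on PATH; all file names
# and subject names are constructed.

# check_chain CA_FILE CERT_FILE: what X509_verify_cert() does against the KDC's
# anchor file; prints "error N at D depth lookup: <reason>" on failure.
check_chain() {
    openssl verify -CAfile "$1" "$2"
}

# chain_error CA_FILE CERT_FILE: just the error line (empty when the chain is OK).
chain_error() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep '^error [0-9]* at' || true
}

# make_fixture DIR: constructed data -- a self-signed CA, a leaf it signed, and a
# copy of the leaf whose serial is altered after signing so that the CA's
# signature over the TBSCertificate no longer verifies (error 7).
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Example-PKINIT-CA \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=kdc.example.test \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    printf 'basicConstraints=CA:FALSE\n' > "$dir/ext.cnf"   # forces a v3 certificate
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 1 -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" 2>/dev/null || return 1
    # v3 DER with serial 1 starts 30 82 LL LL 30 82 LL LL a0 03 02 01 02 02 01 01:
    # byte 15 is the serial value. Overwrite it with 0x02: still valid DER, but
    # the signed bytes changed, so verification reports a signature failure.
    openssl x509 -in "$dir/leaf.pem" -outform DER -out "$dir/tampered.der"
    [ "$(od -An -tx1 -j 15 -N 1 "$dir/tampered.der" | tr -d ' \n')" = 01 ] ||
        { echo "unexpected DER layout, not tampering" >&2; return 1; }
    printf '\002' | dd of="$dir/tampered.der" bs=1 seek=15 conv=notrunc 2>/dev/null
    openssl x509 -in "$dir/tampered.der" -inform DER -out "$dir/tampered.pem"
}

# Demo run: the good leaf verifies, the tampered one fails at depth 0 with the
# same reason string the KDC logged.
work=$(mktemp -d) && make_fixture "$work"
check_chain "$work/ca.pem" "$work/leaf.pem"              # .../leaf.pem: OK
check_chain "$work/ca.pem" "$work/tampered.pem" || true  # error 7 at 0 depth lookup: certificate signature failure
rm -rf "$work"
```

Running check_chain against the anchor file the KDC is configured with and the certificate it was given shows, in one step, whether the failure is the leaf signature at depth 0 or something higher in the chain.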
