Bug#752272: Last certificate not self-signed

Jo Drexl jo.drexl at poly-tick.de
Sun Jun 22 18:07:35 UTC 2014


Hi,
OK, I'm not really understanding why this fails (since I give the
CA cert as well as the certificate to verify in both cases), but either
way it doesn't matter. My point, that all certificates based on a
self-signed CA certificate cease working with libvirt with the testing
package, is still valid, and I'd consider it a bug, whether or not I used
the wrong command to try to give you guys clues.

BR
Jo 

On Sunday, 22 June 2014 at 19:54 +0200, Andreas Metzler wrote:

> On 2014-06-22 Jo Drexl <jo.drexl at poly-tick.de> wrote:
> > On Sunday, 22 June 2014 at 08:22 +0200, Andreas Metzler wrote:
> 
> >> On 2014-06-22 Jo Drexl <jo.drexl at poly-tick.de> wrote:
> >>> After installing the stable package and rerunning 'certtool -e
> >>> --load-ca-certificate cacert.pem --infile servercert.pem', the outcome
> >>> was:
> >> [...]
> >>> It seems the self-sign for snakeoil CAs is broken.
> >>> Good luck, I don't think I'm of much use here, still playing around and
> >>> trying to find out what I'm doing here ;)
>  
> >> You are trying to use -e but you are passing a single certificate
> >> instead of a certificate chain.
> 
> >> |  -e, --verify-chain
> >> |         Verify a PEM encoded certificate chain.
> >> |
> >> |         The last certificate in the chain must be a self signed one.
>  
> >> If you used --verify instead the command would succeed.
> 
> > Sure I do only give him one ca-certificate - because it's the next and
> > last one in the chain and is self-signed (certtool
> > --generate-self-signed --load-privkey cakey.pem --template ca.info
> > --outfile cacert.pem). I did follow the howto step by step.
> 
> Hello,
> 
> I am not sure you are understanding me correctly. -e needs a chain as
> infile. You are passing a single non-self-signed certificate.
> 
> i.e. while either of these succeed
> 
> * certtool --verify --load-ca-certificate cacert.pem --infile \
>          servercert.pem
> * cat servercert.pem cacert.pem > chain.pem && \
>           certtool --verify-chain  --infile  chain.pem
> 
> this one always fails:
> 
> * certtool --verify-chain file-containing-only-a-single-non-self-signed-cert
> 
> cu Andreas