UCSB-1 fails to ORC-1, using /var/local/dataone/ca
------------------------------------------------------------------------
(Root and Prod certs in Separate files (DataONEProductionCA.crt DataONERootCA.crt), Reversed order (DataONECAChainReversed.crt), and normal Chain (DataONECAChain.crt)
root@cn-ucsb-1:/var/local/dataone/ca# curl -v --capath /var/local/dataone/ca --cert /etc/dataone/client/certs/cn-ucsb-1.dataone.org.pem --key /etc/dataone/client/private/cn-ucsb-1.dataone.org.key "https://cn-orc-1.dataone.org/knb/servlet/replication?server=cn-ucsb-1.dataone.org/knb/servlet/replication&action=test"
* About to connect() to cn-orc-1.dataone.org port 443 (#0)
* Trying 160.36.13.150... connected
* Connected to cn-orc-1.dataone.org (160.36.13.150) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /var/local/dataone/ca
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
UCSB-1 suceeds to ORC-1, using /etc/ssl/certs
--------------------------------------------------------------
using normal Chain (DataONECAChain.crt)
root@cn-ucsb-1:~# curl -v --capath /etc/ssl/certs --cert /etc/dataone/client/certs/cn-ucsb-1.dataone.org.pem --key /etc/dataone/client/private/cn-ucsb-1.dataone.org.key "https://cn-orc-1.dataone.org/knb/servlet/replication?server=cn-ucsb-1.dataone.org/knb/servlet/replication&action=test"
* About to connect() to cn-orc-1.dataone.org port 443 (#0)
* Trying 160.36.13.150... connected
* Connected to cn-orc-1.dataone.org (160.36.13.150) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: serialNumber=8kbAK7iaZfwhXx6OwLSBf9lUJSUqveDt; OU=GT39025617; OU=See www.rapidssl.com/resources/cps (c)12; OU=Domain Control Validated - RapidSSL(R); CN=*.dataone.org
* start date: 2012-05-16 09:53:15 GMT
* expire date: 2017-05-18 06:38:58 GMT
* subjectAltName: cn-orc-1.dataone.org matched
* issuer: C=US; O=GeoTrust, Inc.; CN=RapidSSL CA
* SSL certificate verify ok.
> GET /knb/servlet/replication?server=cn-ucsb-1.dataone.org/knb/servlet/replication&action=test HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: cn-orc-1.dataone.org
> Accept: */*
>
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 200 OK
< Date: Mon, 11 Jun 2012 18:19:46 GMT
< Server: Apache/2.2.14 (Ubuntu)
< Content-Length: 45
< Vary: Accept-Encoding
< Content-Type: text/html
<
<html><body>Test successfully</body></html>
* Connection #0 to host cn-orc-1.dataone.org left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
State of /var/local/dataone/ca on all machines
----------------------------------------------------------------
root@cn-orc-1:/var/local/dataone/ca# ls -l
total 8
lrwxrwxrwx 1 root tomcat6 33 2012-06-11 18:37 10718cba.0 -> /etc/ssl/certs/cilogon-silver.pem
lrwxrwxrwx 1 root tomcat6 32 2012-06-11 18:37 28776852.0 -> /etc/ssl/certs/cilogon-basic.pem
lrwxrwxrwx 1 root tomcat6 33 2012-06-11 18:38 3d863bc5.0 -> /etc/ssl/certs/cilogon-openid.pem
lrwxrwxrwx 1 root tomcat6 17 2012-06-11 18:36 6f77d24b.0 -> DataONERootCA.crt
lrwxrwxrwx 1 root tomcat6 23 2012-06-11 18:36 a0f95ed0.0 -> DataONEProductionCA.crt
-rw-r--r-- 1 root tomcat6 2212 2012-06-11 18:09 DataONEProductionCA.crt
-rw-r--r-- 1 root tomcat6 2204 2012-06-11 18:09 DataONERootCA.crt
State of /etc/ssl/certs on all machines
----------------------------------------------------------------
root@cn-orc-1:/etc/ssl/certs# ls -l /etc/ssl/certs | grep 'DataONE'
lrwxrwxrwx 1 root root 18 2012-06-11 17:36 6f77d24b.0 -> DataONECAChain.crt
-rw-r--r-- 1 openldap lpadmin 4416 2012-06-08 05:25 DataONECAChain.crt
-rw-r--r-- 1 openldap lpadmin 1931 2012-06-08 05:25 DataONETestCA.pem
lrwxrwxrwx 1 root root 17 2012-06-11 17:36 f9c792f6.0 -> DataONETestCA.pem
Tests to run
----------------
from orc-1
curl -v --capath /etc/ssl/certs --cert /etc/dataone/client/certs/cn-orc-1.dataone.org.pem --key /etc/dataone/client/private/cn-orc-1.dataone.org.key "https://cn-ucsb-1.dataone.org/knb/servlet/replication?server=cn-orc-1.dataone.org/knb/servlet/replication&action=test"
RESULT: success
curl -v --capath /etc/ssl/certs --cert /etc/dataone/client/certs/cn-orc-1.dataone.org.pem --key /etc/dataone/client/private/cn-orc-1.dataone.org.key "https://cn-unm-1.dataone.org/knb/servlet/replication?server=cn-orc-1.dataone.org/knb/servlet/replication&action=test"
RESULT: success
from ucsb-1
curl -v --capath /etc/ssl/certs --cert /etc/dataone/client/certs/cn-ucsb-1.dataone.org.pem --key /etc/dataone/client/private/cn-ucsb-1.dataone.org.key "https://cn-orc-1.dataone.org/knb/servlet/replication?server=cn-ucsb-1.dataone.org/knb/servlet/replication&action=test"
RESULT: success
curl -v --capath /etc/ssl/certs --cert /etc/dataone/client/certs/cn-ucsb-1.dataone.org.pem --key /etc/dataone/client/private/cn-ucsb-1.dataone.org.key "https://cn-unm-1.dataone.org/knb/servlet/replication?server=cn-ucsb-1.dataone.org/knb/servlet/replication&action=test"
RESULT: success
from unm-1
curl -v --capath /etc/ssl/certs --cert /etc/dataone/client/certs/cn-unm-1.dataone.org.pem --key /etc/dataone/client/private/cn-unm-1.dataone.org.key "https://cn-orc-1.dataone.org/knb/servlet/replication?server=cn-unm-1.dataone.org/knb/servlet/replication&action=test"
RESULT: success
curl -v --capath /etc/ssl/certs --cert /etc/dataone/client/certs/cn-unm-1.dataone.org.pem --key /etc/dataone/client/private/cn-unm-1.dataone.org.key "https://cn-ucsb-1.dataone.org/knb/servlet/replication?server=cn-unm-1.dataone.org/knb/servlet/replication&action=test"
RESULT: success
Apache config from ORC1
--------------------------------------
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www
ServerName cn-orc-1.dataone.org
DirectoryIndex listObjects.xml
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
RewriteEngine On
SSLProxyEngine On
RewriteOptions Inherit
<Location /knb/metacat>
Order allow,deny
Allow from 127.0.0.0/8 ::1
</Location>
<Location /knb/servlet/metacat>
Order allow,deny
Allow from 127.0.0.0/8 ::1
</Location>
<Location /knb/d1/mn>
Order allow,deny
Allow from 127.0.0.0/8 ::1
</Location>
Include /etc/apache2/jk_mount
AllowEncodedSlashes On
AcceptPathInfo On
<Location /knb/servlet/replication>
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLOptions +StrictRequire +StdEnvVars +ExportCertData
SSLVerifyClient optional
SSLVerifyDepth 10
SSLCertificateFile /etc/ssl/certs/_.dataone.org.crt
SSLCertificateKeyFile /etc/ssl/private/dataone_org.key
SSLCertificateChainFile /etc/ssl/certs/geotrust_intermediate.crt
SSLCACertificatePath /var/local/dataone/ca
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www
ServerName cn-orc-1.dataone.org
Redirect permanent / https://cn-orc-1.dataone.org/
</VirtualHost>