Unable to import CA
-
Hello,
I generated a CA certificate, then keys and so on. Made it work without any issues on one PC with Linux Mint 19.1.
Works on all browsers - Vivaldi, Firefox, Chrome, Chromium. Chrome is version 77.0.3865.78.
On the other laptop, it only works in Firefox. I can't import the CA to any Chrome-based browser. The GUI itself only says "Unknown error"; there is, however, a little error in the log:
[11312:11312:1014/134704.139969:ERROR:nsNSSCertificateDB.cpp(89)] PK11_ImportCert failed with error -8168
Taken from vivaldi-snapshot
Vivaldi 2.9.1675.11 (Official Build) snapshot (64-bit)
Revision 802bcf2c17d188383d36e2aa44b3ed61c82ec66c
OS Linux
JavaScript V8 7.7.299.11
Flash 32.0.0.270 /home/xx/.config/google-chrome/PepperFlash/32.0.0.270/libpepflashplayer.so
User Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.93 Safari/537.36 Vivaldi/2.9.1675.11
Command Line /usr/bin/vivaldi-snapshot --flag-switches-begin --flag-switches-end --save-page-as-mhtml
Executable Path /opt/vivaldi-snapshot/vivaldi-snapshot
Profile Path /home/xx/.config/vivaldi-snapshot/Default
The error is the same throughout the browsers I tried - Vivaldi, Chrome, vivaldi-snapshot.
Chrome is Version 71.0.3578.98 (Official Build) (64-bit)
Linux Mint 19.
Any idea what could be wrong? How can I troubleshoot further or work around it?
Thanks,
Adam
-
Hi,
I used the same steps for importing the CA. I did exactly how you are describing it.
I also tried using the 'wrong' way of importing. I tried to import the CA as a certificate and as a server cert. In both of those, there was an error message saying that it is not possible to import a CA as a certificate, so that's correct and the error message is correct and very precise.
If the format was incorrect, would it import on the other computer? It's the same file and the same browser. Just maybe not the very same build.
I created CA by following this guide: https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
openssl req -new -x509 -subj "/CN=myca" -extensions v3_ca -days 3650 -key ca.key.pem -sha256 -out ca.pem -config $prefix.cnf
Resulting in a file named 'ca.pem'.
Just for the sake of it, I checked the md5sum of the file on both computers; it is the same.
-
Hi,
Can you advise what software I am looking for? What libs etc.?
-
Hi,
Validation is done without errors:
openssl x509 -in ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b4:8e:f9:8f:9d:4f:0d:46
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = REDACTED.com.pl
        Validity
            Not Before: Oct 11 18:24:15 2019 GMT
            Not After : Oct 8 18:24:15 2029 GMT
        Subject: CN = REDACTED.com.pl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus: (...)
I tried using the command line utility.
That's before:
certutil -d sql:$HOME/.pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

That's after:
certutil -d sql:$HOME/.pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

REDACTED.com.pl                                              P,,
I checked on the other machine and the attributes were different, so I changed that also to look like:
certutil -d sql:$HOME/.pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

REDACTED.com.pl                                              CT,C,C
In both scenarios, no errors from certutil, but neither browser has the CA on the list, and the CA is still not recognized.
The system that it works on has:
root@naven-GV72-8RC:/home/naven# dpkg -l openssl* |grep ii
ii  openssl  1.1.1-1ubuntu2.1~18.04.4  amd64  Secure Sockets Layer toolkit - cryptographic utility
root@naven-GV72-8RC:/home/naven# uname -a
Linux naven-GV72-8RC 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@naven-GV72-8RC:/home/naven# cat /etc/os-release
NAME="Linux Mint"
VERSION="19.1 (Tessa)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 19.1"
VERSION_ID="19.1"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.ubuntu.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=tessa
UBUNTU_CODENAME=bionic
Problematic system:
# dpkg -l openssl* |grep ii
ii  openssl  1.1.1-1ubuntu2.1~18.04.4  amd64  Secure Sockets Layer toolkit - cryptographic utility
# uname -a
Linux ul001613 4.15.0-48-generic #51-Ubuntu SMP Wed Apr 3 08:28:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/os-release
NAME="Linux Mint"
VERSION="19 (Tara)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 19"
VERSION_ID="19"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.ubuntu.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=tara
UBUNTU_CODENAME=bionic
Perhaps this is some permissions problem? Where are those CAs stored?
-
The problem is that even though the cert was imported using certutil, it still is not visible in the authorities list in the browser, and needless to say the CA is not recognized by Vivaldi.
-
I cut the output, used (...).
I don't fully understand how SSL works, so I cut out the 'random' parts for safety. Below is the full output without any modifications.
Keep in mind that this website, from an external POV, is using Let's Encrypt.
openssl x509 -in ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b4:8e:f9:8f:9d:4f:0d:46
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = naven.com.pl
        Validity
            Not Before: Oct 11 18:24:15 2019 GMT
            Not After : Oct 8 18:24:15 2029 GMT
        Subject: CN = naven.com.pl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus: x
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C8:D9:CA:2E:66:8B:21:13:40:15:BB:D2:C8:84:A0:BD:AD:CF:20:CA
            X509v3 Authority Key Identifier:
                keyid:A8:D9:CD:2E:66:1B:87:63:40:15:BB:D2:C8:84:C0:BD:AC:CF:20:CB
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:3
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA
    Signature Algorithm: sha256WithRSAEncryption
         x
-
Hi,
Good news.
I actually didn't notice you giving me the location of the certs earlier. I compared it now and found the fault.
The issue was in permissions. I had:
ls -lah /home/username/ | grep pki
drw-r--r-- 3 username username 4.0K Apr 27 2017 .pki
I did:
chmod -R 700 /home/username/.pki/
ls -lah /home/username/ | grep pki
drwx------ 3 username username 4.0K Apr 27 2017 .pki
which fixed the issue.
Thank you for the thorough investigation.
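A check for the permission fault that turned out to be the cause, added here as an example and not taken from the thread or from Vivaldi; it assumes only a POSIX shell with ls, chmod and mktemp, and the .pki layout (nssdb inside .pki) described above:

```shell
#!/bin/sh
# Added example, not code from the thread: check that a per-user NSS database
# root such as ~/.pki has the owner bits NSS needs, and repair it the way the
# thread did (chmod -R 700). The fault above was .pki with mode drw-r--r--:
# without the owner x (search) bit, nothing inside .pki/nssdb can be opened,
# so certutil and Chromium-based browsers cannot reach cert9.db / key4.db.

# Owner permission triple ("rwx", "rw-", ...) taken from ls, so it works on
# both GNU and BSD userlands and does not depend on stat's flag syntax.
owner_bits() {
  ls -ld "$1" | cut -c2-4
}

# Return 0 when the directory is readable, writable and searchable by its
# owner; 1 when a bit is missing; 2 when the path is not a directory.
check_nss_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  bits=$(owner_bits "$dir")
  case $bits in
    rwx) echo "ok: $dir has owner bits $bits"; return 0 ;;
    *)   echo "problem: $dir has owner bits '$bits', need 'rwx'" >&2; return 1 ;;
  esac
}

# The thread's fix: owner-only access to the whole database tree. The top
# directory is fixed first so the recursive pass can descend into it.
fix_nss_dir() {
  chmod 700 "$1" && chmod -R 700 "$1"
}

# Reproduce the failure in a scratch directory (constructed; not a real home).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/.pki/nssdb"
  chmod 644 "$tmp/.pki"                 # same mode as on the broken laptop
  check_nss_dir "$tmp/.pki" || fix_nss_dir "$tmp/.pki"
  check_nss_dir "$tmp/.pki"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo to watch the check fail on the 644 directory and pass after the fix; point check_nss_dir at "$HOME/.pki" to test a real profile.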
-