MacOS keychain trust not as expected
crdant opened this issue · comments
I had some issue with certificates on my home DNS today, and thought I'd use dog to debug. I'm using version 0.1.0.
$ dog --version
dog ● command-line DNS client
v0.1.0
https://dns.lookup.dog/
My scenario was that the TLS certificates had expired, and I caught that fairly quickly. Renewed the certs and got them in place. Then tried to validate with dog and it helped me identify the next issue, which was that I only updated one of the pair of servers. After updating that, I hoped for dog to confirm I had the fix, but still wasn't quite there.
Trying to verify the fix, I turned again to dog and was disappointed:
$ dog www.google.com --tls
Error [tls]: The certificate was not trusted.
Dug in a bit to see what might be up, and thought maybe it was because Mac didn't trust the roots. That wasn't the case, they're all set.
Tried to present the intermediate with the cert…CoreDNS doesn't let me do that so I was out of luck. So I made sure my Mac trusted the intermediate
Tried again and still no luck
$ dog www.google.com --tls
Error [tls]: The certificate was not trusted.
Error [tls]: The certificate was not trusted.
I switched over to kdig for a sanity check, and it seems to be reading my trust settings correctly.
$ kdig www.google.com +tls
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP384R1-SHA384)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5743
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 81 B
;; QUESTION SECTION:
;; www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 30 IN A 142.250.64.100
;; Received 158 B
;; Time 2022-05-09 13:21:14 EDT
;; From 10.13.6.253@853(TCP) in 37.0 ms
I'm running on MacOS Monterrey, v 12.3.1, and here's the details from uname.
$ uname -a
Darwin OS-C02F22SVML85 21.4.0 Darwin Kernel Version 21.4.0: Fri Mar 18 00:45:05 PDT 2022; root:xnu-8020.101.4~15/RELEASE_X86_64 x86_64
For completeness, here's the certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:0f:d7:70:6e:2b:12:90:96:b9:ec:49:8a:e2:f5:07:b1:79
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=US, O=Let's Encrypt, CN=E1
Validity
Not Before: May 9 15:15:57 2022 GMT
Not After : Aug 7 15:15:56 2022 GMT
Subject: CN=dns.crdant.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:c4:e4:0b:d5:3f:6f:5d:68:11:4d:c0:a0:93:be:
27:a0:db:b4:57:fd:8c:32:9b:c7:3b:23:a3:a1:20:
3c:e2:20:4c:1e:30:60:14:a7:46:c5:da:74:ef:c3:
a9:21:ab:20:b1:4b:1d:25:84:cf:b7:70:76:6f:60:
be:b4:e5:5d:88:f7:e7:27:c0:f9:5c:c0:a3:0c:ca:
3f:56:3d:4a:b3:0d:dc:6f:6e:76:12:b4:7d:2d:99:
9a:c7:29:ec:ae:88:58
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
50:64:30:94:3D:FE:96:98:61:E7:46:19:DB:2A:E3:8B:CD:DF:26:FF
X509v3 Authority Key Identifier:
keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
Authority Information Access:
OCSP - URI:http://e1.o.lencr.org
CA Issuers - URI:http://e1.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:dns.crdant.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
1.3.6.1.4.1.11129.2.4.2:
......v...^.h.O.l..._N>Z.....j^.;.. D\*s.......0.....G0E.
f...y%.'.j.rb...)TN..,..W.[J....!..W...-.k......v...J..\pS.\...@.0.v.F.U.u.. 0...i..}.,At..I.....p.mG.......:.....G0E.!..)
.@..Y....|1..J..\..uF......v
. -X.Q<...#.u.
[.4`..9.VGC.%......
Signature Algorithm: ecdsa-with-SHA384
30:65:02:30:1f:7e:cc:2d:19:5f:12:af:c6:1d:cc:f8:62:f7:
72:49:76:40:5f:a0:3b:59:76:83:35:a4:05:27:c5:73:11:b3:
11:50:56:ec:27:64:90:dc:f2:6e:e7:4b:3e:02:95:73:02:31:
00:f4:c9:f5:ca:b4:b4:61:89:8c:8f:c1:8b:5e:57:a2:c2:08:
99:a3:85:08:4f:24:c8:80:1c:f4:c0:8a:f5:7b:3a:a9:6f:27:
a3:b9:2b:03:23:51:90:9a:fa:c7:14:11:18
First, install openssl (v3), then create any folder that be contains your certificates. Open shell and enter: "mkdir CA && mkdir Localhost".
Generate CA:
openssl genrsa -aes256 -out "CA/CRDANT CA Private Key.key" 4096openssl req -x509 -sha512 -new -nodes -key "CA/CRDANT CA Private Key.key" -days 3650 -out "CA/CRDANT CA Self Signed Root CA.pem"
Generate for Localhost usage (macOS):
echo "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:false\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\nextendedKeyUsage = clientAuth, serverAuth\n\n[alt_names]\nIP.1 = 127.0.0.1\nDNS.1 = localhost" > Localhost/localhost.extopenssl genrsa -aes256 -out "Localhost/localhost.psw.key" 4096openssl req -new -key "Localhost/localhost.psw.key" -out "Localhost/localhost.csr"openssl x509 -req -in Localhost/localhost.csr -CA "CA/CRDANT CA Self Signed Root CA.pem" -CAkey "CA/CRDANT CA Private Key.key" -CAcreateserial -out "Localhost/localhost.pem" -days 365 -sha512 -extfile "Localhost/localhost.ext"
Install CA and use Localhost certificate on your localhost server. The problem is long period.