Doing a transparent http-to-https proxy: I have client_ca_directory defined, with my CA's intermediate and root certs in there, but client devices without the intermediate cert can't connect, for example:

$ openssl s_client -connect owa.<deleted>.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
-----BEGIN CERTIFICATE-----
MIIE8zCCA9ugAwIBAgIDRqHrMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJV
UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UE
ChMRR29EYWRkeS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0
<snip>
3PGHYxjmpBFZKtaSFoI4QyAWywn0CXefB/hOPkc0IP7fiRlsFZj/JrknfpKo6qps
uy+Df1AdPf+OXBSqwWWlDdSbFrx9wZc1i0oafe837YNiixVtJ9Sr955It7RL0FpD
+iv15z3HwJ+U0Fuundwp8n/P1j18rtM=
-----END CERTIFICATE-----
---
Server certificate
subject=/O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 1433 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID: 4F0D7577C6C97C7D0E66C73C82896637E4866CFCF9CE371B0CD4DA34E4FD1777 $
    Session-ID-ctx:
    Master-Key: 463D578F6593F1B7C634388F7A1FA90D3C832AEC9C68FF4598F921D9E6E84D2A E1EB996564D802FA159B46D10EF14785
    Key-Arg : None
    Start Time: 1219420426
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

It appears that it's not picking up the intermediate cert, any way around this? Apache has a SSLCertificateChainFile directive, is something similar needed?

Thanks in advance

David Yerger
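
Added example, not part of the original post: a small Python check that reads `openssl s_client -showcerts` output like the above and reports whether the server presented only its leaf certificate, which is the pattern behind verify code 21. The sample text, the example.test names and the function names are constructed for illustration.

```python
import re

# Constructed sample in the `openssl s_client -showcerts` output layout
# (placeholder names, not the poster's host or CA).
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=www.example.test/OU=Domain Control Validated/CN=www.example.test
   i:/C=US/O=Example Issuing CA/CN=Example Secure Certification Authority
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
---
Server certificate
subject=/O=www.example.test/OU=Domain Control Validated/CN=www.example.test
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# One chain entry: "<depth> s:<subject>" followed by an indented "i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.M)
VERIFY = re.compile(r"Verify return code: (\d+) \((.*?)\)")

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] for the certificates the server sent."""
    _, found, rest = text.partition("Certificate chain")
    section = rest.partition("Server certificate")[0] if found else ""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(section)]

def diagnose(text):
    """Summarise the presented chain and the client's verification result."""
    chain = parse_chain(text)
    m = VERIFY.search(text)
    top = chain[-1] if chain else None          # highest certificate actually sent
    self_signed = bool(top) and top[1] == top[2]
    return {
        "certs_sent": len(chain),
        "verify_code": int(m.group(1)) if m else None,
        # Only the leaf was sent: clients must already hold its issuer locally.
        "leaf_only": len(chain) == 1 and not self_signed,
        # Issuer of the last certificate sent, i.e. what the client must supply itself.
        "issuer_not_in_handshake": top[2] if top and not self_signed else None,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

When `leaf_only` is true, any client that does not already have the named issuer in its own store fails verification, which matches the behaviour described in the post.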