curious_21

Reputation: 59

Confusion between signed certificate and error: x509: certificate signed by unknown authority

So I am working on matrix.org synapse homeserver and trying to federate.

I got the certificate for my homeserver. It had 3 files inside it: chain.crt (binary), server.crt (non-binary) and server.key (non-binary).

server.crt has the BEGIN CERTIFICATE header and server.key has the private key. I am reverse proxying my homeserver with the Nginx webserver, and in the Nginx config I have pointed the SSL certificate to server.crt and the SSL key to server.key.

The problem I am getting in https://federationtester.matrix.org/ is it shows x509: certificate signed by unknown authority.

Do I need to include chain.crt (the binary file) somewhere as well?

Upvotes: 1

Views: 3549

Answers (2)

dave_thompson_085

Reputation: 38821

nginx wants the server (leaf) cert and the chain (intermediate) cert(s), both in PEM format (what you call non-binary), in the same file. But what you call binary is almost certainly what a lot of software calls DER (which is a specific binary encoding of ASN.1, which X.509 uses). If you have OpenSSL available (or get it), use

openssl x509 -in chain.binary -inform der -out chain.pem

then append chain.pem to the end of server.crt; or you can do this in one step by

openssl x509 -in chain.binary -inform der >>server.crt

If this doesn't work it is possible your chain.crt is something odder, like a PKCS7/CMS in binary/DER. Post a hex dump, or make the exact file available someplace like pastebin.

If you don't have/get OpenSSL there are other tools that can be used depending on your environment. Specify your operating system(s) and any major tools that are present like Java.

Upvotes: 0
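To make the answer above concrete, here is an added Python example (not code from the question, the answer, Synapse or nginx) that sniffs whether a chain file is DER or PEM, splits a DER chain into its individual certificates, refuses a PKCS7/CMS blob instead of mislabelling it as a certificate, and assembles the leaf-plus-chain bundle that nginx's ssl_certificate expects. The byte strings are constructed samples with just enough ASN.1 structure for the checks, not real certificates.

```python
import base64
import re

# Constructed sample bytes (not real certificates): just enough DER structure for the sniffing below.
FAKE_CERT_A = bytes.fromhex("3006 3004 0202 03e8")
FAKE_CERT_B = bytes.fromhex("3005 3003 0201 05")
FAKE_PKCS7 = bytes.fromhex("300b 0609 2a864886f70d010702")   # OID 1.2.840.113549.1.7.2 = signedData
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_header(buf, pos=0):
    """Return (tag, header_length, content_length) of the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long form: the next n bytes hold the length
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def split_der(blob):
    """Split one or more concatenated top-level DER SEQUENCEs (a DER chain file)."""
    items, pos = [], 0
    while pos < len(blob):
        tag, hdr, size = der_header(blob, pos)
        if tag != 0x30 or pos + hdr + size > len(blob):
            raise ValueError(f"not a DER SEQUENCE at offset {pos}")
        items.append(blob[pos:pos + hdr + size])
        pos += hdr + size
    return items

def classify(der):
    """X.509 is SEQUENCE { tbsCertificate SEQUENCE ... }; PKCS#7 ContentInfo is SEQUENCE { OID ... }."""
    _, hdr, _ = der_header(der)
    return {0x30: "certificate", 0x06: "pkcs7"}.get(der[hdr], "unknown")

def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (base64 in 64-character lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_bundle(server_pem, chain_bytes):
    """Leaf first, then the intermediates: the file nginx's ssl_certificate should point at."""
    if chain_bytes.lstrip().startswith(b"-----BEGIN"):  # chain already PEM: decode each block
        parts = [base64.b64decode(b) for b in PEM_BLOCK.findall(chain_bytes.decode("ascii"))]
    else:                                                # chain is DER, possibly several certs
        parts = split_der(chain_bytes)
    kinds = [classify(p) for p in parts]
    if any(k != "certificate" for k in kinds):
        raise ValueError(f"chain holds {kinds}: extract the certs with 'openssl pkcs7 -print_certs' first")
    return server_pem.rstrip("\n") + "\n" + "".join(der_to_pem(p) for p in parts)
```

Write the returned string to a file and point ssl_certificate at it; ssl_certificate_key keeps pointing at server.key.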

lub

Reputation: 136

It is generally good practice to include intermediate certificates in your TLS configuration. But the certificate should normally validate correctly anyway, because clients normally also have various intermediate certificates in their store and can build the chain that way.

Is your certificate signed by a public CA? Synapse has required such a certificate since a couple of versions ago. The default certificate is probably self-signed, unless you configured the built-in ACME client to retrieve one from Let's Encrypt.

One way to check it is opening the federation URL in your browser and see if it is throwing a validation error.

Upvotes: 1
