by default, the builder installs /bin/cert-chain-resolver and /bin/tests

with cert-chain-resolver.nix

$ nix-build . -A cert-chain-resolver
this derivation will be built:
  /nix/store/f3jz7x81nzzv4ifnhk7818cxqshzclk2-cert-chain-resolver-1.0.4.drv
building '/nix/store/f3jz7x81nzzv4ifnhk7818cxqshzclk2-cert-chain-resolver-1.0.4.drv'...
Running phase: unpackPhase
unpacking source archive /nix/store/zfa0dgrv8jsmxqg2vd2wlkb27h6458yf-source
source root is source
Running phase: patchPhase
Running phase: updateAutotoolsGnuConfigScriptsPhase
Running phase: configurePhase
Running phase: buildPhase
Building subPackage .
Building subPackage ./certUtil
Building subPackage ./tests
buildPhase completed in 3 minutes 29 seconds
Running phase: installPhase
Running phase: fixupPhase
shrinking RPATHs of ELF executables and libraries in /nix/store/bxm3l6k2l2cig20lyam5sqg0yyifzb5y-cert-chain-resolver-1.0.4
shrinking /nix/store/bxm3l6k2l2cig20lyam5sqg0yyifzb5y-cert-chain-resolver-1.0.4/bin/tests
shrinking /nix/store/bxm3l6k2l2cig20lyam5sqg0yyifzb5y-cert-chain-resolver-1.0.4/bin/cert-chain-resolver
checking for references to /build/ in /nix/store/bxm3l6k2l2cig20lyam5sqg0yyifzb5y-cert-chain-resolver-1.0.4...
patching script interpreter paths in /nix/store/bxm3l6k2l2cig20lyam5sqg0yyifzb5y-cert-chain-resolver-1.0.4
stripping (with command strip and flags -S -p) in  /nix/store/bxm3l6k2l2cig20lyam5sqg0yyifzb5y-cert-chain-resolver-1.0.4/bin
/nix/store/bxm3l6k2l2cig20lyam5sqg0yyifzb5y-cert-chain-resolver-1.0.4

$ ./result/bin/
cert-chain-resolver  tests

Get http://apps.identrust.com/roots/dstrootcax3.p7c: dial tcp 192.35.177.64:80: i/o timeout

root@server:/certs/cert-chain-resolver# glide install
[WARN] The name listed in the config file (github.com/zakjan/cert-chain-resolver) does not match the current location (.)
[INFO] Downloading dependencies. Please wait...
[INFO] --> Fetching github.com/urfave/cli
[INFO] --> Fetching github.com/stretchr/testify
[INFO] --> Fetching github.com/fullsailor/pkcs7
[INFO] Setting references.
[INFO] --> Setting version for github.com/fullsailor/pkcs7 to 2585af45975b11f1d7502bb6c01556c29efb54ce.
[INFO] --> Setting version for github.com/stretchr/testify to f390dcf405f7b83c997eac1b06768bb9f44dec18.
[INFO] --> Setting version for github.com/urfave/cli to 01a33823596e7cffafa9e037acdd2441dc0eb03f.
[INFO] Exporting resolved dependencies...
[INFO] --> Exporting github.com/fullsailor/pkcs7
[INFO] --> Exporting github.com/stretchr/testify
[INFO] --> Exporting github.com/urfave/cli
[INFO] Replacing existing vendor dependencies

root@server:/certs/cert-chain-resolver# go build
main.go:5:2: cannot find package "github.com/urfave/cli" in any of:
/usr/local/go/src/github.com/urfave/cli (from $GOROOT)
/root/work/src/github.com/urfave/cli (from $GOPATH)
main.go:6:2: cannot find package "github.com/zakjan/cert-chain-resolver/certUtil" in any of:
/usr/local/go/src/github.com/zakjan/cert-chain-resolver/certUtil (from $GOROOT)
/root/work/src/github.com/zakjan/cert-chain-resolver/certUtil (from $GOPATH)

please help..

Hi,

We're having an issue using cert-chain-resolver with a Letsencrypt certificate.

mallmann:cert-chain-resolver> ./cert-chain-resolver cert.crt
Invalid certificate.
mallmann:cert-chain-resolver>

Looking into is, it appears that this certificate points to two parents: http://cert.int-x3.letsencrypt.org/ and http://apps.identrust.com/roots/dstrootcax3.p7c.

The error happens when we try to parse the second one.

In the file ./src/github.com/zakjan/cert-chain-resolver/certUtil/io.go, inside func DecodeCertificate, the call to x509.ParseCertificate(data) returns the following error:

asn1: structure error: tags don't match (16 vs {class:0 tag:6 length:9 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2

Looks like the certificate from identrust is in DER form. What is the best way to handle this?

If there is anything we can do, we'll be glad to develop and post a PR. We just need a few pointers =)

Thanks!

➜ cert-chain-resolver-master ./resolve.sh ssl.crt ssl1.crt
sed: illegal option -- r
usage: sed script [-Ealn] [-i extension] [file ...]
sed [-Ealn] [-i extension] [-e script] ... [-f script_file] ... [file ...]
Error (empty subject).

I don't think OS X sed supports -r

I tried to use the darwin build for OS X 10.13 (High Sierra), and I saw that it gives a segmentation fault: 11 whenever I try to run it.

However if I manually build the binary on the OS, it seems to work perfectly.

Hi,

I was wondering if would be possible/useful to add the root CA to the chain, in order to configure ssl stapling chains on Nginx and Apache httpd.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate

If You guys agree with that, We can submit a PR with this feature.

Thanks and Best Regards,

Daniel Biazus

1: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.domain.io
2: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=PositiveSSL CA 2
unable to load certificate
140525519689544:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140525519689544:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CINF
140525519689544:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509

Not sure whats causing it.

The script fails if there are multiple "CA Issuers - URI" entries within a certificate. Example: host certificate of www.zedat.fu-berlin.de

cert_get_issuer_url() returns both and wget fails. Either cert_get_issuer_url() should return only the first entry or there should be a loop in main() over all URLs until one succeed.

So I was receiving this error message, but it still persists after using this tool.

"This server's certificate chain is incomplete. Grade capped to B."

sudo ./cert-chain-resolver/src/cert-chain-resolver.sh -o domain.bundle.pem domain.crt

I'm wondering if the problem is that the CA certs contain an anchor as after running this tool I've gone from having a single extra-download with one path, to two paths, one with one extra-download, the other with two extra downloads... I've never encountered this issue before, normally I can just cat the CA files and I get an A+...

CentOS7 Apache2+mod_ssl

TIA

I have rewritten the project to Go, can anyone check the new branch? golang

I am using a certificate interface that requires the certificate file to be separate from the CA bundle. Would you be interested in an option that excludes the input crt from the output bundle file?

This script is freakin awesome. I always encounter these problems when working SSL certs.

However, looking through script, the rm -rf $TMP_DIR phase is a bit scary. Could this be changed to something less dangerous? I'm no bash pro, so I might just be overly cautious. If something goes wrong in the script or $TMP_DIR is accidentally set to / somebody might have a very bad time.

Sorry that I can't provide you with a suggested pull request, just wanted to start a discussion. What do you think?

I'm trying to run this file on ubuntu and nothing happens
ldd says
root@host:/tmp/cert-chain-resolver_linux_amd64$ ldd cert-chain-resolver
linux-vdso.so.1 (0x00007ffc1537f000)
libc.musl-x86_64.so.1 => not found

Those builds intended only for alpine linux (using musl)?