0
votes

Working with a standard MediaTemple server setup with an installed GeoTrust domain certificate I am getting different responses from openssl and web requests.

Visiting the site from a site checker site I get a good response and see my domain certificate and the full Geotrust certificate chain.

When using

openssl s_client -connect subdomain.domain.com:443 -showcerts -ssl3

from my local machine I see

Server certificate
subject=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]
issuer=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/[email protected]

and Verify return code: 18 (self signed certificate)

openssl version -d = OPENSSLDIR: "/etc/pki/tls"

It's a Centos 6.x box.

The apache httpd.conf file points to a certificate and CA list in a completely different location: /usr/local/psa/var/certificates/ which would seem fine to me.

Where is the openssl s_client finding the Parallels certificate? It is not located in /etc/pki/tls. Is there a way to configure the box so that the openssl requests and apache use the same server certificate?

Thanks in advance!


2 Answers

1
votes

openssl s_client gets the certificate from the server during the SSL handshake. OPENSSLDIR is only the place where any (optional) configurations for the openssl tool get stored.

Note that you might get a different certificate with openssl than you have configured on your server because you need to use SNI (Server Name Indication) like browsers do. This feature is used if you have multiple certificates behind the same IP. To use this feature with openssl add the -servername hostname parameter and provide the name you expect. You must also remove the -ssl3 option since this restricts the connection to SSL 3.0, which is not only insecure but also does not support SNI.
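As an added example (not code from either answer), the following Python script reproduces the SNI effect described above entirely on localhost: a server holds two certificates behind one port and switches by SNI, and a client connects once without SNI (what s_client does without -servername) and once with it, getting a different certificate each time. It assumes the openssl CLI is on PATH (only to mint throwaway self-signed certs) and uses the constructed hostnames default.example and subdomain.example.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(dirname, cn):
    """Mint a throwaway self-signed cert/key for CN (constructed test data; needs openssl CLI)."""
    key, crt = os.path.join(dirname, cn + ".key"), os.path.join(dirname, cn + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + cn, "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def run_demo():
    """Serve two certs on one port, selected by SNI; return {client SNI name: CN of cert received}."""
    with tempfile.TemporaryDirectory() as d:
        certs = {cn: make_cert(d, cn) for cn in ("default.example", "subdomain.example")}
        ctxs = {}
        for cn, (crt, key) in certs.items():
            ctxs[cn] = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctxs[cn].load_cert_chain(crt, key)
        default = ctxs["default.example"]
        def pick(sslobj, name, _ctx):
            # Like Apache name-based vhosts: switch to the matching cert, otherwise keep the default one
            if name in ctxs:
                sslobj.context = ctxs[name]
        default.sni_callback = pick
        srv = socket.create_server(("127.0.0.1", 0))
        port = srv.getsockname()[1]
        names = [None, "subdomain.example"]  # None = no SNI, i.e. s_client without -servername
        def serve():
            for _ in names:
                conn, _addr = srv.accept()
                try:
                    with default.wrap_socket(conn, server_side=True) as s:
                        s.recv(1)  # client hangs up right after the handshake; that is all we need
                except OSError:
                    pass
        t = threading.Thread(target=serve, daemon=True)
        t.start()
        der_to_cn = {ssl.PEM_cert_to_DER_cert(open(crt).read()): cn for cn, (crt, _) in certs.items()}
        seen = {}
        for name in names:
            cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            cctx.check_hostname, cctx.verify_mode = False, ssl.CERT_NONE  # self-signed test certs
            with cctx.wrap_socket(socket.create_connection(("127.0.0.1", port)), server_hostname=name) as s:
                seen[name] = der_to_cn[s.getpeercert(binary_form=True)]
        t.join()
        srv.close()
        return seen

if __name__ == "__main__":
    print(run_demo())  # {None: 'default.example', 'subdomain.example': 'subdomain.example'}
```

The same comparison against a real host is `openssl s_client -connect host:443` with and without `-servername host`; the certificate that differs between the two runs is the one Apache's name-based vhost is serving.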

0
votes

Turns out that on MediaTemple servers they maintain certs in two locations. The apache server has a location for the CA file in its conf files that is different from where openssl maintains its CA files.

You can find the apache location in the conf files and the openssl location with

openssl version -d

Within MediaTemple's web administration pages you can use plesk to install the domain cert into the openssl location as the "server's" cert. The apache server should already have the cert and CA files in the right location. The MediaTemple custom apache configuration overrides the standard apache setup which sets apache's cert locations to be the same as openssl's.