One site not showing as trusted

[chuckf]

So the situation i'm currently in is I've set up a step-ca instance on my home network/lab and am trying things out as time allows. I've generated a few certs for devices and most of them are working as expected. However I have one Apache server that is being quirky. When I configure it with a step generated cert and key file I get a message that the certificate authority is untrusted when using Chrome or wget on Fedora or MacOS. One the same systems using Firefox the certificate is shown as trusted. 

The puzzling part comes in that the same Chrome and wget commands do not show this error on other servers I've applied step certificates on. The other sites show as trusted, as expected.

I've used the following command to generate the certificates. The $1 is the server name and the $2 is its IP address. I have one embedded device that I had to create an RSA key using a different command for and that works as trusted as well. 

step ca certificate --san $1 --san $1.local.lan --san $2 --not-after=2021-12-31T23:23:23-05:00 $1 $1.crt $1.key

Any guidance would be appreciated.

[maraino]

Have you installed your internal root certificate in your keychain? You can do it with:

step certificate install $(step path)/certs/root_ca.crt

Firefox doesn't uses the system keychain, so you need to install it using the same command as above with the flag --firefox, or just use --all if you want to install it in the system truststore, Firefox, and Java.

[maraino]

I've just tested on macOS and the Homebrew version of wget doesn't uses the system truststore, I guess you need to install the root in Homebrew's one. Or run wget with:

wget --ca-certificate $(step path)/certs/root_ca.crt https://name.local.lan

[maraino]

This will install your root certificate in Homebrew's openssl truststore:

cat $(step path)/certs/root_ca.crt >> /usr/local/etc/[email protected]/cert.pem

And Homebrew's wget will work without complaining about the root cert.

[chuckf]

Have you installed your internal root certificate in your keychain?

Yes. The root cert is installed and as mentioned in the original post, multiple other sites generated from the same step_ca verify their certificates correctly. It is just this one server that won't play nice and mark it as trusted.

[maraino]

I'll try to test with an apache server and see what's going on.

[tashian]

@chuckf were you able to work this out? I wonder if for some reason Apache is serving the leaf cert without the intermediate. Or, if the SAN that isn't a FQDN is somehow tripping up these clients (seems unlikely).