Certificate Chain Incomplete

KB ID 0001570

Problem

The certificate here at PNL expired over the weekend, I got a new one and installed it. All appeared to be fine until I did an online check to make sure it was OK. 

The server’s certificate chain is incomplete

Solution

I had this problem once before, back then I was using Apache and CentOS7, and things were a little different, (now I’m using NGINX and Ubuntu 18.04). Essentially you see this error because you have bought a ‘cheap‘ SSL certificate. There’s nothing wrong with that per se, but they tend to be issued from an ‘Intermediate CA‘. Again there’s nothing wrong with that either, but to improve your score you need to ‘Embed‘ the intermediate certificate, into your SSL certificate, (or all the intermediates back to a Root CA Server, if you have multiple intermediate certificates!) 

Here I have ONE intermediate, (which is pretty normal.)

There a no special tools you require to be able to do this, other than a simple text editor, you open your SSL certificate and ‘Paste” the intermediate certificate on the bottom. (DO NOT ADD ANY EXTRA SPACES). Like so;

Note: As you can see, you DON’T put the Root CA certificate at the bottom, (clients should already have them!) I made this mistake then got the following error;

[box]

Jun 23 14:12:29 localhost nginx[1197]: nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/www_petenetlive_com.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
Jun 23 14:12:29 localhost nginx[1197]: nginx: configuration file /etc/nginx/nginx.conf test failed

[/box]

Retry your test.

Related Articles, References, Credits, or External Links

NA

Event ID 4107

KB ID 0000304 

Problem

Event ID 4107

Failed extract of third-party root list from auto update cab at: <Microsoft URL>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

There’s a lot of info on this error out there in forums, and 99% of it had nothing to do with my problem.

Its basically a certificate error, to get to the bottom if it you need to dig a bit deeper.

Solution

If you have been hunting for a fix, and got here, you may of already tried some or all of these which DID NOT WORK, downloading and installing the certs from the link in the error,or deleting all your expired root certs.

1. First you need to get some detailed logging on what’s failing, Click Start > Control Panel > Administrative tools > Event Viewer > Expand Applications and Services > Microsoft > Windows > CAPI2 > Right click “Operations” > Select “Enable Log” >Then reboot.

2. Return to the same place in Event Viewer > And open the errors listed there, as you can see “In My Case” the problem is McAfee, after I removed McAfee and installed the latest version (8.7i with patch 3 at time of writing), the error ceased.

Note: Your problem may not be McAfee, but at least you now have a better idea of what it is 🙂

Related Articles, References, Credits, or External Links

NA

Securing Cisco SSL VPN’s with Certificates

KB ID 0000335

Problem

It’s been a while since I wrote a walk though on the Cisco AnyConnect/SSL VPN solution, and usually I secure these with Active Directory or simply using the local user database on the firewall. But what if you wanted to use certificates instead? Perhaps your users are too “technically challenged” to remember their passwords. Or you want to enable two factor authentication with usernames/passwords AND certificates (something you know and something you have).

Solution

Step 1: Setup the ASA as a Certificate Authority

After version 8 Cisco included a complete CA solution in the firewall with a web front end. to use it we need to a) turn it on, b) give it an email address, c) provide a subject name, and finally d) create a unique pass phrase to generate the root certificate from.

Connect to the firewall and carry out the following,

[box]

PetesASA>
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# crypto ca server
PetesASA(config-ca-server)# smtp from-address pnlCA@petenetlive.com
PetesASA(config-ca-server)# subject-name-default cn=pnlCA, o=petenetlive, c=GB
PetesASA(config-ca-server)# no shutdown

% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key
% or press return to exit
Passphrase: ********

Re-enter passphrase: ********

Keypair generation process begin. Please wait...

Completed generation of the certificate and keypair...

Archiving certificate and keypair to storage... Complete
INFO:
Certificate Server enabled.
PetesASA(config-ca-server

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server > Fill in the details > Apply.

To check that the CA Server is up and running issue a “show crypto ca server” command.

[box]


PetesASA# show crypto ca server

Certificate Server LOCAL-CA-SERVER:
Status: enabled <--Good!
State: enabled <--Good!
Server's configuration is locked (enter "shutdown" to unlock it)
Issuer name: CN=PetesASA.petenetlive.com
CA certificate fingerprint/thumbprint: (MD5)
774e1fe0 27495b35 019a9874 7507d8a9
CA certificate fingerprint/thumbprint: (SHA1)
93414d52 5f23e510 0f7f8fc2 857e3c86 d5687286
Last certificate issued serial number: 0x1
CA certificate expiration timer: 12:33:29 UTC Sep 30 2013
CRL NextUpdate timer: 18:33:29 UTC Oct 1 2010
Current primary storage dir: flash:/LOCAL-CA-SERVER/

Auto-Rollover configured, overlap period 30 days
Autorollover timer: 12:33:29 UTC Aug 31 2013
PetesASA#

[/box]

Step 2: Obtain a Client Certificate

If you have a LOT of these you can set them up and send them by email directly, I’m just going to do this one manually, By default your webvpn probably isn’t enabled on the “inside” so lets turn that on.

[box]

PetesASA#
PetesASA# conf t
PetesASA(config)# webvpn
PetesASA(config-webvpn)# enable inside
INFO: WebVPN and DTLS are enabled on 'inside'.
PetesASA(config-webvpn)# exit
PetesASA(config)#

[/box]

To do the same via ASDM connect to the ASDM > Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Tick both the inside options > Apply.

Now I’m going to create a user, and a “One Time Password”.

[box]


PetesASA(config)#
PetesASA(config)# crypto ca server user-db add petelong
INFO: User added as 'petelong'
PetesASA(config)# crypto ca server user-db allow petelong display-otp
Username: petelong
OTP: 010B3B9F500F7142 <--your user will need this!
Enrollment Allowed Until: 12:43:23 UTC Mon Oct 4 2010

PetesASA(config)#

[/box]

Via ADSM it’s a little more convoluted, you need to add the user then view/re-generate the OTP.

Open a web browser and got to https://{ip or name of firewall}/+CSCOCA+/enroll log in with the details you created above.

When prompted download the certificate and put it on the machine that requires secure access. Simply double click it and import it (it should import into the “Personal Certificates” folder.) – if you are prompted for a password you enter the OTP from above.

Step 3: Change the VPN authentication to Certificate.

First lets check that enrolment was successfully with a “show ca server user-db” command.

[box]


PetesASA(config)# show crypto ca server user-db
username: petelong
email: <None>
dn: <None>
allowed: 12:43:23 UTC Mon Oct 4 2010
notified: 1 times
enrollment status: Enrolled, Certificate valid until 12:47:25 UTC Sat Oct 1 2011,<--Good!
Renewal: Allowed

PetesASA(config)#

[/box]

Change the webvpn authenticate to certificate. Note your SSL tunnel group WILL have different name.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group SSL-VPN-POLICY webvpn-attributes
PetesASA(config-tunnel-webvpn)# authentication certificate
PetesASA(config-tunnel-webvpn)# exit
PetesASA(config)#

[/box]

To use usernames AND certificates use “both” instead of “cert”, to Revert back to usernames enter “aaa”

Via ASDM

Step 4: Test

Connect to the VPN portal and you should now be prompted for certificate authentication.

 

Related Articles, References, Credits, or External Links

AnyConnect VPN

Cisco ASA 5500 – Using a Third Party Digital Certificate (For Identification, AnyConnect, and SSL VPN)