Verifying certificates

Hello!

I have some doubts on certificates.

I have just installed a fresh Yunohost on a fresh Debian.
So far I have only configured one domain and installed one app (nextcloud) in that domain.

I have not installed any let’s encrypt certificate.

I would like to manually verify I am not suffering a Person In The Middle attack. I would like to compare the certificate received in the client to the one stored in the server.

As I do not know where the certificate is located in the server, now I am just checking everything from a client.

If I visit mydomain.tld on the client’s browser, the browser lets me see the SHA1 fingerprint of the certificate.

From the client’s nextcloud desktop application I can also connect to mydomain.tld. I get a warning on the untrusted certificate and it shows me a different SHA1 fingerprint. Why?

Then someone told me I could get the whole certificate from the client with:

openssl s_client -connect mydomain.tld:443

So I got some data and also:

-----BEGIN CERTIFICATE-----
Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-Azillionfunnycharactershere-==
-----END CERTIFICATE-----

If I do a sha1sum of those zillion funny characters, I get a third different SHA1 outcome! Why?

Could anyone please help me understand how certificates and fingerprints work? I do not understand why I get three different results.

And please let me know where the certificate is located in the server so that I can run a sha1sum there and compare it to the three different results I get from a client.

Thank you!

If you really want to go this way, you should get the CA certificate and load it in your browser as a new certification authority.

The CA file is located in /etc/ssl/certs/ca-yunohost_crt.pem

To get this file, I would naively recommend using SSH / SCP.

To use SSH / SCP, you will need to check the fingerprint of your server (otherwise the whole discussion is irrelevant if you don’t also do this check).

To check the fingerprint, you should connect to your machine with an actual screen+keyboard and get the fingerprint with ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key (or whichever key you are using).

Thanks Aleks!

I guess that CA certificate is unique for each Yunohost installation. Or does every Yunohost installation share the same CA certificate?

It is unique (generated during postinstall), yes

Thanks Aleks,

I followed @jibecfed's suggestions at "Onion et yunohost - Some questions" in order to avoid leaking some data on the certificate. So I created subdomain.domain.tld, converted the subdomain into the main one, uninstalled the app and installed it again.

So now I guess I should not import /etc/ssl/certs/ca-yunohost_crt.pem into the client, but a new certificate that I guess has been created because of the new main domain.

Am I right?
If so, where is the new certificate I have to import?

Solved.

There was this ca.pem CA cert at /etc/yunohost/certs/mydomain.tld-history/…-selfsigned/ which was a symlink to /etc/ssl/certs/ca-yunohost_crt.pem, which was a symlink to /etc/yunohost/certs/yunohost.org/ca.pem

I imported that ca.pem file into the client and problem solved. Thank you Aleks!
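
Added example, not part of the original thread: a certificate fingerprint is the digest of the certificate's binary DER encoding, so running sha1sum over the base64 characters between the BEGIN/END lines hashes different bytes and gives an unrelated value. The Python code below computes the fingerprint from PEM text and compares a certificate file copied from the server with the certificate a host actually serves; the sample bytes are constructed stand-ins (not a real certificate), and the file path and host name are arguments you supply.

```python
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate found in pem_text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Line breaks inside the block are layout only; drop them before decoding.
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(pem_text, algo="sha1"):
    """Digest of the DER bytes, colon-separated (pass algo="sha256" for SHA-256)."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def text_digest(pem_text, algo="sha1"):
    """What sha1sum over the pasted base64 text yields: NOT a fingerprint."""
    body = PEM_BLOCK.search(pem_text).group(1).strip()
    return hashlib.new(algo, body.encode("ascii")).hexdigest()

def same_certificate(pem_a, pem_b):
    """True when both PEM texts encode byte-identical certificates."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)

# Constructed stand-in bytes so the functions can be exercised offline.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py <certificate file copied from the server> <host>
        with open(sys.argv[1]) as fh:
            local = fh.read()
        # Fetched without validation on purpose: the comparison is the check.
        served = ssl.get_server_certificate((sys.argv[2], 443))
        print("file  :", fingerprint(local))
        print("served:", fingerprint(served))
        print("match" if same_certificate(local, served) else "MISMATCH")
    else:
        print("fingerprint :", fingerprint(SAMPLE_PEM))
        print("text digest :", text_digest(SAMPLE_PEM))
```

The comparison is only meaningful when the file was obtained over a channel you already trust, such as SSH after the host key check described above, and when the file is the certificate the web server presents rather than the CA that signed it.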