Verifying certificates


I have some doubts on certificates.

I have just installed a fresh Yunohost on a fresh Debian.
So far I have only configured one domain and installed one app (nextcloud) in that domain.

I have not installed any let’s encrypt certificate.

I would like to manually verify I am not suffering a Person In The Middle attack. I would like to compare the certificate received in the client to the one stored in the server.

As I do not know where the certificate is located in the server, now I am just checking everything from a client.

If I visit mydomain.tld on the client’s browser, the browser lets me see the SHA1 fingerprint of the certificate.

From the client’s nextcloud desktop application I can also connect to mydomain.tld. I get a warning on the untrusted certificate and it shows me a different SHA1 fingerprint. Why?

Then someone told me I could get the whole certificate from the client with:

openssl s_client -connect mydomain.tlc:443

So I got some data and also:


If I do a sha1sum of those zillion funny characters, I get a third different SHA1 outcome! Why?

Anyone could please help me understand how certificates and fingerprints work? I do not understand why I get three different results.

And please let me know where the certificate is located in the server so that I can run a sha1sum there and compare it to the tree different results I get from a client.

Thank you!

If you really want to go this way, you should get the CA certificate and load it in your browser as a new certification authority.

The CA file is located in /etc/ssl/certs/ca-yunohost_crt.pem

To get this file, I would naively recommend to use SSH / SCP.

To use SSH / SCP, you will need to check the fingerprint of your server (otherwise the whole discussion is irrelevant if you don’t also do this check)

To check the fingerprint, you should connect to your machine with an actual screen+keyboard and get the fingerprint with ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key (or whichever key you are using)

Thanks Aleks!

I guess that CA certificate is unique for each Yunohost installation. Or does every Yunohost installation share the same CA certificate?

It is unique (generated during postinstall), yes

Thanks Aleks,

I followed @jibecfed suggestions at Onion et yunohost - Some questions in order to avoid leaking some data on the certificate. So I created subdomain.domain.tld, convert the subdomain into the main one, uninstalled the app and install it again.

So now I guess I should not import /etc/ssl/certs/ca-yunohost_crt.pem into the client, but a new certifcate that I guess it has been created because of the new main domain.

Am I right?
If so, where is the new certificate I have to import?


There was this ca.pem CA cert at /etc/yunohost/certs/mydomain.tld-history/…-selfsigned/ which was a symlink to /etc/ssl/certs/ca-yunohost_crt.pem, which was a symlink to /etc/yunohost/certs/

I imported that ca.pem file into the client and problem solved. Thank you Aleks!