How to resolve the “certificate chain issued by an untrusted authority”?

Asked by ConnorPeake in SQL Server, Asked on May 29, 2024

I am a network administrator at a particular company. Recently some users have reported that they are facing issues when trying to access a critical internal application hosted on a company server. When I investigated, I found that the browser was showing an error message stating that “the certificate chain was issued by an authority that is not trusted”. How can I troubleshoot and resolve this particular issue?

Answered by Ranjana Admin

In the context of SQL, here are the troubleshooting steps:

Initial assessment

First, you would need to perform an initial assessment by using the “openssl” command. This would help in connecting to the server on port 443 and then retrieving the certificate chain.

Analyze the output

Now you would need to look at the certificate chain which is provided by the server. It should display the end-entity certificate, any intermediate certificates, and also the root certificate.

Checking the issuer details

Now it is recommended to check the details of the issuer of each of the above certificates.

Verify the CA

You should consult a trusted CA database to verify whether the “untrusted CA” is recognized. If the CA is not listed, then it is not trusted by major browsers and operating systems.

Resolution plan

If the CA is untrusted, then you can generate a new CSR to obtain a new certificate from a trusted CA.

Obtaining and installing the new certificate

Now you can submit the CSR to a trusted CA and then obtain a new certificate. You can install the new certificate on your server.

For apache

# Edit the SSL configuration file, typically located at /etc/apache2/sites-available/default-ssl.conf
SSLCertificateFile /path/to/yourserver.crt
SSLCertificateKeyFile /path/to/yourserver.key
# Intermediate certificate(s) the server must send so clients can build the chain up to the root.
# SSLCertificateChainFile is obsolete since Apache 2.4.8: you can instead append the
# intermediates to the file named in SSLCertificateFile.
SSLCertificateChainFile /path/to/intermediate.crt
# Restart Apache to apply changes
sudo systemctl restart apache2

For Nginx

# Edit the server block configuration, typically located in /etc/nginx/sites-available/yourserver.conf
server {
    listen 443 ssl;
    server_name yourserver.com;
    # ssl_certificate must contain the server certificate followed by the intermediate(s);
    # nginx has no separate chain directive, so a bare yourserver.crt would not send the chain.
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/yourserver.key;
    # ssl_trusted_certificate is only used to verify OCSP responses and client certificates;
    # it does not add anything to the chain sent to clients.
    ssl_trusted_certificate /path/to/fullchain.pem;
    # Other server settings
}
# Test and reload Nginx configuration
sudo nginx -t
sudo systemctl reload nginx

Here is the Java code, which demonstrates a scenario where a certificate chain is not trusted and how you can handle such situations programmatically:

import javax.net.ssl.*;
import java.io.*;
import java.net.URL;
import java.security.cert.X509Certificate;

public class SSLCertificateValidation {
    public static void main(String[] args) throws Exception {
        // Create a trust manager that trusts all certificates.
        // Chain validation is skipped entirely: the untrusted-authority error goes away,
        // but so does every other check (issuer, expiry, revocation), and any certificate
        // presented on the path is accepted.
        TrustManager[] trustAllCertificates = new TrustManager[]{
                new X509TrustManager() {
                    public X509Certificate[] getAcceptedIssuers() {
                        return new X509Certificate[0]; // empty array rather than null, which some callers dereference
                    }
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {
                        // no checks performed
                    }
                    public void checkServerTrusted(X509Certificate[] certs, String authType) {
                        // no checks performed
                    }
                }
        };

        // Install the all-trusting trust manager as the default for HttpsURLConnection
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustAllCertificates, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        // Set up a dummy hostname verifier to trust all hostnames (a hostname mismatch is no longer detected)
        HostnameVerifier allHostsValid = (hostname, session) -> true;
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
        // URL to access
        URL url = new URL("https://yourserver.com/api/resource");
        // Open a connection
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        // Set request properties if needed (e.g., headers)
        connection.setRequestMethod("GET");
        connection.setRequestProperty("Content-Type", "application/json");
        connection.setConnectTimeout(5000); // 5 seconds timeout
        // Connect and read response
        try (BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()))) {
            String inputLine;
            StringBuilder response = new StringBuilder();
            while ((inputLine = in.readLine()) != null) {
                response.append(inputLine);
            }
            System.out.println("Response from server: " + response.toString());
        } catch (IOException e) {
            // Handle connection or read errors
            System.err.println("Error reading response: " + e.getMessage());
        } finally {
            connection.disconnect();
        }
    }
}

