Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing - Mailing list pgsql-hackers

From Jacob Champion
Subject Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing
Msg-id CAOYmi+mvh1NHpqy9y4V3v8Cknu3Vy6bRSS4uVwBqns1qgZCT-g@mail.gmail.com
In response to Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing  (Thomas Spear <speeddymon@gmail.com>)
Responses Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing
List pgsql-hackers
On Wed, May 1, 2024 at 6:48 AM Thomas Spear <speeddymon@gmail.com> wrote:
> I dumped out the certificates presented by the server using openssl, and the chain that gets output includes "Microsoft Azure RSA TLS Issuing CA 08".
> On https://www.microsoft.com/pkiops/docs/repository.htm the page says that that cert was cross-signed by the DigiCert RSAG2 root.

It's been a while since I've looked at cross-signing, but that may not
be enough information to prove that it's the "correct" version of the
intermediate. You'd need to know the Issuer, not just the Subject, for
all the intermediates that were given to the client. (It may not match
the one they have linked on their support page.)

> The postgres server appears to send the Microsoft root certificate instead of the DigiCert one, which should be fine. The server sends the "Microsoft RSA Root Certificate Authority 2017" root.
> As far as I understand, a server sending a root certificate along with the intermediate is a big no-no, but that's a topic for a different thread and audience most likely. :)

To me, that only makes me more suspicious that the chain the server is
sending you may not be the chain you're expecting. Especially since
you mentioned on the other thread that the MS root is working and the
DigiCert root is not.

> The openssl version in my Windows test system is 3.0.7. It's running Almalinux 9 in WSL2, so openssl is from the package manager. The container image I'm using has an old-as-dirt openssl 1.1.1k.

I'm not aware of any validation issues with 1.1.1k, for what it's
worth. If upgrading helps, great! -- but I wouldn't be surprised if it
didn't.

> I'll have to check one of our public cloud postgres instances to see if I can reproduce the issue there in order to get a chain that I can share because the system where I'm testing is a locked down jump host to our Azure GovCloud infrastructure, and I can't copy anything out from it.

Yeah, if at all possible, that'd make it easier to point at any
glaring problems.

Thanks,
--Jacob
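The check Jacob describes (look at the Issuer of every intermediate, not just its Subject) can be scripted against a dumped chain. The following is an added example, not code from the thread or from PostgreSQL: it takes a PEM bundle such as the output of `openssl s_client -showcerts`, prints each certificate's Subject and Issuer, and verifies that every Issuer names the next certificate's Subject, ending with the anchor that the client's `sslrootcert` file must contain. It assumes `openssl` is on PATH; the function names and file paths are mine.

```shell
#!/bin/sh
# Added example (not code from the thread). Input: a PEM bundle, e.g. from
#   openssl s_client -showcerts -starttls postgres -connect HOST:5432
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH.

# Print "subject<TAB>issuer" (RFC 2253 form) for each certificate in file $1,
# in the order the certificates appear (i.e. the order the server sent them).
chain_pairs() {
    tmp=$(mktemp -d)
    # One file per BEGIN/END CERTIFICATE block; anything outside the blocks
    # (s_client chatter, the "s:/i:" summary lines) is dropped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$1"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        i=$(openssl x509 -in "$f" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//')
        printf '%s\t%s\n' "$s" "$i"
    done
    rm -rf "$tmp"
}

# Walk the chain: exit 0 when every Issuer matches the following Subject,
# 1 when a link is broken. The final Issuer is the name that must be present
# in the client's sslrootcert file. A server that also sends its root is
# harmless to this check, because a self-signed root names itself.
chain_check() {
    chain_pairs "$1" | awk -F '\t' '
        NR > 1 && $1 != prev_issuer {
            printf "BREAK: cert %d was issued by [%s] but cert %d is [%s]\n", NR-1, prev_issuer, NR, $1
            bad = 1
        }
        { printf "cert %d\n  subject: %s\n  issuer:  %s\n", NR, $1, $2; prev_issuer = $2 }
        END { printf "trust anchor needed in sslrootcert: %s\n", prev_issuer; exit bad }'
}

# Usage: sh chain_check.sh server_chain.pem
if [ "$#" -gt 0 ]; then chain_check "$1"; fi
```

A cross-signed intermediate shows up here as an Issuer that differs from the root you expected, which is exactly the case where the chain "looks right" by Subject alone but fails against a given `sslrootcert`.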


