Error 60 in Landscape: a failing certificate chain

Jurjen Bokma

February


The problem

We have a Landscape server to keep our Ubuntu PCs well-behaved. When they boot for the first time, they are supposed to apply for a Landscape membership with:

landscape-config --import=https://landscapehost.rug.nl/config/bootstrap.conf -t $(hostname -f) --script-users=me,you,everybody --silent --registration-password=verysecretofcourse

But this fails with:

Fetching configuration from https://landscapehost.rug.nl/config/bootstrap.conf...
Couldn't download configuration from https://landscapehost.rug.nl/config/bootstrap.conf: Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Now, when we fetch bootstrap.conf with a browser, it doesn't complain. Wget complains about the certificate on some machines, but not on all, most notably not on the client we are trying to connect to Landscape. But openssl reports a self-signed certificate in the chain:

openssl s_client -host landscapehost.rug.nl -port 443
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=NL/O=Rijksuniversiteit Groningen/OU=CITNWD/CN=landscapehost.rug.nl
  i:/C=NL/O=TERENA/CN=TERENA SSL CA
1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root   (1)
  i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
  i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=NL/O=TERENA/CN=TERENA SSL CA
  i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
<snip>

(1) The issuer of this certificate is the same as its subject. We'd expect that only at the top of the chain.
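
The check done by eye above can be automated. The following is an added example, not part of the original article: it parses the "Certificate chain" section of the s_client output shown above (callout marker left out) and reports any self-signed certificate that is not the last one. Going slightly beyond the text, it also reports any certificate whose issuer is not the subject of the certificate that follows it. The function and constant names are this example's own.

```python
import re

MISPLACED_ROOT = "self-signed certificate before the end of the chain"
BROKEN_LINK = "issuer is not the subject of the next certificate"

# Chain section copied from the s_client output above (callout marker left out).
S_CLIENT_CHAIN = """\
Certificate chain
0 s:/C=NL/O=Rijksuniversiteit Groningen/OU=CITNWD/CN=landscapehost.rug.nl
  i:/C=NL/O=TERENA/CN=TERENA SSL CA
1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
  i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
  i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=NL/O=TERENA/CN=TERENA SSL CA
  i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client's chain listing."""
    chain, current = [], None
    for line in text.splitlines():
        subj = re.match(r"\s*(\d+)\s+s:(.*)$", line)
        iss = re.match(r"\s+i:(.*)$", line)
        if subj:
            current = (int(subj.group(1)), subj.group(2).strip())
        elif iss and current:
            chain.append((current[0], current[1], iss.group(1).strip()))
            current = None
    return chain

def check_chain(chain):
    """Return [(depth, problem), ...] in the order the server sent the certs."""
    findings = []
    last = len(chain) - 1
    for pos, (depth, subject, issuer) in enumerate(chain[:-1]):
        if subject == issuer:
            # A self-signed certificate is only expected as the final entry.
            findings.append((depth, MISPLACED_ROOT))
        elif issuer != chain[pos + 1][1]:
            findings.append((depth, BROKEN_LINK))
    return findings

if __name__ == "__main__":
    for depth, problem in check_chain(parse_chain(S_CLIENT_CHAIN)):
        print(f"certificate {depth}: {problem}")
```
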