SSL certificate Chain is not imported correctly #27

Open
LoeschMaximilian opened this issue Mar 2, 2022 · 5 comments
Comments

@LoeschMaximilian

Currently the chain file that gets imported only imports the first certificate in the file and uses it as the local root certificate.
There is no way to import a chain of certificates correctly if the chain is longer than 3 (leaf -> intermediate -> root).

@t-mon
Member

t-mon commented Mar 2, 2022

If I understand you correctly, you are using a PEM containing the entire chain.
You need to use the separate files for each certificate type; Let's Encrypt provides you the individual files too.
https://github.com/nymea/nymea-remoteproxy/blob/master/nymea-remoteproxy.conf#L20

@LoeschMaximilian
Author

Yes I am; it would be very convenient if it worked that way.

The bigger problem is that the certificate found in the chain file overrides the pool of root CA certificates for QSsl with setCAcertificate() and is therefore not used properly in the authentication. It is only an intermediate cert, not a root cert.
And QSsLconfiguration expects the leaf cert in setLocalChain(), which is never set.

@LoeschMaximilian
Author

So, I looked into this a bit more.
We import the cert files separately, but we still have problems.
When trying a TLS handshake with the WebSocketTunnelProxy, the server only sends its leaf cert, not the full chain, which the client then cannot verify, and the connection fails.

@t-mon
Member

t-mon commented Feb 13, 2023

Any update on this? Have you solved the issue?

@LoeschMaximilian
Author

Hi Simon,

yes and no, we got our deployment working, but in our case it was easier to work around the issue. We now have a script running that disassembles the certificate chain. This will still add the intermediate certificate as a root certificate in Qt, but at least it works for now.

I tried to fix it in the code, but it basically broke every test and I do not have the resources to get them working as well.
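The two failure modes discussed in this thread (a chain file whose first block is mistaken for the CA certificate, and a server that presents only its leaf so the peer cannot build a path to the root) can be reproduced without Qt. The following is an added example, not code from nymea-remoteproxy or from the commenters; it uses Go's standard library as a stand-in for QSslConfiguration because that runs stand-alone. Everything in it is constructed: the three certificates are generated at run time, the names `Demo Root CA`, `Demo Intermediate CA` and `proxy.example.test` are invented, and the functions `makeCert`, `BuildDemoBundle`, `SplitPEMBundle`, `RoleOf` and `VerifyAsClient` are hypothetical names for this demo only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn, self-signed when parent is nil (demo-only helper,
// not from the project; it panics rather than returning errors to keep the example short).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true, // encode basicConstraints so CA vs. end-entity is explicit
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // sign with our own key unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// BuildDemoBundle generates root -> intermediate -> leaf (constructed sample data) and
// concatenates them leaf-first into one PEM file, the layout of a chain file. Returns bundle and root.
func BuildDemoBundle() ([]byte, *x509.Certificate) {
	root, rootKey := makeCert("Demo Root CA", true, nil, nil)
	inter, interKey := makeCert("Demo Intermediate CA", true, root, rootKey)
	leaf, _ := makeCert("proxy.example.test", false, inter, interKey)
	var bundle []byte
	for _, c := range []*x509.Certificate{leaf, inter, root} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return bundle, root
}

// SplitPEMBundle returns every CERTIFICATE block in file order; stopping after the first
// block, as the issue describes, would yield only the leaf.
func SplitPEMBundle(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// RoleOf classifies one certificate: a self-signed CA is a root (the only kind that belongs
// in the CA trust store), any other CA is an intermediate, everything else is a leaf.
func RoleOf(c *x509.Certificate) string {
	switch {
	case c.CheckSignatureFrom(c) == nil:
		return "root"
	case c.IsCA:
		return "intermediate"
	}
	return "leaf"
}

// VerifyAsClient does what the proxy's peer does in the handshake: trust only root and
// build a path from presented[0] (the leaf) through whatever else the server sent.
func VerifyAsClient(root *x509.Certificate, presented []*x509.Certificate) error {
	if len(presented) == 0 {
		return errors.New("server presented no certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

Splitting the bundle and classifying each block is the step the workaround script performs by hand; only the block that `RoleOf` reports as `root` should go into the CA pool, while the leaf plus intermediate belong in the local certificate chain the server presents. `VerifyAsClient(root, certs[:1])` reproduces the leaf-only handshake failure, `VerifyAsClient(root, certs[:2])` succeeds, and `VerifyAsClient(certs[1], certs[:1])` shows why the intermediate-as-root workaround still connects: the peer then simply trusts the intermediate directly.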
