Hello,
I am using Ubuntu Jaunty and I have an electronic invoice (Nota Fiscal eletrônica) application that makes secure connections. I need to add the new CA certificates. Here is what I did:
1. I got the new certificate (Certificado_AC_NFE_RS.P7B); you can download it from this link to test:
http://www.nfe.fazenda.gov.br/portal/docs/Certificado_AC_NFE_RS.P7B
2. I converted it to PEM format:
openssl pkcs7 -inform DER -in Certificado_AC_NFE_RS.P7B -outform PEM -out Certificado_AC_NFE_RS.pem -print_certs
3. I created the directory /usr/share/ca-certificates/sefazrs and moved the certificate into it:
sudo mkdir /usr/share/ca-certificates/sefazrs
sudo mv Certificado_AC_NFE_RS.pem /usr/share/ca-certificates/sefazrs/sefazrs.crt
4. I ran the following command to update the certificates and selected the certificate sefazrs/sefazrs.crt:
sudo dpkg-reconfigure ca-certificates
However, the installed certificate does not work.
I tried the following check:
$ openssl s_client -connect homologacao.nfe.sefaz.rs.gov.br:443
CONNECTED(00000003)
depth=2 /C=BR/O=ICP-Brasil/CN=Autoridade Certificadora SERPRO v2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=SEFAZ/OU=Equipamento A1/CN=homologacao.nfe.sefaz.rs.gov.br
i:/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
1 s:/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
i:/C=BR/O=ICP-Brasil/CN=Autoridade Certificadora SERPRO v2
2 s:/C=BR/O=ICP-Brasil/CN=Autoridade Certificadora SERPRO v2
i:/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=Autoridade Certificadora Raiz Brasileira v1
---
Server certificate
subject=/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=SEFAZ/OU=Equipamento A1/CN=homologacao.nfe.sefaz.rs.gov.br
issuer=/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
---
No client certificate CA names sent
---
SSL handshake has read 4025 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 2B1A000018E9AB01417ACA144589BC9FD2E3C1B363713CF0C182B9A53FE154A8
Session-ID-ctx:
Master-Key: C09CE077EE24D50136F72E31E71E57F57EF16B12FFEF3E955E5B36952FDD80461C3491FC0F916F0D5A546F68CD2CFB93
Key-Arg : None
Start Time: 1247431586
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
I have Fedora 11 on another machine, where I ran the same test, and there it works correctly; see:
openssl s_client -connect homologacao.nfe.sefaz.rs.gov.br:443
CONNECTED(00000003)
depth=3 /C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=Autoridade Certificadora Raiz Brasileira v1
verify return:1
depth=2 /C=BR/O=ICP-Brasil/CN=Autoridade Certificadora SERPRO v2
verify return:1
depth=1 /C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
verify return:1
depth=0 /C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=SEFAZ/OU=Equipamento A1/CN=homologacao.nfe.sefaz.rs.gov.br
verify return:1
---
Certificate chain
0 s:/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=SEFAZ/OU=Equipamento A1/CN=homologacao.nfe.sefaz.rs.gov.br
i:/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
1 s:/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
i:/C=BR/O=ICP-Brasil/CN=Autoridade Certificadora SERPRO v2
2 s:/C=BR/O=ICP-Brasil/CN=Autoridade Certificadora SERPRO v2
i:/C=BR/O=ICP-Brasil/OU=Instituto Nacional de Tecnologia da Informacao - ITI/CN=Autoridade Certificadora Raiz Brasileira v1
---
Server certificate
subject=/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=SEFAZ/OU=Equipamento A1/CN=homologacao.nfe.sefaz.rs.gov.br
issuer=/C=BR/O=ICP-Brasil/OU=Servico Federal de Processamento de Dados - SERPRO/OU=CSPB-1/CN=Autoridade Certificadora do SERPRO Final v2
---
No client certificate CA names sent
---
SSL handshake has read 4025 bytes and written 327 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 8D0300004E220F3113894330A68E9E3E15FF163ED238EAFBAA579657C78780F3
Session-ID-ctx:
Master-Key: D3B48D43FE4EAE00A36084314ED1206AAFA4BEB74C34907EFA6919887A24F392B6DCDB0CED7346652833E2DECD6C4D74
Key-Arg : None
Krb5 Principal: None
Start Time: 1247431665
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
The difference on Fedora is that I added the certificate to the file /etc/pki/tls/cert.pem (it is a single file) and it worked correctly. I tried doing the same on Ubuntu, adding it directly to the file /etc/ssl/certs/ca-certificates.crt, but that did not work either.
How can I solve this?
Thanks, regards.
Marcelo Estanislau Geyer
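
Added example, not part of the original post: `openssl pkcs7 -print_certs` writes every certificate in the P7B into one file, with `subject=`/`issuer=` text between them, while the hashed lookup directory under /etc/ssl/certs names each entry after a single certificate's subject hash. Assuming the P7B carries more than one certificate (the post does not say), this sketch splits such a bundle into one .crt file per certificate; the helper names and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Split a PEM bundle into one certificate per .crt file.

# Constructed sample shaped like `openssl pkcs7 -print_certs` output.
# The base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
subject=/C=BR/O=Example/CN=Constructed Intermediate CA
issuer=/C=BR/O=Example/CN=Constructed Root CA

-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----

subject=/C=BR/O=Example/CN=Constructed Root CA
issuer=/C=BR/O=Example/CN=Constructed Root CA

-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----

EOF
}

# split_pem_bundle BUNDLE OUTDIR PREFIX  (hypothetical helper name)
# Writes OUTDIR/PREFIX-1.crt, PREFIX-2.crt, ... and prints how many were
# written. Text outside BEGIN/END markers (subject=, issuer=) is dropped.
split_pem_bundle() {
    bundle=$1; outdir=$2; prefix=$3
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" -v pre="$prefix" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre "-" n ".crt"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Demo on the constructed sample, in a scratch directory.
tmp=$(mktemp -d)
write_sample_bundle "$tmp/bundle.pem"
echo "certificates written: $(split_pem_bundle "$tmp/bundle.pem" "$tmp/out" sefazrs)"
rm -rf "$tmp"
```

Each resulting file can be inspected with `openssl x509 -noout -subject -issuer -in FILE` before it is placed under /usr/share/ca-certificates/sefazrs/ and selected in `dpkg-reconfigure ca-certificates`. When repeating the `openssl s_client` check, passing `-CApath /etc/ssl/certs` names the trust directory explicitly instead of relying on the build's default.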