
Support of intermediate certificates #287

@Sakirnth-Z

Description


Hello

I use ovn version 25.03.0 and openvswitch version 3.5.0.

I run the following services:
/bin/sh /usr/share/ovn/scripts/ovn-ctl run_nb_ovsdb --ovn-nb-db-ssl-key=privkey.pem --ovn-nb-db-ssl-cert=fullchain.pem --ovn-nb-db-ssl-ca-cert=root.pem

/bin/sh /usr/share/ovn/scripts/ovn-ctl run_sb_ovsdb --ovn-sb-db-ssl-key=privkey.pem --ovn-sb-db-ssl-cert=fullchain.pem --ovn-sb-db-ssl-ca-cert=root.pem --db-sb-cluster-local-addr=[$MY_IP]

ovn-northd --private-key=privkey.pem --certificate=fullchain.pem --ca-cert=root.pem -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=ssl:[$MY_IP]:6641 --no-chdir --log-file=/var/log/ovn/ovn-northd.log --pidfile=/var/run/ovn/ovn-northd.pid --detach

The fullchain.pem contains the server certificate and the intermediate certificate, which is signed by root.pem and signs the server certificate. When I try to connect to these services from a client with root.pem configured as CA, I get the following errors:

/var/log/ovn/ovn-northd.log:
2025-11-13T15:33:27.953Z|00048|stream_ssl|WARN|SSL_connect: error:0A000086:SSL routines::certificate verify failed

ovsdb-server-nb.log:
2025-11-13T15:31:25.986Z|00041|stream_ssl|WARN|SSL_accept: error:0A000418:SSL routines::tlsv1 alert unknown ca
2025-11-13T15:31:25.986Z|00042|reconnect|WARN|ssl:[2a07:6b42:113:19::1]:53904: connection dropped (Protocol error)

ovsdb-server-sb.log:
2025-11-13T15:40:26.289Z|00054|jsonrpc|WARN|ssl:[2a07:6b42:113:19::1]:35506: receive error: Protocol error
2025-11-13T15:40:26.289Z|00055|reconnect|WARN|ssl:[2a07:6b42:113:19::1]:35506: connection dropped (Protocol error)

When I connect to ports 6641 and 6642 I see that it cannot verify the local issuer certificate, and I only see that the server certificate is sent to the client without the intermediate certificate.
openssl s_client -connect $MY_HOST:6641 -showcerts
Connecting to $MY_HOST
CONNECTED(00000003)
depth=0 CN=$MY_HOST
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=$MY_HOST
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=$MY_HOST
verify return:1

We have two intermediate certificates that change frequently. That's why we don't want to save them in the cert store and configure them permanently in ca_cert. Therefore it would be nice if nb_ovsdb and sb_ovsdb supported the use of intermediate certificates.

Cheers
Saki
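The symptom above (verify errors 20 and 21, only the leaf certificate shown by `-showcerts`) is the standard signature of a server that does not present its intermediates. The following script is an added example, not part of this issue or of the OVN/OVS projects: it counts the certificates in a PEM bundle such as fullchain.pem, parses `openssl s_client -showcerts` output for those verify errors and the number of certificates actually presented, and reports whether the gap is on the server side. The sample s_client output and the bundle are constructed to mirror this issue; `probe_server` assumes the `openssl` CLI is installed and is not exercised offline.

```python
"""Check whether a TLS server presents its intermediate certificates."""
import re
import subprocess
from typing import Dict

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)
DEPTH_RE = re.compile(r"^depth=(\d+) ", re.M)

# OpenSSL verify codes meaning "the chain the server sent does not reach a
# trusted root": 20 = unable to get local issuer certificate,
# 21 = unable to verify the first certificate.
CHAIN_GAP_ERRORS = {20, 21}


def count_pem_certs(pem_text: str) -> int:
    """Number of certificate blocks in a PEM bundle (leaf + intermediates)."""
    return len(PEM_CERT_RE.findall(pem_text))


def analyse_s_client(output: str) -> Dict[str, object]:
    """Summarise what `openssl s_client -showcerts` reported."""
    errors = {int(num): msg.strip() for num, msg in VERIFY_ERR_RE.findall(output)}
    depths = [int(d) for d in DEPTH_RE.findall(output)]
    return {
        "certs_presented": count_pem_certs(output),   # blocks the server sent
        "max_depth": max(depths) if depths else None,  # how far the chain was built
        "verify_errors": errors,
        "chain_gap": bool(CHAIN_GAP_ERRORS & errors.keys()),
    }


def diagnose(fullchain_pem: str, s_client_output: str) -> str:
    """Compare the configured bundle with what the client actually saw."""
    configured = count_pem_certs(fullchain_pem)
    report = analyse_s_client(s_client_output)
    if not report["chain_gap"]:
        return "ok: client built a trusted chain"
    if configured > 1 and report["certs_presented"] <= 1:
        return ("chain gap: bundle has %d certificates but the server presented "
                "%d; intermediates are not being sent"
                % (configured, report["certs_presented"]))
    return "chain gap: verify errors %s" % sorted(report["verify_errors"])


def probe_server(host: str, port: int, cafile: str) -> Dict[str, object]:
    """Run openssl s_client against a live endpoint (requires the openssl CLI)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-showcerts", "-CAfile", cafile],
        input=b"", capture_output=True, timeout=15)
    return analyse_s_client(proc.stdout.decode(errors="replace"))


# Constructed sample: a two-certificate bundle (contents are placeholders).
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n"
)

# Constructed sample mirroring the s_client output in this issue, with the
# single leaf block that -showcerts prints included as a placeholder.
SAMPLE_S_CLIENT = """CONNECTED(00000003)
depth=0 CN=nb.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=nb.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=nb.example.test
verify return:1
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_FULLCHAIN, SAMPLE_S_CLIENT))
```

Run `probe_server(host, 6641, "root.pem")` and `probe_server(host, 6642, "root.pem")` against a live deployment; a `chain_gap` with `certs_presented == 1` while the bundle holds more than one certificate confirms the server-side behaviour described above, and the same check turns green once the intermediates are presented.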
