MacOS keychain trust not as expected

[crdant]

I had some issue with certificates on my home DNS today, and thought I'd use dog to debug. I'm using version 0.1.0.

$  dog --version                                                                                    
dog ● command-line DNS client
v0.1.0
https://dns.lookup.dog/

My scenario was that the TLS certificates had expired, and I caught that fairly quickly. Renewed the certs and got them in place. Then tried to validate with dog and it helped me identify the next issue, which was that I only updated one of the pair of servers. After updating that, I hoped for dog to confirm I had the fix, but still wasn't quite there.

Trying to verify the fix, I turned again to dog and was disappointed:

$ dog www.google.com --tls                 
Error [tls]: The certificate was not trusted.

Dug in a bit to see what might be up, and thought maybe it was because Mac didn't trust the roots. That wasn't the case, they're all set.

Tried to present the intermediate with the cert…CoreDNS doesn't let me do that so I was out of luck. So I made sure my Mac trusted the intermediate

Tried again and still no luck

$  dog www.google.com --tls
Error [tls]: The certificate was not trusted.
Error [tls]: The certificate was not trusted.

I switched over to kdig for a sanity check, and it seems to be reading my trust settings correctly.

$  kdig www.google.com +tls                                                                         
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP384R1-SHA384)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5743
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 81 B

;; QUESTION SECTION:
;; www.google.com.     		IN	A

;; ANSWER SECTION:
www.google.com.     	30	IN	A	142.250.64.100

;; Received 158 B
;; Time 2022-05-09 13:21:14 EDT
;; From 10.13.6.253@853(TCP) in 37.0 ms

I'm running on MacOS Monterrey, v 12.3.1, and here's the details from uname.

$  uname -a                                                                                         
Darwin OS-C02F22SVML85 21.4.0 Darwin Kernel Version 21.4.0: Fri Mar 18 00:45:05 PDT 2022; root:xnu-8020.101.4~15/RELEASE_X86_64 x86_64

[crdant]

For completeness, here's the certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:0f:d7:70:6e:2b:12:90:96:b9:ec:49:8a:e2:f5:07:b1:79
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E1
        Validity
            Not Before: May  9 15:15:57 2022 GMT
            Not After : Aug  7 15:15:56 2022 GMT
        Subject: CN=dns.crdant.net
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:c4:e4:0b:d5:3f:6f:5d:68:11:4d:c0:a0:93:be:
                    27:a0:db:b4:57:fd:8c:32:9b:c7:3b:23:a3:a1:20:
                    3c:e2:20:4c:1e:30:60:14:a7:46:c5:da:74:ef:c3:
                    a9:21:ab:20:b1:4b:1d:25:84:cf:b7:70:76:6f:60:
                    be:b4:e5:5d:88:f7:e7:27:c0:f9:5c:c0:a3:0c:ca:
                    3f:56:3d:4a:b3:0d:dc:6f:6e:76:12:b4:7d:2d:99:
                    9a:c7:29:ec:ae:88:58
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                50:64:30:94:3D:FE:96:98:61:E7:46:19:DB:2A:E3:8B:CD:DF:26:FF
            X509v3 Authority Key Identifier: 
                keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC

            Authority Information Access: 
                OCSP - URI:http://e1.o.lencr.org
                CA Issuers - URI:http://e1.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:dns.crdant.net
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            1.3.6.1.4.1.11129.2.4.2: 
                ......v...^.h.O.l..._N>Z.....j^.;.. D\*s.......0.....G0E. 
f...y%.'.j.rb...)TN..,..W.[J....!..W...-.k......v...J..\pS.\...@.0.v.F.U.u.. 0...i..}.,At..I.....p.mG.......:.....G0E.!..)
.@..Y....|1..J..\..uF......v
. -X.Q<...#.u.
[.4`..9.VGC.%......
    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:30:1f:7e:cc:2d:19:5f:12:af:c6:1d:cc:f8:62:f7:
         72:49:76:40:5f:a0:3b:59:76:83:35:a4:05:27:c5:73:11:b3:
         11:50:56:ec:27:64:90:dc:f2:6e:e7:4b:3e:02:95:73:02:31:
         00:f4:c9:f5:ca:b4:b4:61:89:8c:8f:c1:8b:5e:57:a2:c2:08:
         99:a3:85:08:4f:24:c8:80:1c:f4:c0:8a:f5:7b:3a:a9:6f:27:
         a3:b9:2b:03:23:51:90:9a:fa:c7:14:11:18

[xavetar]

First, install openssl (v3), then create any folder that be contains your certificates. Open shell and enter: "mkdir CA && mkdir Localhost".

Generate CA:

1. openssl genrsa -aes256 -out "CA/CRDANT CA Private Key.key" 4096
2. openssl req -x509 -sha512 -new -nodes -key "CA/CRDANT CA Private Key.key" -days 3650 -out "CA/CRDANT CA Self Signed Root CA.pem"

Generate for Localhost usage (macOS):

3. echo "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:false\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\nextendedKeyUsage = clientAuth, serverAuth\n\n[alt_names]\nIP.1 = 127.0.0.1\nDNS.1 = localhost" > Localhost/localhost.ext
4. openssl genrsa -aes256 -out "Localhost/localhost.psw.key" 4096
5. openssl req -new -key "Localhost/localhost.psw.key" -out "Localhost/localhost.csr"
6. openssl x509 -req -in Localhost/localhost.csr -CA "CA/CRDANT CA Self Signed Root CA.pem" -CAkey "CA/CRDANT CA Private Key.key" -CAcreateserial -out "Localhost/localhost.pem" -days 365 -sha512 -extfile "Localhost/localhost.ext"

Install CA and use Localhost certificate on your localhost server. The problem is long period.