Verify server certificate chain that includes intermediate certificate

README.md

@@ -29,7 +29,7 @@ By configuring `fleet_telemetry_config`, individual owners and fleet operators c
     - From a local computer, create `validate_server.json` with the following fields:
       - `hostname`: The hostname the fleet-telemetry server.
       - `port`: The port the fleet-telemetry server -- Default 443.
-      - `ca`: The full certificate chain used to generate the server's TLS certificate.
+      - `ca`: The certificate authority used to generate the server's TLS certificate.
     - Run `./check_server_cert.sh validate_server.json`
 9. Pair the application's virtual key to the vehicle(s). See documentation here: https://developer.tesla.com/docs/fleet-api/virtual-keys/developer-guide.
 10. Configure and run the [vehicle-command proxy](https://github.com/teslamotors/vehicle-command#installation-and-configuration) with the application private key.
@@ -98,7 +98,7 @@ For ease of installation and operation, run Fleet Telemetry on Kubernetes or a s
     ]
   },
   "tls": {
-    "server_cert": string - server cert location,
+    "server_cert": string - server cert chain location,
     "server_key": string - server key location
   }
 }

tools/check_server_cert.sh

@@ -33,23 +33,28 @@ CA=$(jq -r ".ca" "$CONFIG")
 PORT=$(jq -r '.port // 443' "$CONFIG")
 
 CA_CERT_FILE=$(mktemp)
+INTERMEDIATE_CERT_FILE=$(mktemp)
 SERVER_CERT_FILE=$(mktemp)
 TMP_SERVER_CERT_FILE=$(mktemp)
 echo "$CA" > "$CA_CERT_FILE"
 
 echo | openssl s_client -connect "$HOSTNAME:$PORT" -servername "$HOSTNAME" -showcerts 2>/dev/null > "$TMP_SERVER_CERT_FILE"
 openssl x509 -in "$TMP_SERVER_CERT_FILE" -outform PEM > "$SERVER_CERT_FILE"
+awk '/-----BEGIN CERTIFICATE-----/&&++k==2,/-----END CERTIFICATE-----/' "$TMP_SERVER_CERT_FILE" > "$INTERMEDIATE_CERT_FILE"
 
-if openssl verify -CAfile "$CA_CERT_FILE" "$SERVER_CERT_FILE"; then
+if openssl verify -CAfile "$CA_CERT_FILE" "$SERVER_CERT_FILE" 2>/dev/null; then
     success "The server certificate is valid."
 else
-  if openssl verify -partial_chain -CAfile "$CA_CERT_FILE" "$SERVER_CERT_FILE"; then
+  if [ -s "$INTERMEDIATE_CERT_FILE" ] && openssl verify -CAfile "$CA_CERT_FILE" -untrusted "$INTERMEDIATE_CERT_FILE" "$SERVER_CERT_FILE" 2>/dev/null; then
+      success "The server certificate chain is valid."
+  elif openssl verify -partial_chain -CAfile "$CA_CERT_FILE" "$SERVER_CERT_FILE" 2>/dev/null; then
       warning "The server certificate has a valid partial chain, and may work with the root chain."
   else
       error "The server certificate is invalid."
   fi
 fi
 
 rm "$CA_CERT_FILE"
+rm "$INTERMEDIATE_CERT_FILE"
 rm "$SERVER_CERT_FILE"
 rm "$TMP_SERVER_CERT_FILE"