Annual pain of CT600 submission on Linux
Every year or so I am reminded that yet another year has gone by without the HMRC and Companies House fixing their awful electronic CT600 corporation tax return. If you're a company you don't really get a lot of choice about using this form once a year and these days it pretty much has to be done electronically.
I'm going to mostly overlook the fact that this form is awfully designed, forces you to type in blocks of standard text and insists on you entering and re-entering identical information several times throughout the form. Even the use of the horrendous Adobe Acrobat forms technology could be forgiveable, if only it actually worked!
However, it sadly does not. There is (and has been every year that I've been involved with submitting this form) a problem with Adobe's Acrobat reader accepting the SSL certificates of the Companies House submission site.
This year, I thought I'd actually write up the process of fixing this. Let's start with the error message:
SSL Error!!! Please install the CA Certificate(s) for SSL Communication if certificate resides on local disk, try "acroread -installCertificate [-PEM|-DER] [pathname]" on the command line. if certificate resides on the server try "acroread -installCertificate xmlgw.companieshouse.gov.uk 443" on command line.
It helpfully suggests a solution right there in the error message. Further more if you open a terminal and run the second command that is suggested, it will appear to do the right thing. The only trouble is, that it doesn't! What it will actually do is install just the first certificate in the chain and the full verification of the chain will still fail.
So, whistle stop tour of how to actually fix it (using the command line obviously, none of that nonsense web browser, pointing and clicking stuff that other guides out there already suggest!)...
Check that you can actually verify the certificate (you may need a different CApath, this one is suitable for Ubuntu/Debian):
$ openssl s_client -CApath /etc/ssl/certs/ -connect xmlgw.companieshouse.gov.uk:443 ... Verify return code: 0 (ok)
Assuming openssl can verify the chain, you have everything you need. First, check how many certificates are involved. Look at the first few lines of output from the command above and you should see a certificate list, something like:
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware verify return:1 depth=1 C = IE, ST = Dublin, L = Dublin, O = Digi-Sign Limited, OU = Terms and Conditions of use: http://www.digi-sign.com/repository, CN = Digi-Sign CA Digi-SSL Xp verify return:1 depth=0 C = GB, ST = Wales, L = Cardiff, O = Companies House, OU = IT Infrastructure, OU = Provided by Digi-Sign Limited, OU = Digi-SSL Xp, CN = xmlgw.companieshouse.gov.uk verify return:1
To collect the certificates we can from s_client, add "-showcerts" to the openssl command (and save a copy of the output):
$ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect xmlgw.companieshouse.gov.uk:443 | tee certs.txt
Within the output, you should see some certificates, I get two during this example. The important bits are wrapped with begin and end lines like:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
For each certificate, copy the output file to a new file and then edit it to remove everything except the certificate. Leaving just the begin/end lines and all the characters between them. Make sure each file only ends up with one certificate (and that they aren't the same one!). I called my two files cert1.pem and cert2.pem:
$ cp certs.txt cert1.pem $ vi cert1.pem $ cp certs.txt cert2.pem $ vi cert2.pem
Then tell acroread about them:
acroread -installCertificate -PEM cert1.pem acroread -installCertificate -PEM cert2.pem
Each time you should check the issuer displayed and confirm the import.
For me there is one certificate left, which is the top level CA that openssl does not list. To find this file, we'll need the issuer hash of the second certificate from above:
$ openssl x509 -issuer_hash -noout -in /tmp/cert2.pem b13cc6df
We can then use that hash directly to import the CA:
acroread -installCertificate -PEM /etc/ssl/certs/b13cc6df.0
Now, finally, we can get can to filling in the CT600!