Pither.com / Simon
Development, systems administration, parenting and business

Annual pain of CT600 submission on Linux

Every year or so I am reminded that yet another year has gone by without the HMRC and Companies House fixing their awful electronic CT600 corporation tax return. If you're a company you don't really get a lot of choice about using this form once a year and these days it pretty much has to be done electronically.

I'm going to mostly overlook the fact that this form is awfully designed, forces you to type in blocks of standard text and insists on you entering and re-entering identical information several times throughout the form. Even the use of the horrendous Adobe Acrobat forms technology could be forgivable, if only it actually worked!

However, it sadly does not. There is (and has been every year that I've been involved with submitting this form) a problem with Adobe's Acrobat reader accepting the SSL certificates of the Companies House submission site.

This year, I thought I'd actually write up the process of fixing this. Let's start with the error message:

SSL Error!!! Please install the CA Certificate(s) for SSL
Communication if certificate resides on local disk, try
"acroread -installCertificate [-PEM|-DER] [pathname]" on
the command line. if certificate resides on the server try
"acroread -installCertificate xmlgw.companieshouse.gov.uk 443"
on command line.

It helpfully suggests a solution right there in the error message. Furthermore, if you open a terminal and run the second suggested command, it will appear to do the right thing. The only trouble is that it doesn't! What it actually does is install just the first certificate in the chain, so full verification of the chain still fails.

So, whistle stop tour of how to actually fix it (using the command line obviously, none of that nonsense web browser, pointing and clicking stuff that other guides out there already suggest!)...

Check that you can actually verify the certificate (you may need a different CApath, this one is suitable for Ubuntu/Debian):

$ openssl s_client -CApath /etc/ssl/certs/ -connect xmlgw.companieshouse.gov.uk:443
...
    Verify return code: 0 (ok)

Assuming openssl can verify the chain, you have everything you need. First, check how many certificates are involved. Look at the first few lines of output from the command above and you should see a certificate list, something like:

depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = IE, ST = Dublin, L = Dublin, O = Digi-Sign Limited, OU = Terms and Conditions of use: http://www.digi-sign.com/repository, CN = Digi-Sign CA Digi-SSL Xp
verify return:1
depth=0 C = GB, ST = Wales, L = Cardiff, O = Companies House, OU = IT Infrastructure, OU = Provided by Digi-Sign Limited, OU = Digi-SSL Xp, CN = xmlgw.companieshouse.gov.uk
verify return:1

To collect the certificates that s_client can give us, add "-showcerts" to the openssl command (and save a copy of the output):

$ openssl s_client -CApath /etc/ssl/certs/ -showcerts -connect xmlgw.companieshouse.gov.uk:443 | tee certs.txt

Within the output you should see some certificates; I get two in this example. The important bits are wrapped in begin and end lines like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

For each certificate, copy the output file to a new file and then edit it to remove everything except the certificate, leaving just the begin/end lines and all the characters between them. Make sure each file ends up with only one certificate (and that they aren't the same one!). I called my two files cert1.pem and cert2.pem:

$ cp certs.txt cert1.pem
$ vi cert1.pem
$ cp certs.txt cert2.pem
$ vi cert2.pem

Then tell acroread about them:

acroread -installCertificate -PEM cert1.pem
acroread -installCertificate -PEM cert2.pem

Each time you should check the issuer displayed and confirm the import.

For me there is one certificate left, which is the top level CA that openssl does not list. To find this file, we'll need the issuer hash of the second certificate from above:

$ openssl x509 -issuer_hash -noout -in cert2.pem
b13cc6df

We can then use that hash directly to import the CA:

acroread -installCertificate -PEM /etc/ssl/certs/b13cc6df.0
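
The copy-and-edit steps and the issuer-hash lookup above can be scripted. This is an added example, not part of the original post: the function names split_pem_chain and root_ca_for are hypothetical, the sample input is constructed with placeholder bodies instead of real certificates, and root_ca_for assumes a hashed CA directory like the Debian/Ubuntu one used above.

```shell
#!/bin/sh
# split_pem_chain FILE PREFIX: write each distinct BEGIN/END CERTIFICATE block
# to PREFIX1.pem, PREFIX2.pem, ... and echo how many files were written.
# s_client prints the leaf again under "Server certificate", so a block that
# has already been written is skipped.
split_pem_chain() {
    awk -v prefix="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { buf = ""; keep = 1 }
        keep { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----$/ && keep {
            keep = 0
            if (buf in seen) next
            seen[buf] = 1; out = prefix (++n) ".pem"
            printf "%s", buf > out; close(out)
        }
        END { print n + 0 }
    ' "$1"
}

# root_ca_for CERT [CAPATH]: echo the hashed CA file that issued CERT.
# Only the ".0" name is checked; colliding hashes would be ".1", ".2", ...
root_ca_for() {
    hash=$(openssl x509 -issuer_hash -noout -in "$1") || return 1
    [ -e "${2:-/etc/ssl/certs}/$hash.0" ] || return 1
    echo "${2:-/etc/ssl/certs}/$hash.0"
}

# Constructed stand-in for certs.txt (placeholder bodies, not real certificates).
demo=$(mktemp -d)
cat > "$demo/certs.txt" <<'EOF'
Certificate chain
 0 s:CN = xmlgw.companieshouse.gov.uk
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:CN = Digi-Sign CA Digi-SSL Xp
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
Server certificate
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
EOF
count=$(split_pem_chain "$demo/certs.txt" "$demo/cert")
echo "wrote $count certificate file(s) under $demo"

# With real s_client output saved in certs.txt:
#   split_pem_chain certs.txt cert
#   acroread -installCertificate -PEM "$(root_ca_for cert2.pem)"
```

Before importing anything into acroread, running "openssl verify -CApath /etc/ssl/certs -untrusted cert2.pem cert1.pem" confirms that the split files really do chain to a root the system already trusts.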

Now, finally, we can get on to filling in the CT600!

Comments

On Jan. 5, 2012, 7:39 p.m. Roy Trubshaw said...

Excellent and mostly helpful.

In my case, however, I was running Fedora and the final step didn't work for me.

I did find that Firefox (or Chrome I believe) will allow one to download the Certificate chain one at a time into PEM files which one can then import manually. (Just stick "xmlgw.companieshouse.gov.uk:443" as the URL and browse to it.)

Ultimately this didn't work for me either, so I was forced to create a Virtual Machine and install a version of Windows I had lying around... grr!

Still, this will teach me to leave things 'til almost the last second!

On Jan. 14, 2012, 5:26 p.m. Tim Jackson said...

Running Ubuntu 10.04 on AMD64

That worked for me just fine, except CT600 was asking for secure.gateway.gov.uk rather than xmlgw. Thanks.

On Feb. 1, 2012, 2:10 p.m. Alex Whiting said...

Respect!! Thanks so much for this. It is the only method I could make work. With quite a lot of CT600 returns to make in the year, to be rescued from a Windows VM is a big relief.
I too used secure.gateway.gov.uk:443 since Companies House filings are not essential to be done online. This method gets the correct 3 files stored in Debian stable in ~/.adobe/Acrobat/9.0/Cert/ and in the correct form.

On March 15, 2012, 5:08 p.m. Daniel James said...

Thanks for the tips! The certificate chain I had to install to get the final submission to HMRC working was:

secure.gateway.gov.uk
VeriSignClass3PublicPrimaryCertificationAuthority-G5
VeriSignClass3SecureServerCA-G3

On April 19, 2012, 12:25 p.m. Jay said...

I have been experiencing the same problem and have been advised to install an updated version of Adobe:

ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.5.1/enu/

as per the adobe forum thread -

http://forums.adobe.com/thread/990975

On June 30, 2012, 1:06 p.m. Ralph Corderoy said...

Thanks, worked for me, with the proviso that I needed secure.gateway.gov.uk as the error suggested and that acroread(1) needs restarting before the newly installed certificates seem to have effect.

Other sufferers may like to give feedback to HMRC to this effect, perhaps linking to this webpage. Visit http://www.hmrc.gov.uk/comment/online-sevices-feedback-1.htm and enter the complaint in a comment box; I used the last one. The rest of the form is optional.

On Aug. 18, 2012, 7:19 p.m. TMIT Limited said...

We have engaged HMRC over their failure to make the online ct600 system work naturally with any commercial grade OS without disabling secure protocols from the command line. In April 2012 they "referred" this to their techies - we are still (19 Aug) waiting. Please write to your MP to cite the astonishing incompetence of HMRC in deploying untested, proprietary software that fails almost all standards criteria.

On Aug. 8, 2013, 12:14 a.m. Richard said...

I found that upgrading to the latest Acrobat (9.5.5) worked better than 9.4.7 here: the 9.4.7 version kept throwing the SSL error even so. Thank you very much for a really helpful post!
