Oracle 19c - ORA-29024 (Certificate validation failure) - https

I am trying to use the UTL_HTTP package to send requests to a remote web server.
It works well using plain HTTP, but when I try to use HTTPS, I always get ORA-29024.
What I did so far:
Create a wallet:
    mkdir /oracle/admin/mydb/my_wallet
    orapki wallet create -wallet /oracle/admin/mydb/my_wallet -pwd mypwd -auto_login
Used Chrome to browse to the https website and downloaded the certificate to a p7b file.
Stored the p7b file on the database machine in /tmp/mycert.p7b.
Imported the certificate into the wallet:
    orapki wallet add -wallet /oracle/admin/mydb/my_wallet/ -trusted_cert -cert "/tmp/mycert.p7b" -pwd mypwd
Checked the wallet status:
    orapki wallet display -wallet /oracle/admin/mydb/my_wallet
which gives:
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: CN=*.remote.server.com
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Subject: CN=R3,O=Let's Encrypt,C=US
Tried to send a request:
    EXEC UTL_HTTP.set_wallet('file:/oracle/admin/mydb/my_wallet', 'mypwd');
    select UTL_HTTP.REQUEST('https://mes.customer.remove.server.com',NULL,'file:/oracle/admin/mydb/my_wallet','mypwd') from dual;
But unfortunately the result was:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1530
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 380
ORA-06512: at "SYS.UTL_HTTP", line 1470
ORA-06512: at line 1
Any idea what else I could try?
Can it be caused because the certificate is a wildcard (*) certificate?

I have the same exact error, and yes, it's because it is a wildcard certificate. What I did on 19c was to delete only the wildcard certificate from the wallet but leave all the others from the certification path, and it worked. However, the same behaviour doesn't apply on 12.2.0. Tell me if it worked for you too on 19c.

Related

Self-signed SSL cert works in IE & curl but no modern browsers

I'm experiencing a somewhat perplexing issue with a self-signed SSL certificate that Windows recognizes as valid, but which no modern browsers will accept.
The certificate is present in the system certificate store (accessed via the Certificates snap-in in MMC), within both the Personal and Trusted Root Certification Authorities folders, and marked as valid.
Per the utility SSL Certificate Verifier, the certificate and certificate chain are valid.
Here is its output:
**************************************************************************
Processing 'localhost'
**************************************************************************
Scan started: 21-09-2020 13:43:33
Generating connection string...
Connection string is: https://localhost:14006/
Entering certificate validation callback function...
Server returned 1 certificates.
Entering server certificate chain validation function...
Leaf certificate issued to: E=REDACTED, CN=localhost, O=localhost, L=New York, S=NY, C=US
Found Subject Alternative Names extension in the certificate.
Fetching SAN values:
DNS Name=localhost
DNS Name=127.0.0.1
DNS Name=::1
IP Address=0000:0000:0000:0000:0000:0000:0000:0001
IP Address=127.0.0.1
Certificate chain successfully passed all checks.
Finished!
Scan ended: 21-09-2020 13:43:33
If I attempt to access the service using Internet Explorer or curl, I get the expected 200 result from the service.
However, if I try to access the service using Edge, Chrome, Opera, or Firefox, I get ERR_CONNECTION_RESET. Before adding the certificate to Firefox's certificate store, I got PR_CONNECT_RESET_ERROR but now that also throws ERR_CONNECTION_RESET.
There are no proxies or VPNs active on my system or anything else that would interfere with Windows' networking. I'm at a complete loss. What on earth is happening here and how do I go about fixing it?
I had exactly the same symptoms - IE and curl working. Chrome, Edge and Firefox not, all reporting ERR_CONNECTION_RESET.
Ultimately it was pinned down to a corrupt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\Functions key.
nmap reported a single cipher in use when it was broken:
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
Reloaded the key with a correct value:
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
The absence of the GCM ciphers is the likely cause, given Chromium was reporting them as obsolete five years ago.
I had a similar problem on Chrome where it said NET::ERR_CERT_COMMON_NAME_INVALID; it turns out the error was with the certificate itself.
Try to create a certificate with the link below:
SSL Certificate

How to configure local issuer certificate in Wamp using OpenSSL in Laravel project?

I'm trying to send an SMS locally with Nexmo. I configured my Wamp server to use OpenSSL, but when I try sending, I get this error:
cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)
I'm sending the message from a route in my web.php like this:
    Route::get('/sms/send/{to}', function (\Nexmo\Client $nexmo, $to) {
        $message = $nexmo->message()->send([
            'to'   => $to,
            'from' => env('NEXMO_NUMBER'),
            'text' => 'Sending SMS from Laravel. Woohoo!'
        ]);
        Log::info('sent message: ' . $message['message-id']);
    });
I need help with how I can fix this.
Source: https://github.com/nexmo/nexmo-php#troubleshooting
Some users have issues making requests due to the following error:
Fatal error: Uncaught exception 'GuzzleHttp\Exception\RequestException' with message 'cURL error 60: SSL certificate problem: unable to get local issuer certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)'
This is due to some PHP installations not shipping with a list of trusted CA certificates. This is a system configuration problem, and not specific to either cURL or Nexmo.
IMPORTANT: In the next paragraph we provide a link to a CA certificate bundle. Nexmo do not guarantee the safety of this bundle, and you should review it yourself before installing any CA bundle on your machine.
To resolve this issue, download a list of trusted CA certificates (e.g. the curl bundle) and copy it on to your machine. Once this is done, edit php.ini and set the curl.cainfo parameter:
Linux/MacOS
curl.cainfo = "/etc/pki/tls/cacert.pem"
Windows
curl.cainfo = "C:\php\extras\ssl\cacert.pem"

SMTP error while I am trying to run the sending email program in oracle pl/sql

When I am running this, I am getting an error:
    begin
        UTL_MAIL.SEND(SENDER     => 'admin#dbaclass.com',
                      RECIPIENTS => 'support#dbaclass.com',
                      SUBJECT    => 'MAIL FROM dbaclasss SENDER',
                      MESSAGE    => 'Welcome to dbaclass'
        );
    end;
Error:
Error report -
ORA-29278: SMTP transient error: 421 Service not available
ORA-06512: at "SYS.UTL_MAIL", line 654
ORA-06512: at "SYS.UTL_MAIL", line 671
ORA-06512: at line 2
29278. 00000 - "SMTP transient error: %s"
I used the telnet command to check smtp.gmail.com and it works fine,
but when I tried this from Oracle it gives the above error.
Can someone please help me?
That will not work out of the box.
If your server is not SSL/TLS, you need at least to set this (maybe create a local SMTP server first for a test) and set an ACL:
    ALTER SYSTEM SET smtp_out_server = 'mailserver.domain.com'
If the server is secure (and Gmail is) and you have no local SMTP server to work with, you need to do more to set up a secure connection.
Look at this to get an idea for a start (you need a wallet or your own secure SSL/TLS implementation):
Give credentials to UTL_MAIL.SEND to bypass ORA-29278
Probably at this too:
http://oracle.ninja/sending-secure-e-mails-out-of-the-database-ssltls-utl_smtp-openssl-acl-wallet/

ORACLE, UTL_HTTP and SSL

I am trying to reach a web service provided by a secured site with a TLS 1.2 certificate that I exported and added to a wallet.
First I tried to reach the site with the package UTL_HTTP.request on an 11.2.0.1.0 Oracle database, but I get the ORA-28857 "SSL error unknown" message.
I tried the same on a 12.1.0.1.0 Oracle database, but I get the ORA-29024 message.
So I searched the web and found everything and nothing about the subject.
Here is what I did:
First, I exported the certificate from Internet Explorer in PKCS #7 (.p7b) format (chain included).
Then I created a wallet with the orapki utility:
    orapki wallet create -wallet e:\wallet -pwd <pwd>
Then I added my certificate:
    orapki wallet add -wallet e:\wallet -trusted_cert -cert e:\certificats\<cert file> -pwd <pwd>
and tried to reach the secured site:
    SELECT UTL_HTTP.REQUEST('https://<secured site>.com',null,'file:E:\wallet','<pwd>')
    FROM dual;
and I get the message:
ORA-29273: échec de demande HTTP ORA-06512: à "SYS.UTL_HTTP",
ligne 1722 ORA-28857: Erreur SSL inconnue ORA-06512: à ligne 1
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I tried to create ACLs:
    BEGIN
        DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
            acl         => 'utl_http.xml',
            description => 'Test ACL',
            principal   => '<user>',
            is_grant    => TRUE,
            privilege   => 'connect',
            start_date  => null,
            end_date    => null
        );
    END;
    /
    BEGIN
        DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
            acl        => 'utl_http.xml',
            principal  => '<user>',
            is_grant   => TRUE,
            privilege  => 'use-client-certificates',
            start_date => null,
            end_date   => null);
    END;
    /
    BEGIN
        DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
            acl        => 'utl_http.xml',
            host       => '<secured site>',
            lower_port => 1,
            upper_port => 9999);
    END;
    /
    BEGIN
        DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL(
            acl         => 'utl_http.xml',
            wallet_path => 'file:E:\wallet');
    END;
    /
(I'm not sure all of these are useful, but I'm ready to do everything to make this work ^^)
and I tried to reach the secured site:
    SELECT UTL_HTTP.REQUEST('https://<secured site>.com',null,'file:E:\wallet','<pwd>')
    FROM dual;
and I get the message:
Rapport d’erreur : ORA-29273: échec de demande HTTP ORA-06512: à
"SYS.UTL_HTTP", ligne 1130 ORA-29024: Echec de validation de
certificat ORA-06512: à ligne 10
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I read that Oracle 11 has problems with TLS 1.2 certificates, so I tried with Oracle 12 (same way of creating the wallet and ACLs).
I get the message:
Rapport d’erreur : ORA-29273: échec de demande HTTP ORA-06512: à
"SYS.UTL_HTTP", ligne 1130 ORA-29024: Echec de validation de
certificat ORA-06512: à ligne 10
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I hope I was clear in my explanations.
I am trying to find out what to do to reach a secure site using a certificate.
Thank you for your much needed support.
Best regards
Maybe I am too late, but I hit the same issues and found some answers.
Oracle Database earlier than 11.2.0.3 does not support the SHA-2 SSL standard; for example, we cannot connect to Google from 11.2.0.1.
When using 12c, try to remove the end certificate of the chain from the wallet. (I found this answer here: Using utl_http & wallets on 12c: certificate validation failure)
An Oracle wallet is in PKCS12 format. You can't use a PKCS7 formatted certificate inside an Oracle wallet. You want to use the "Base-64 encoded X.509 (.CER)" option instead. You must also get each certificate in the chain for the certificate of the site to which you want to connect. Those will be loaded into the Trusted Certificates section of the wallet.
There are good detailed instructions at this page:
UTL_HTTP and SSL(HTTPS) Using Oracle Wallets

Using utl_http & wallets on 12c: certificate validation failure

Hope someone can spot what I'm doing wrong, as I'm going bald from this.
I have used utl_http & wallets to call https on 11gR1 without much trouble, but our new 12c installation is causing me a lot of grief.
I have tried importing the trusted certificate using both Oracle Wallet Manager and the command line, without any success.
I know that Oracle can be picky as to caching the wallet, so I have tried multiple new sessions without any luck.
I have downloaded the three necessary certificates for *.presstogo.com, GeoTrust SSL CA & GeoTrust Global CA.
The command-line version of my building the wallet is as follows:
orapki wallet create -wallet /oracle/product/12.0.1/owm/wallets/test1237 -pwd test=1237 -auto_login
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "*.presstogo.com" -pwd test=1237
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "GeoTrust SSL CA" -pwd test=1237
orapki wallet add -wallet /oracle/product/12.0.1/owm/wallets/test1237 -trusted_cert -cert "Geotrust Global CA" -pwd test=1237
orapki wallet display -wallet /oracle/product/12.0.1/owm/wallets/test1237
Oracle PKI Tool : Version 12.1.0.1
Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
Subject: CN=GeoTrust SSL CA,O=GeoTrust\, Inc.,C=US
Subject: OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
Subject: CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
Subject: CN=*.presstogo.com,OU=IT,O=Press to go AS,L=Oslo,ST=Norway,C=NO,SERIAL_NUM=SJYpOHrRdCDHE8KZ6dRFGMJthOjs7-v3
OK, let's test this. Log in to sqlplus and run the following:
    declare
        lo_req  utl_http.req;
        lo_resp utl_http.resp;
    begin
        utl_http.set_detailed_excp_support ( true );
        utl_http.set_wallet ( 'file:/oracle/product/12.0.1/owm/wallets/test1237', 'test=1237');
        lo_req  := utl_http.begin_request ( 'https://production.presstogo.com/mars/hello' );
        lo_resp := utl_http.get_response ( lo_req );
        -- A successful request would have the status code "200".
        dbms_output.put_line ( lo_resp.status_code );
        utl_http.end_response ( lo_resp );
    exception
        when others then
            utl_http.end_response ( lo_resp );
            raise;
    end;
DECLARE
*
ERROR at line 1:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 6
For the record, it is worth noting that the following does work:
    declare
        lo_req  utl_http.req;
        lo_resp utl_http.resp;
    begin
        utl_http.set_wallet ( 'file:/oracle/product/12.0.1/owm/wallets/test1237', 'test=1237');
        lo_req  := utl_http.begin_request ( 'https://www.google.be' );
        lo_resp := utl_http.get_response ( lo_req );
        dbms_output.put_line ( lo_resp.status_code );
        utl_http.end_response ( lo_resp );
    end;
    /
Help me Obi-Wan, you're my only hope.
Answering my own question for the benefit of others.
According to Oracle Support only the certificate chain should be imported, not the end site certificate.
In the example I used above, only import the following certificates into the wallet:
Geotrust SSL CA & Geotrust Global CA
Do not import the *.presstogo.com certificate
To quote Oracle support:
The reason that the select is failing in 12c is that 12c does not want
to see the user cert in the wallet as a trusted cert.
This was apparently not an issue in previous versions but removing
that cert from the wallet fixed the issue here.
This contradicts all information I have found online regarding the use of utl_http to connect to Https sites, and confused the hell out of me.
Hopefully this will help others in my situation.
