PostgreSQL Stack Builder Installation Certificate verification problem on Windows - windows

I have downloaded and installed PostgreSQL 12 (64 bit) on a developer machine running Windows 10 Pro Education (64 bit).
When the installation came to the Stack Builder download application list step, an error occurred as follows:
A certification verification problem was encountered whilst accessing https://www.postgresql.org/applications-v2.xml schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline. This means that the source download cannot be verified. It is recommended that you do not continue with the download as it may be coming from a site that is pretending to be the intended download site and may contain viruses or malware.
Do you wish to continue?
I have tried to use Proxy servers referring to this answer. https://serverfault.com/questions/555125/postgresql-stack-builder-installation-proxy-setting-on-windows
I have also tried both solutions from that question. Still, I can not get the application list downloaded.
I want to install PostGIS. It seems the stack builder is safe and easy to use. What should I do to get the PostGIS installed?

Looks like https://www.postgresql.org/applications-v2.html link has some strong security. And it blocks some traffic. As #ay__ya has mentioned, in his case he made it work though VPN access. And in my case I was already behind the VPN and it was not working. So disabling VPN worked for me.

Go to https://www.postgresql.org/applications-v2.html and save as a *.CER file the certificate of the the webpage.
Using "certmgr.msc" import the *.CER file into your local certificates repository to the Trusted People store or/and Enterprise Trust store.
Rerun Stack builder and retry download application list step.
Should works now.

Related

GitLab - Secure Connection Failed error on firefox

Recently i have re-installed my GitLab application on my Linux system. When i tried to access my GitLab application link (https://gitlab.domain.com) on Windows system's Firefox browser i am getting below error.
Since the certificate generated freshly it was conflicting with existing/previous certificate, So i have followed this Link workaround. However even after system reboot also same error occurring, I can't access my GitLab application on Firefox browser.
I'm able to access it on Chrome browser without any problem.
Please let me know still where i need to clear the old certificate to make it work on firefox?
That seems to be the same error as in issue 435013 reported 13 years ago (and still open), where Firefox has an issue with routers and NSS (Network Security Services) (error -8054)
As I understand it, and from the discussion on #312732 which is the underlying issue, the problem is that the crypto uses the cert ID as a unique key in a database.
When a dupe is encountered, you can't have two primary keys in a database, so it just dies with a fatal error, hence FireFox gives up connecting to the site and passes on the fatal error to be presented.
This is not a "fundamental NSS design issue", it's a political issue, Firefox is ACTIVELY refusing to let people access their network equipment.
Check also the firmware of your router:
It seems to me that it is VERY EASY for the server-side products that
generate these certificates to more-or-less fix the problem in updated
firmware with very little effort. Even simply randomizing the serial numbers
in the certs, they would nearly completely eliminate the problem, AFAICT. In
fact, it is worth making sure that the affected server-side hardware has
up-to-date firmware, because some vendors might have already fixed it on
their end already.
Possible workaround (which would work even after FF restart)
This is hardly any fix, but I installed a new Mozilla from scratch on a VM under Virtualbox.
I than browsed to all my local systems I was getting this error. On connecting from the new Window3s sytem running on VM to each local IP, I received the warning, and created the exception.
I than went in to Preferences>Advanced, and Exported all the certificates to a share on one of my NAS units.
I proceeded back to the broken Mozilla running on my Mac OS X 10.11.1, and I Imported all the certificates.
I then restarted FF, and connected to each device I was getting the error on, and I received the "This is an untrusted connection, Get me out of here, or would you like to create an exception." YES!!
I created the exception, and finally I could get to my firewalls, and all other local devices.
Other workaround:
Run: firefox --no-remote --ProfileManager
Create a new profile there.
Open a new instance of Firefox using the new profile. To run Firefox with the profile you can use the command from 1. or: firefox --no-remote -P profile_name
Do the actions there as if it was a separate installation of Firefox

Certificate error when loading an url to an image source

I got an image, and I assign the source property like this:
image.source = "https://www.company.com/imageName.jpg";
This works ok in some PC's, but in others I got an error, I debuggde the error with Fiddler Web Debugger and it says something like this:
"The remote server presented a certificate that did not validate due to RemoteCertificateNameMismatch, RemoteCertificateChainErrors".
Do you know what could it be?, and why it works from some computers but not from others?.
The image is located on a secure website, I believe this because you used https in your example. The error is about that certificate provided by the website you're trying to get the image from. Clearly it's not a trusted certificate.
Are you using the same pdf reader software on all the pc's? Some pdf reader might be more strict then others in regards to certificates.
You did not specify what PC are working fine so it will be hard to answer correctly. It might be important to know what OS is installed on the PCs (working and not working), what version of PDF reader is installed and if all PCs are in same network environment.
I have no experience with actionscript or swf, but the questions I would be asking are:
who does certificate validation in this case? Is it windows or PDF reader?
And where are certificates of trusted root authorities kept? Does all the PCs have this in common?
I believe that if you find answers to these questions, you will solve your problem easily.

Force CRL refresh in OSX & Vista

I've installed a wildcard SSL certificate for two subdomains that I'm working on for an organization. This is the first time I've worked with wildcard certificates, and I missed installing the intermediate certificate when I first set this up, which resulted in certificate revocation messages when I first tried to load them. I've reloaded the certificates correctly, and both subdomains check out now using http://www.sslshopper.com/ssl-checker.html.
The sites appear to load fine everywhere except on the two machines (Mac Laptop & Vista Desktop) that I use to develop on, where they're still showing revoked. I've tried to refresh my local CRLs using the following commands:
certutil -setreg chain\ChainCacheResyncFiletime #now (Vista)
and
crlrefresh r p (mac)
I've restarted both computers and cleared browser caches but am still not able to access. How can I get my local machines to forget that the certificate was initially revoked?
I needed to ask the organization I'm working with to regenerate the certificate. I installed that one and everything's good to go now.

Install/update driver from Windows service

To install a driver, you typically send the command:
DefaultInstall 128 {inf path}
to the InstallHinfSection via direct call or RunDLL.
This works wonderfully. I can install my driver anywhere (including 64-bit Win 2008 R2, which means I've got all the code signing right too).
HOWEVER, the above fails when launched from a Windows service. I've read about service vs client installs, and hoped I had met all the requirements for a silent service install (built a .CAT file, it is signed along with the driver, etc).
But no dice - it just fails. Comparing the errors in SetupAPI.log between an interactive install and the install from the service doesn't show any differences (other than the interactive takes the steps of copying the driver file and succeeds, where the other doesn't).
The driver itself is not in use (my service is the only one that uses it). Is there ANY way for a service to silently update a driver without requiring user interaction?
I called Microsoft and discussed this with a support engineer.
Turns out that using DefaultInstall with InstallHinfSection is somewhat obsolete, but still works. And it just happens to work without prompting the user if the driver is signed by a certificate that they recognize because DefaultInstall is 'dumb'. Yet the driver itself is still allowed to launch because it's cross-signed with the Microsoft cert. A nice little loop-hole I guess. The trick is it has to be installed by a service that is set to Interact with Desktop (a requirement). Using something like PsExec or RemCom is a way to do this if your service isn't currently running in that way.
In the future, this might not continue to work. At that point, get the driver's .cat file into the Windows\System32\Catroot{F7... folder but it can't just be copied directly in -- there is an API.
If the .cat was put in first, then the driver theoretically shouldn't need to prompt to ask if the certificate for the driver is acceptable to the user, because catroot is the 'acceptable to the user' list of certs and drivers.
Also, having the catalog file installed before attempting the driver install might help since the catalog contains the security certificate that the driver will present (though not necessarily in this case -- but it might help in the future (and possibly with Win 2003)
Basically the support engineer was surprised this worked at all and we went around and around on how it might be working... Hopefully this helps someone else.

Does Mercurial access the Windows certificate store?

I'm working to upgrade our source control from hg 1.6.0 to 1.8.2 and I'm looking to set up and use SSL certs. This is on a Windows Server 2008 Enterprise system running IIS 6.0, not my server so I need to use those versions of software right now. All my users are running Windows too.
To ease installation/configuration for my users I'd prefer to modify the Windows Cert Store instead of the cacert.pem file. Does Mercurial have access to the Windows Certificate Store? It doesn't seem to. I am using internally created certificates and I can get things to work without SSL warnings by adding my root cert to the cacert.pem file in Mercurial but I can't seem to get it to work by adding the certs to the Windows Cert Store. Am I missing something?
Thanks,
Scott
No, Mercurial does not access the Windows certificate store.
It includes in its distribution a cacert.pm (as you know, even though before 1.7.3, the story was a bit different)
The article "X.509 certificates and Mercurial" has more information.
A principal thing to remember here is that Mercurial will not work as a complete server out of the box, requesting authentication information, in the form of basic, digest, or certificates, at all.
This means that in order to use X.509 certificates with Mercurial, one needs to place a web server that knows of these authentication mechanisms in front of it.
This article includes makecert.exe, which actually knows about the Windows certificates store (contrary to Mercurial itself)
makecert.exe is a bit of a different beast from openssl as it interfaces directly with the machine’s or user’s certificate store (the special place where certificates live a happy life in Windows).

Resources