The question seems to be asked before:
OpenSSL Verify return code: 20 (unable to get local issuer certificate). However the difference is that it is about a local issuer certificate. Besides, the answers are not for a Windows computer.
Problem description
On a windows computer, I've got a program that tries to contact a secure server. The security is with certificates on both sides.
Problem: I can't contact it, so I tried to find out if the certificates are correctly installed
Searches, a.o. here on stack overflow, indicated that a good method to find problems would be to use OpenSsl for this, even though I'm running a windows computer.
As an example to check if all certificates for a connection are correctly installed, I was advised to check the connection with google.com:
openssl.exe s_client -connect google.com:443
(My browsers have no problems connecting to this server)
The first lines of the response are
CONNECTED(00000184)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
...
And further down the same error twice:
Verification error: unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)
Alas the OpenSSL documentation about s_client isn't very informative about these errors.
So what does it mean? Am I missing some certificates to communicate with google.com, or am I using the incorrect program for this?
Of course google.com is just an example. I chose this, so I could check if reported problems are because of certificate problems, or because of the command I use.
For my actual server that I try to contact, I have the proper certificates (up to the root) as .CER files. The root certificate is in the winstore.
Patrick Mevzek pointed me towards the proper answer (Thanks Patrick!). Because some investigation was needed, I decided to write it down as a complete answer.
I'm working in Windows Server 2012. Newer versions will probably work similarly. To test the certificates and the communication I use:
openssl for windows. Find a compiled version here
curl for window here
Files:
So I am a Client of a Server. There is a two-way secure certification: via very secure methods we have the following files:
A Root certificate that can be trusted: Root.Pem
A chain of untrusted certificates issued by the Root certificate: A.Pem, B.Pem, C.Pem
A private key file MyPrivate.key and a trusted certificate issued by C.Pemto ensure my identity: MyCertificate.pem
If needed, Convert certificate file to PEM format
If the certificates are not in PEM format, we need to convert them first. To check if they are in PEM, open them in a text editor. A PEM file looks like:
-----BEGIN CERTIFICATE-----
MIIFyjCCA7KgAwIBAgIEAJiWjDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJO
...
-----END CERTIFICATE-----
If it is not, we can use openSSL to convert the file:
openssl.exe x509 -inform DER -in myCertificate.cer -out myCertificate.Pem
inform: the format of the input file: DER / NET / PEM (well, if already PEM you won't have to convert)
in / out: the input file, the output file
Verify the certificate chain
For extra security, I verified every certificate separately. It is probably also safe to do this in one step.
Check validity of the root certificate. For instance by checking the fingerprint with a published fingerprint.
Check validity of the untrusted certificates
(1) Is A.pem issued by Root.Pem?
openssl.exe verify -show_chain -CAfile root.pem A.pem
Parameter -CAfile contains the trusted certificate. The last file is the file that contains the certificate to be verified.
Reply should be similar to:
A.pem: OK
Chain:
depth=0: C = NL, ..., CN = <some text describing certificate A> (untrusted)
depth=1: C = NL, ..., CN = <some text describing the trusted root certificate>
(2) Is B.Pem issued by the trusted A.Pem?
Now that A.pem can be trusted, we can check B.Pem. For this we mention the intermediate certificate A.Pem as untrusted as advised in this answer
openssl.exe verify -show_chain -CAfile root.pem -untrusted A.pem B.pem
Reply:
B.pem: OK
Chain:
depth=0: C = NL, ..., CN = <some text describing certificate B> (untrusted)
depth=1: C = NL, ..., CN = <some text describing certificate A> (untrusted)
depth=2: C = NL, ..., CN = <some text describing the trusted root certificate>
(3) Can we trust the rest of the certificate chain?
So now B can be trusted. To continue checking the chain, concatenate the untrusted CA-files into one untrusted.pem file. Do not add MyCertificate.Pem
-----BEGIN CERTIFICATE-----
MIIGNjCCBB6gAwIBA...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
jCCBB6gAwIBA34F..
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dZBo31cAYsByRL...
-----END CERTIFICATE-----
And the command:
openssl.exe verify -show_chain -CAfile root.pem -untrusted untrusted.pem myCertificate.pem
Reply:
MyCertificate.pem: OK
Chain:
depth=0: C = NL, ..., CN = <some text describing MyCertificate> (untrusted)
depth=1: C = NL, ..., CN = <some text describing certificate C> (untrusted)
depth=2: C = NL, ..., CN = <some text describing certificate B> (untrusted)
depth=3: C = NL, ..., CN = <some text describing certificate A> (untrusted)
depth=4: C = NL, ..., CN = <some text describing the trusted root certificate>
I guess maybe all those intermediate steps were not necessary to check the validity.
Check Connection
Now that the certificate chain is trusted, we can use OpenSsl to check the connection.
Concatenate all certificates, except MyCertificate.pem in one file AllTrusted.pem, use a text editor, or a command Copy Root.Pem + A.Pem + B.Pem ... Trusted.Pem
Command:
openssl.exe s_client CAfile Trusted.Pem -connect google.nl:443
Replace google.nl:443 with the proper address and port
Reply, something similar to:
CONNECTED(00000124)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=google.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIhWDCCIECgAwIBAgIQaEMB4EOx3++GhdWADJfgEjANBgkqhkiG9w0BAQsFADBU
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=google.com
issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
The server sent a certificate to identify itself. The client should use this certificate and its trusted CA-chain to check the identity of the server.
To continue communicating, we need a PEM file that contains the mentioned issuer and its issuers until the root. Use the procedure described above to get a complete certificate chain, and add all certificates in the correct order to a file trusted.pem. If you copy-paste the received certificate to a PEM file (text), you should be able to verify this received certificate the same way as I verified MyCertificate.Pem as described above.
Once the CA certificates for the received certificates were installed, my openssl s_client command replied with:
...
SSL handshake has read 8945 by
Verification: OK
---
New, TLSv1.2, Cipher is ...
Server public key is 2048 bit
Start Time: 1551779993
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
So the certificate chain to identify the server is accepted.
Idintify me to the server
The next step will be to check if I can identify myself at the server using MyCertficate.pem.
This is the first time I need my private key file. We'll use curl for this:
Command:
curl.exe -v --cacert trusted.pem --cert MyCertificate.pem --key MyPrivate.key https://...
-v: verbose
--cacert: the text file with the concatenation of the trusted CA chain until the root, as verified using openssl verify
--Cert: the certificate to be used by me to identify myself
--Key: the private key for this certificate
Reply:
...
* successfully set certificate verify locations:
* CAfile: trustall.pem
...
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
...
* Server certificate:
* subject: C=NL; ...
* start date: Apr 19 12:10:31 2016 GMT
* expire date: Apr 19 12:10:31 2019 GMT
...
* issuer: C=NL; O= <description of certificate issuer; should be in trusted.pem>
* SSL certificate verify ok.
> GET /exchange/ciot HTTP/1.1
> Host: ....
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
What we see:
TrustAll.Pem contains the trusted certificates
(Out) Client Hello - (In) Server Hello: apparently we are on speaking terms
Server sends certificate and requests one
Client sends its certificate to identify itself
Display of the received certificate, the one with which the server identifies itself. The issuer is expected to be in trusted.pem
The received certificate is verifies and accepted. Data transfer can start
Because I didn't send any data, the response is a 400 Bad Request
So this is enough to know that both client and server use trusted certificates and that communication is possible
Related
I have two extremely similar self signed certificates, generated via two different methods.
To test them I have:
Added an entry in my hosts file for local.mydomain.com
Set up an nginx server to listen on that domain on port 443 with the certificate under test plus associated private key (I then switch the cert and restart nginx to compare)
Connected to nginx with openssl s_client -connect local.mydomain.com -CAfile /path/to/the/ca/cert.pem
One certificate fails:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = local.mydomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=local.mydomain.com
i:/CN=local.mydomain.com
---
One certificate succeeds:
CONNECTED(00000003)
depth=0 CN = local.mydomain.com
verify return:1
---
Certificate chain
0 s:/CN = local.mydomain.com
i:/CN = local.mydomain.com
---
I compare the details of the certificates with openssl x509 -in /path/to/the/ca/cert.pem -text -noout
The failing cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:dc:02:c7:11:fc:8e:96:45:22:aa:6b:23:79:32:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 18 11:55:31 2016 GMT
Not After : Nov 18 12:15:31 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:local.mydomain.com
X509v3 Subject Key Identifier:
6D:4F:AF:E4:60:23:72:E5:83:27:91:7D:1D:5F:E9:7C:D9:B6:00:2A
Signature Algorithm: sha256WithRSAEncryption
<stuff>
The working cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9b:6b:3d:a3:b9:a3:a4:b4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=local.mydomain.com
Validity
Not Before: Nov 19 13:27:30 2016 GMT
Not After : Nov 19 13:27:30 2017 GMT
Subject: CN=local.mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
<stuff>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Authority Key Identifier:
keyid:03:E7:DA:AA:2E:CC:23:ED:C5:07:3D:E1:33:86:F5:22:D4:76:EB:CB
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
57<stuff>
Looking at this the most obvious difference is that the working cert has CA:TRUE under X509v3 Basic Constraints. However, from reading around the web I was under the impression that self signed certs weren't meant to be CAs, in particular this says they normally won't be:
https://security.stackexchange.com/questions/44340/basic-self-signed-certificate-questions
The answer there says that being self-signed there is no CA involved. But maybe openssl requires self signed certs to have that set anyway?
From my own experiments I can confirm what you see. My explanation of the behavior is that a self signed certificate is still a certificate which is signed by the issuer, even if the issuer's certificate is the certificate itself. But only CA certificates can be used to sign certificates, i.e. that's exactly the constraint CA:true allows. This means that a self-signed certificate needs also to be a CA certificate with the constraint CA:true.
RFC5280 says:
So, if your certificate does not have CA:TRUE flag, this certificate may not be used to verify the signature on any certificate, including itself. OpenSSL correctly follows the RFC.
It is incorrect to think that a certificate belongs to one of two types, either "CA certificate" or "end-entity certificate". A certificate with CA:TRUE can be used for authenticating the entity. This is exactly what you do when you authenticate with a self-signed certificate. It can also be a certificate with CA:TRUE, signed by someone else.
I'm using go http client to connect to iot device which has self-signed cert. I already have
TLSClientConfig: &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{tlsClientCert},
InsecureSkipVerify: true,
},
Nevertheless although InsecureSkipVerify=true go still tries to verify the certificate:
x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs
As I can't change the cert on the device- what part of the TLS client config can I modify to accept it?
UPDATE
The go error can be reproduced running https://github.com/jbardin/gotlsscan/blob/master/main.go against the device:
Testing TLS1.2
...
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED] x509: cannot validate certificate for 192.168.1.145 because it doesn't contain any IP SANs
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
...
This is what openssl says when running openssl s_client -connect <ip:port>:
CONNECTED(00000003)
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify return:1
4460842604:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
4460842604:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
i:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
Server certificate
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
subject=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
issuer=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 969 bytes and written 178 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-SHA256
Session-ID: 9C7D...
Session-ID-ctx:
Master-Key: AC9E...
Start Time: 1600892515
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
UPDATE I'm running latest go 1.15.2
This might work,
In certificate there is a field called "SANs", we need to add 'hostname' in this SAN list.
once this is added the same name should be added in TLS configuration using "ServerName" filed. after this configuration this will be resolved. In SANS property I've added "test.com" so I configured TLS as follows,
ServerName: "test.com",
RootCAs: pool,
Certificates: []tls.Certificate{clientCert},
MinVersion: tls.VersionTLS12,
Since the certificate you;re using may not contain any SANs, this error is occurred. I'm still exploring on it, If you guys any comments on this ,kindly leave a reply.
I am using the latest Docker on Mac (native) and just try to do this:
docker run -d -p 8888:8888 jupyter/all-spark-notebook
But I got below error:
Unable to find image 'jupyter/all-spark-notebook:latest' locally
latest: Pulling from jupyter/all-spark-notebook
fdd5d7827f33: Pull complete
a3ed95caeb02: Pull complete
f08e494cf5cc: Pull complete
6548f4aff175: Downloading
d762b5abb43e: Download complete
c841d1ad6a8e: Download complete
78ff99539390: Download complete
99dfa5547e73: Download complete
408ccccf138d: Download complete
0f7e4eccd74d: Download complete
9177afc586c3: Download complete
b474b13b1b14: Download complete
f204d6cd4f55: Downloading
a8a42c20abb9: Download complete
9ac0b73ff157: Downloading
0553d92e0f21: Downloading
dfaa7db17378: Download complete
262fc767b542: Download complete
a21800239eaa: Download complete
afe6294b97d7: Download complete
3d4589d060ea: Download complete
b81971b6c8e4: Download complete
9daebe0247b8: Downloading
ce63d084a226: Downloading
73eb272114bc: Download complete
b2c0c287ae3a: Download complete
f306272598a0: Downloading
04882c9afb9d: Downloading
docker: x509: certificate signed by unknown authority.
See 'docker run --help'.
I am doing this inside company VPN so it's behind firewall / proxy. If I get out of VPN to pull image and then get back in VPN to run, it's fine.
However, I do need to fix this problem because I do work inside the company a lot and cannot disconnect VPN at work. I have tried Google and found many Github issues like this https://github.com/docker/docker/issues/6474 but none solved the problem. I have tried docker run -d -p 8888:8888 jupyter/all-spark-notebook --insecure-registry https://index.docker.io:8888 and it didn't work either.
Below are some outputs based on what people were checking:
openssl s_client -connect index.docker.io:443 output this:
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEpDCCA4ygAwIBAgIDAyF3MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
...
YMYqJP5MkuAKzDL5u0b8mD/EHtoPkfWOIsA5i9YrAAoWRVOJHwfFfgSY+EpXpFc4
AZUPmdZGh6q1YNavRoOL/1D5aP/VBBtofj54uMbKOK8q6vxIXSyzaw==
-----END CERTIFICATE-----
subject=/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2429 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: F2A7D08F3628FFC3334DBFF7698E05CC5027A61F4F88914E541F466FD6004702
Session-ID-ctx:
Master-Key: 1EF9EB10A666597135CA6D5F14F10C717483C4C3873288281D0156410FE93C232E494A0935AA416EA736AE8CBDFBD925
Key-Arg : None
Start Time: 1462855143
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
And openssl s_client -showcerts -verify 32 -CApath . -connect index.docker.io:443 output this:
verify depth is 32
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
verify return:1
---
Certificate chain
0 s:/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
-----BEGIN CERTIFICATE-----
MIIEpDCCA4ygAwIBAgIDAyF3MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
...
YMYqJP5MkuAKzDL5u0b8mD/EHtoPkfWOIsA5i9YrAAoWRVOJHwfFfgSY+EpXpFc4
AZUPmdZGh6q1YNavRoOL/1D5aP/VBBtofj54uMbKOK8q6vxIXSyzaw==
-----END CERTIFICATE-----
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
...
ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
gP8L8mJMcCaY
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=GT98568428/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=*.docker.io
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2429 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 04E8384F625F401B53C8ACA4D1F68A4EC300C0039ABE6C4117DE97C721B58DB2
Session-ID-ctx:
Master-Key: F08AD33B9D234A31DB7A9940A1CA6C4EC1FD780871F117780108E7F39909487B647FEBC5643BF1F2ADC5377407968D8C
Key-Arg : None
Start Time: 1462857210
Timeout : 300 (sec)
Verify return code: 27 (certificate not trusted)
---
^C
Could someone help me figure out a solution without disconnect from VPN to pull image and get back in to run each time?
I know there are lots of discussion regarding this error but sorry to say that I'm unable to find any working solution over there.
I'm developing a ecommerce site using ShareTribe.I'm trying to implement Paypal as payment gateway.So I'm using Activemerchant.
Everything works fine on development machine but when I deploy my rails app to production It throws
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I'm initializing my Activemerchant as
config.after_initialize do
ActiveMerchant::Billing::Base.mode = :test
paypal_options = {
login: "bla bla",
password: "bla bla",
signature: "bla bla",
appid: "APP-80W284485P519543T"
}
::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
end
Added HTTPS and Disabled SSLV3
After lots of googling I found that
SSLv3 was proven to be insecure with the POODLE vulnerability. You
should make sure that your system has the latest version of OpenSSL so
that you can use TLSv1.2.
So I disabled SSLV3 as shown below
openssl s_client -connect kickmarket.eu:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...........................................
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2038 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
Session-ID-ctx:
Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
..................................
Start Time: 1446132175
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
But after restarting nginx I got the same problem.Is there Any way to fix this issue.
Any suggestion will be appreciated.
This is most likely due to the upgrade to SHA256 certification. Please review the following documentation:
https://devblog.paypal.com/paypal-ssl-certificate-changes/
The primary cause for this is the rvm installed ruby does look into the wrong directory for certificates whereas the OSX-ruby will look into the correct one.
What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so:
rvm install 2.2.0 --disable-binary
You can read detailed explanation https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
I'm on Windows attempting to use cURL using SSL, but running into certificate issues that I absolutely cannot figure out.
For example, here is an example of what I'm trying to run.
$ curl "https://google.com" --ntlm -v --negotiate -u USERNAME:PASSWORD --proxy "PROXY" --cert "c:\temp\curl-ca-bundle.crt"
* Adding handle: conn: 0x147ce88
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x147ce88) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
* Trying 192.168.134.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* unable to use client certificate (no key found or wrong pass phrase?)
* Closing connection 0
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
Attempting to use --cacert instead of --cert yields the following message -
* Adding handle: conn: 0x130cdf8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x130cdf8) send_pipe: 1, recv_pipe: 0
* About to connect() to proxy PROXY port 8080 (#0)
* Trying 192.168.135.80...
* Connected to PROXY (PROXY_IP) port 8080 (#0)
* Establish HTTP proxy tunnel to google.com:443
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.30.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
* CAfile: c:\temp\curl-ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the
-k (or --insecure) option.
The curl-ca-bundle.crt I have is from here, which was update a few minutes ago. I ensured the file is not blocked by Windows.
For what it's worth, I'm behind a corporate proxy and firewall. I have read everything I could find on this issue and don't know what to do next. I do realize I can ignore SSL, but would like to avoid this at all costs.
For what it's worth, I'm behind a corporate proxy and firewall. I have read everything I could find on this issue and don't know what to do next. I do realize I can ignore SSL, but would like to avoid this at all costs.
I would suggest the firewall does SSL interception, i.e. it works as a man-in-the-middle. To inspect encrypted connections it will split it into two encrypted connections, but of course it will not be able to sign the connection between browser and proxy with the original certificate. Thus it will create a new certificate, signed by a CA specific to the firewall. You need to add this CA to your CA bundle or the verification will fail.
For more details you might try to access the target site with a web browser and check the CA which signed the servers certificate or ask your system administrator for details of the SSL interception.