(osx) cannot download self signed cert - macos

I have a series of intranet self signed certs. I've been able to download most with Firefox but there's one in particular that's giving me trouble. There's no option in Firefox to 'view' the cert and export it. I just get this message:
An error occurred during a connection to URL:PORT. SSL peer cannot
verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
I also tried this command:
echo -n | openssl s_client -connect HOST:PORT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./$SERVERNAME.cert
And I get this error:
verify error:num=19:self signed certificate in certificate chain
verify return:0
I'm well aware of what I'm trying to connect to and the risks involved - how do I get the certs?
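As an added example (not the asker's code, and not from any answer on this page): the `verify error:num=19` lines come from s_client's certificate check and do not stop the certificates themselves from being printed, so the output of `openssl s_client -showcerts` can simply be split into one PEM file per chain entry, and the `s:`/`i:` labels tell you which entry is self-signed, i.e. the one to install as a trust anchor (for example into /etc/gitlab/trusted-certs or the macOS keychain, as other posts below do). The s_client output embedded here is constructed, with placeholder certificate bodies and made-up hostnames.

```shell
#!/bin/sh
# Added example (not from the question above): split `openssl s_client -showcerts`
# output into one PEM file per chain certificate and report which one is
# self-signed. The verify error:num=19 lines go to stderr and do not stop the
# certificates from being printed, so they are simply ignored here.
set -eu

# split_chain OUTDIR < s_client-output
# Writes OUTDIR/cert-<depth>.pem and prints "depth=<n> <self-signed|issued> <subject>".
split_chain() {
  awk -v out="$1" '
    /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }  # " 0 s:CN = ..."
    /^ *i:/        { sub(/^ *i:/, ""); iss = $0 }                     # "   i:CN = ..."
    /-----BEGIN CERTIFICATE-----/ { f = out "/cert-" depth ".pem"; incert = 1 }
    incert { print > f }
    /-----END CERTIFICATE-----/ {
      incert = 0; close(f)
      printf "depth=%s %s %s\n", depth, (subj == iss ? "self-signed" : "issued"), subj
    }'
}

# Constructed stand-in for `openssl s_client -showcerts -connect HOST:PORT </dev/null 2>&1`.
# The base64 bodies are placeholders, not real certificates.
sample_showcerts_output() {
  cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Intranet Test CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:CN = intranet.example.test
   i:CN = Intranet Test CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificateBodyNotRealAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
 1 s:CN = Intranet Test CA
   i:CN = Intranet Test CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCertificateBodyNotRealAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = intranet.example.test
EOF
}

# Live use: openssl s_client -showcerts -connect HOST:PORT </dev/null 2>&1 | split_chain ./certs
demo=$(mktemp -d)
sample_showcerts_output | split_chain "$demo"
ls "$demo"
```

The file flagged self-signed (cert-1.pem in the sample) is the one to hand to `security add-trusted-cert`, `--cacert` or `--ca-certificate`; the depth-0 file is the server's own certificate.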

Related

Elastic Search integration with Gitlab

I am working on integrating elasticsearch with gitlab. So, I have created one elasticsearch server and enabled https for it by using self signed certificates. When I tried to integrate with gitlab it's giving me a 500 error and below is the log I got.
Faraday::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
From this I think gitlab is unable to verify the certificate of elastic search. Is there a way to disable this verification, or any other way to make sure that my elasticsearch gets integrated?
Any help would be much appreciated. Thank you.
You need to add it into the trusted path /etc/gitlab/trusted-certs.
Once you have put the crt, der or pem files there, you can validate with the next steps.
Please validate the symlinks: sudo ls -al /opt/gitlab/embedded/ssl/certs
1.1. Check certs:
echo | /opt/gitlab/embedded/bin/openssl s_client -connect HOSTNAME:port
View a certificate’s details in text form using x509. Be sure to replace /path/to/certificate.crt with the certificate’s path:
/opt/gitlab/embedded/bin/openssl x509 -in /path/to/certificate.crt -text -noout
Fetch a certificate from a server and decode it. This combines both of the above commands to fetch the server’s SSL certificate and decode it to text:
echo | /opt/gitlab/embedded/bin/openssl s_client -connect HOSTNAME:port | /opt/gitlab/embedded/bin/openssl x509 -text -noout
Links:
https://docs.gitlab.com/omnibus/settings/ssl/index.html#install-custom-public-certificates
https://docs.gitlab.com/omnibus/settings/ssl/ssl_troubleshooting.html

certificate signed by unknown authority with self-signed certificates

I'm trying to set up a development environment where TLS is enabled for RabbitMQ. So here is what I did:
1. Use the tls-gen script to generate certificates with the basic profile.
2. Configure rabbitmq to use ca-certificate.pem, server-certificate.pem, and server-key.pem.
3. As I'm using MacOS, I ran sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain testca/ca_certificate.pem to add the CA certificate to the trusted roots.
4. Within a Go program, I load the client_certificate.pem and client-key.pem into a tls.Config.
5. Call amqp.DialTLS().
I got the following error message:
err: x509: certificate signed by unknown authority
which is unexpected. In step 4 above, if I add the ca-certificate.pem into the root CAs of the tls.Config, it works fine. So I'm suspecting that the addition of the root CA to macOS is not right.
Can somebody review the above and point out my mistake?

Chrome failing to load certificate on OS X

Users are reporting that they can't view https://blog.za3k.com on OS X.
Chrome and Safari (which use OS X's root certificates) fail.
All tests on Linux and Windows have shown no problems. Qualys SSL Labs reports no problems except SHA1 signatures.
Chrome reports NET::ERR_CERT_INVALID and if I click the certificate icon -> View certificate, I see "The data does not appear to be a valid certificate".
Firefox loads the page correctly.
Safari hangs on visiting the page.
OS X version has no effect that I can tell, but I'm on 10.10.1 personally.
curl https://blog.za3k.com fails with:
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
openssl s_client -connect blog.za3k.com:443 reports success
The root certificate is 'StartCom', which should be trusted on mac.
Ideas on how to debug?
What are you seeing in the certificate data which you're returned? Here things are a bit curious -- from a desktop system I see a certificate returned for 'nanowrimo.za3k.com' or 'za3k.com' (but not blog.za3k.com), while obviously SSLLabs sees a certificate which is valid for blog.za3k.com and za3k.com. Could be a DNS aliasing issue, but really the cert should contain a SAN for whatever you mean it to appear as.
openssl s_client -connect blog.za3k.com:443 | openssl x509 -text

Grizzly Server aborted the SSL handshake

I have a question about using SSL with a self-signed certificate.
I was using this example: http://people.apache.org/~gmazza/restexamples/https-clientserver-grizzly
The unit test works perfectly. However, if I start the Grizzly server and try to use curl to get the resources, I get errors like:
curl -v https://localhost:8443/api/v1/hello
* Adding handle: conn: 0x7ff69b004400
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ff69b004400) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8443 (#0)
* Trying ::1...
* Trying fe80::1...
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
I already added the certificate to the system keychain as always trusted for all categories. Still, no browser can get the resource. Here is the error message I got from Chrome.
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error code: ERR_SSL_PROTOCOL_ERROR
Has anyone else encountered the same problem?
ADD:
For curl, I was generating the Java keystore and cert using keytool:
keytool -genkey -keystore ./keystore_server -alias serverKey -dname "CN=localhost, OU=Jersey, O=Sun Microsystem, L=Prague, ST=Czech Republic, C=CZ"
keytool -export -alias serverKey -rfc -keystore ./keystore_server > ./server.cert
openssl x509 -in server.cert -inform PEM -text -out server.pem
I then ran:
curl -E server.pem -v https://localhost:8443/api/v1/hello -u "username:password"
However, I got same error as before.
For browsers, I have now gotten it working for Firefox and Chrome. However, I am still having trouble with Safari. I got an error message saying that Safari cannot open the page because Safari cannot establish a secure connection to the server. Does anyone have any idea how I can make Safari happy?
However, if I started grizzly server, and try to use curl to get the resources, I got errors like...
cURL does not use the operating system's keychain. The exception to the rule is if cURL is built against SecureTransport for iOS or OS X. See the curl.1 man page and the -E or --cert option. And even in that case, it's not for trusted anchors.
If you have a particular CA you would like to use to certify the server, then you should specify it with the --cacert option. You can also specify the cacert.pem bundle with this option. See the curl.1 man page.
Chrome ... Error code: ERR_SSL_PROTOCOL_ERROR
This is a different issue. Chrome uses the operating system's keystore. See the Chromium Projects' Root Certificate Policy.
To fix it, you might want to look at Getting Chrome to accept self-signed localhost certificate.
It might be a good idea to post the certificate with your question. Use the following to generate it (assuming it's PEM encoded):
openssl x509 -in <cert> -inform PEM -text -noout
Has anyone else encountered the same problem?
Others have probably experienced the issue, too.

wget, self-signed certs and a custom HTTPS server

For various reasons I have created a simple HTTP server, and added SSL support via OpenSSL. I'm using self-signed certificates. IE, Firefox and Chrome happily load content as long as I add the CA to the trusted root CAs.
However, wget (even when using the --no-check-certificate flag) reports:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
If I run the OpenSSL client against my server using:
openssl s_client -connect dnvista:82 -debug
I get back:
verify error:num=19:self signed certificate in certificate chain
verify return:0
and then
5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
Do wget and the OpenSSL client simply not work with self-signed certificates?
UPDATE:
For anyone who comes along later, adding this code helped with the OpenSSL client and Firefox:
/* Give the server context ephemeral ECDH parameters so ECDHE cipher suites can be negotiated */
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed certificate as a valid CA certificate locally.
To do this, specify the certificate as --ca-certificate=... in wget and -CAfile in the s_client case.
You can also install trusted root CA certificates into OpenSSL in one of a number of ways:
Put your CA certificate in /etc/pki/tls/certs or equivalent directory, then create a link based on the certificate hash. See http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl for details.
Append your CA certificate to /etc/pki/tls/certs/ca-bundle.crt, /etc/pki/tls/cert.pem, or equivalent CA bundle.
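As an added example (not code from this answer or from any other post on the page): the script below builds a throwaway CA and a server certificate locally with openssl, then reproduces the "self signed certificate in certificate chain" error quoted in several questions above and shows that naming the CA as trusted (-CAfile here, --ca-certificate for wget, --cacert for curl, RootCAs in Go's tls.Config) is what makes verification pass. It also checks the hostname against the SAN, the point raised in the blog.za3k.com answer. All names and paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from any post on this page: build a throwaway CA and a
# server certificate locally, then reproduce the verify errors quoted on this
# page and show that naming the CA (-CAfile, like wget's --ca-certificate) is
# what makes verification pass. Names and paths are made up for the demo.
set -eu

# make_test_pki DIR HOST: self-signed root (ca.pem/ca.key) and a server cert
# (leaf.pem/leaf.key) whose SAN covers HOST. Relies on the default openssl.cnf,
# whose v3_ca section gives the root basicConstraints CA:TRUE.
make_test_pki() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  # Browsers, Go and curl match the hostname against the SAN, not the CN
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/leaf.ext"
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_code [openssl verify options...] CERT: prints 0 on success, otherwise
# the X509_V_ERR number openssl reports (19 = self signed cert in chain, 20 =
# unable to get local issuer, 62 = hostname mismatch).
verify_code() {
  if out=$(openssl verify "$@" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
  fi
}

main() {
  work=$(mktemp -d); host=blog.example.test
  make_test_pki "$work" "$host"
  ca="$work/ca.pem"; leaf="$work/leaf.pem"
  # Only the system store is consulted: the issuer is unknown (20)
  echo "no CA given:         $(verify_code "$leaf")"
  # Chain supplied but its root is not trusted: the error 19 quoted above
  echo "chain, CA untrusted: $(verify_code -untrusted "$ca" "$leaf")"
  # Root named as trusted and the name is in the SAN: OK (0)
  echo "-CAfile, SAN name:   $(verify_code -CAfile "$ca" -verify_hostname "$host" "$leaf")"
  # Trusted root but a name the SAN does not cover: mismatch (62)
  echo "-CAfile, other name: $(verify_code -CAfile "$ca" -verify_hostname other.example.test "$leaf")"
  rm -rf "$work"
}
main "$@"
```

The same four outcomes are what s_client, wget and curl report in their own words: a chain whose root you never told the client to trust is rejected no matter how the server is configured, and a trusted root still fails if the requested name is missing from the SAN.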