Github certificate not verified in macports - macos

I am trying to install ros-hydro-genmsg, but encountered the following error.
---> Attempting to fetch 0.4.23-0.tar.gz from https://github.com/ros-gbp/genmsg-release/archive/release/hydro/genmsg/
DEBUG: Fetching distfile failed: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
When I manually go to that link in any browser, the file is downloaded immediately. When trying to download it through MacPorts, it does not accept the certificate? I have set both "DigiCert High Assurance EV Root CA > SSL" and "GTE CyberTrust Global Root > SSL" to "Always Trust" as suggested elsewhere, but that did not work either.

Related

failed loading cafile stream: `C:\xampp\apache\bin\curl-ca-bundle.crt'

How do I solve this error?
failed loading cafile stream: `C:\xampp\apache\bin\curl-ca-bundle.crt'
You are not providing a valid ca bundle file.
Try downloading this file and save it as C:\xampp\apache\bin\curl-ca-bundle.crt
You can read the explanation on the Certificate Verification section of the curl documentation.
libcurl performs peer SSL certificate verification by default. This is done by using a CA certificate store that the SSL library can use to make sure the peer's server certificate is valid.

certificate signed by unknown authority with self-signed certificates

I'm trying to set up a development environment where TLS is enabled for RabbitMQ. So here is what I did:
1. Use the tls-gen script to generate certificates with the basic profile.
2. Configure RabbitMQ to use ca-certificate.pem, server-certificate.pem, and server-key.pem.
3. As I'm using macOS, I ran sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain testca/ca_certificate.pem to add the CA certificate to the trusted roots.
4. Within a Go program, I load client_certificate.pem and client-key.pem into a tls.Config.
5. Call amqp.DialTLS().
I got the following error message:
err: x509: certificate signed by unknown authority
which is unexpected. In step 4 above, if I add ca-certificate.pem to the root CAs of the tls.Config, it works fine. So I'm suspecting that the addition of the root CA to macOS is not right.
Can somebody review the above and point out my mistake?
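The two outcomes described in this question (failure against the default trust store, success with the CA added to the tls.Config root pool) can be reproduced offline. The following is an added example, not code from the question; it builds a throwaway private CA and a server certificate in memory (constructed data, not the tls-gen output; the names "Dev Root CA" and "rabbitmq.local" are made up) and verifies the server certificate against the system store and against an explicit pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with parentKey (self-signed when parent == tmpl) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyWithRoots chains leaf to roots; a nil pool means the system store, which is what tls.Config uses when RootCAs is unset.
func VerifyWithRoots(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "rabbitmq.local"})
	return err
}

// Demo creates a constructed private CA plus a server cert it signed, then verifies the server cert both ways.
func Demo() (sysErr, poolErr error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Dev Root CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	ca := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "rabbitmq.local"},
		DNSNames: []string{"rabbitmq.local"}, NotBefore: now, NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srv := mkCert(srvTmpl, ca, &srvKey.PublicKey, caKey)
	pool := x509.NewCertPool() // the equivalent of setting tls.Config{RootCAs: pool}
	pool.AddCert(ca)
	// First call fails (unknown authority, or no system roots at all on a bare host); second succeeds.
	return VerifyWithRoots(srv, nil), VerifyWithRoots(srv, pool)
}
```

Pinning the private CA in RootCAs keeps the trust decision inside the application instead of depending on whichever system store the binary happens to consult.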

self-signed SSL certificate error: certificate has invalid digital signature

I have a C# program and part of it creates a self-signed certificate.
The problem is when I try to import the certificate in MMC it says "This certificate has an invalid digital signature."
And when I try to add this certificate through the command prompt using netsh http add it says:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I've tried all suggestions from other questions similar to this but with no luck.
I've also tried downloading the hotfix from Microsoft but it didn't work.
By the way, my machine is running Windows 7 64-bit.
I ran into an answer here. The basic issue is that DC authority cert creators get sloppy and create multiple certs for the same DC cert authority. I had my self-signed cert created using the latest and greatest DC cert authority certificate. I had to export and install both the root cert and a self-signed cert on my destination machine for it to recognize the self-signed cert used on the server. But the root cert I exported was a cert with the same name but different dates. Once I located the proper root cert and installed it on my destination computer everything worked flawlessly.
In my case it was due to an old self-signed certificate with a small key length.
I found the solution here (https://security.stackexchange.com/a/82606/26742) to reduce the security (only in my dev environment):
certutil -setreg chain\minRSAPubKeyBitLength 512

How can I get cURL to work from Windows command line?

I have downloaded cURL for Windows from here. I selected the Win64 - Generic version without SSL. I try to run curl https://www.google.com from the command line and I get the following error: curl: (1) Protocol https not supported or disabled in libcurl.
Okay! Next, I decide to download the version with SSL and install that. I try to run the same command as above and I get the following error:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate
Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you
can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
What should I do next?
Here's what I did to solve the problem.
I got the Bundle of CA root certificates that Mozilla uses from here. I copied the data from the page and saved it in a new file called curl-ca-bundle.crt in the folder where the curl.exe file was. That solved the problem.
Of course, these instructions are also found on the cURL documentation page for SSL certificates, precisely instructions 4 and 5.
Hope that helps.

wget, self-signed certs and a custom HTTPS server

For various reasons I have created a simple HTTP server, and added SSL support via OpenSSL. I'm using self-signed certificates. IE, Firefox and Chrome happily load content as long as I add the CA to the trusted root CAs.
However, wget (even when using the --no-check-certificate flag) reports:
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
If I run the OpenSSL client against my server using:
openssl s_client -connect dnvista:82 -debug
I get back:
verify error:num=19:self signed certificate in certificate chain
verify return:0
and then
5852:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1060:SSL alert number 40
5852:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
Do wget and the OpenSSL client simply not work with self-signed certificates?
UPDATE:
For anyone who comes along later, adding this code helped with the OpenSSL client and Firefox:
/* Give the server an ephemeral ECDH key on P-256 so clients that only
 * offer ECDHE cipher suites can complete the handshake instead of
 * failing with "handshake failure" (alert 40). */
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh); /* the context keeps its own reference */
I checked the man page of wget, and --no-check-certificate only seems to affect the server certificate. You need to specify your self-signed CA certificate as a valid CA certificate locally.
To do this, pass the certificate as --ca-certificate=... to wget and as -CAfile to s_client.
You can also install trusted root CA certificates into OpenSSL in one of a number of ways:
Put your CA certificate in /etc/pki/tls/certs or equivalent directory, then create a link based on the certificate hash. See http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl for details.
Append your CA certificate to /etc/pki/tls/certs/ca-bundle.crt, /etc/pki/tls/cert.pem, or equivalent CA bundle.