I have some legacy Android 6 devices in an industrial setting which must access a website via https. However, the list of trusted root certificates is out of date. Trying to connect to such a site results in errors like:
07-30 09:27:00.979 4273 4481 E chromium: [ERROR:ssl_client_socket_impl.cc(960)] handshake failed; returned -1, SSL error code 1, net_error -201
07-30 09:27:00.990 4273 4273 I myapp: Err onReceivedSslError / primary error: 4 certificate: Issued to: CN=example.com;
07-30 09:27:00.990 4273 4273 I myapp: Issued by: CN=R3,O=Let's Encrypt,C=US;
07-30 09:27:00.990 4273 4273 I myapp: on URL: https://example.com/
07-30 09:27:01.390 5985 6721 I NativeSslSession: Error inflating SSL session: {0}
How do I update the root certificate list as used by chromium / webview? I have the AOSP sources for the system.
The root CA are located in the path: system/ca-certificates/files/
Try getting new ones from the master branch of AOSP:
https://android.googlesource.com/platform/system/ca-certificates/+/refs/heads/master/files/
Related
I am getting below certification error while i am trying to call any API https://:8243/ from a react based frontend application. I have defined my rest API in wso2 EI 6.3. I am not using wso2 APIM.
What i did to resolve this issue:
1. I created a new self signed certificate and created a new key store. Updated carbon.xml, axis2.xml file. Restart the server. I am able to see my certificate in wso2 Ei GUI.
2. I accepted the certificate in browser.
But still i am not able to get rid of this error.
Is this error coming due to self signed certificate? If i will be using any CA signed certificate then this issue will not be there?
Any help or pointer is highly appreciated.
[2020-04-07 08:54:48,841] [-1] [] [HTTPS-Listener I/O dispatcher-2] ERROR {org.apache.synapse.transport.passthru.SourceHandler} - I/O error: Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:748)
BR//
Vipin Nirwal
I was able to resolve this issue. I followed the below steps.
I created a self CA first. Then created a certificate signed by my own CA. Import the root certificate of my CA into the browser As this CA needs to be trusted by browser.
After this update carbon.xml, files inside axis2 directory and catalina-server.xml file with proper jks file and password for keystores.
Restarted the server.
You can try to debug it yourself by enabling SSL debug logs in the EI server. In the SSL logs, you can check whether the client certificate and the server certificate is matching. Have a look at the following blog.
https://medium.com/#nipunadilhara/enabling-ssl-debug-logs-for-wso2-products-30833d5de88e
I am trying to setup inter-broker SSL (not client) authentication and keep seeing the following errors:
[2019-05-17 06:33:47,151] INFO [Controller id=1004, targetBrokerId=1004] Failed authentication with /$IP (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2019-05-17 06:33:47,151] INFO [SocketServer brokerId=1004] Failed authentication with /$IP (SSL handshake failed) (org.apache.kafka.common.network.Selector)
[2019-05-17 06:33:47,151] ERROR [Controller id=1004, targetBrokerId=1004] Connection to node 1004 (/$IP:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
My server.properties is:
listeners=PLAINTEXT://$IP:9092,SSL://$IP:9093
security.inter.broker.protocol=SSL
ssl.truststore.password=$PASS
ssl.keystore.password=$PASS
ssl.key.password=$PASS
ssl.endpoint.identification.algorithm=""
ssl.keystore.location=/etc/kafka/kafka.server.keystore.jks
ssl.truststore.location=/etc/kafka/kafka.server.truststore.jks
``
When I run `openssl s_client -debug -connect $IP:9093 -tls1` I get back a list of certificates and `Secure Renegotiation IS supported`
Despite adding `-Djavax.net.debug=all` there's not anything in the logs which points to the problem.
Kafka version 2.2
Any ideas?
I had incorrectly set the value of ssl.endpoint.identification.algorithm="" instead of ssl.endpoint.identification.algorithm", this fixed it.
This value was changed in 2.2 to default to https so setting it to nothing worked.
Have RabbitMQ configured to enable TLS with certificates. Key, Cert, and CA defined in .conf file. Upon service startup, error is thrown. Cannot find the cause for this to be thrown and logging isn't giving any more information at the debug level.
Get a client alert failure and am not certain of cause.
2019-03-22 10:04:18.690 [info] <0.7.0> Server startup complete; 4 plugins started.
* rabbitmq_amqp1_0
* rabbitmq_management
* rabbitmq_management_agent
* rabbitmq_web_dispatch
2019-03-22 10:04:24.831 [debug] <0.689.0> Supervisor {<0.689.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.690.0>
2019-03-22 10:04:24.831 [debug] <0.689.0> Supervisor {<0.689.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.690.0>, {acceptor,{0,0,0,0},5671}) at pid <0.691.0>
2019-03-22 10:04:24.909 [info] <0.688.0> TLS server: In state certify received CLIENT ALERT: Fatal - Certificate Unknown
Our certs didn't have the correct type of X509v3 Extended Key Usage on the cert.
For x509 Auth, you'll need to assign client web auth when creating the certificate.
X509v3 Extended Key Usage:
TLS Web Client Authentication
This won't fix the issue if your certificate CA is broken and can't be verified, but for my issue, this was the resolution.
I am trying to call a WSO2 API through https port 8243. However, when I make a call, the client app (web app) gets a 502 bad gateway error (which is logged inside WSO2 apim server carbon log file).
I see the exception below.
Please Note that, I have received a CA signed cert inside a jks from my networking team... I imported It through management console into keystore... I can view the company certs as well from the console:
TID: [-1] [] [2018-12-19 16:51:12,890] ERROR {org.apache.synapse.transport.passthru.SourceHandler} -
I/O error: Received fatal alert: unknown_ca {org.apache.synapse.transport.passthru.SourceHandler}
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
If you are trying to update the certificate of API Manager, importing the certificate to existing keystore will not work.
Please have a look at the documentation[1] on creating a keystore with a CA signed certificate when you create the new keystore with updated certificate.
The main keystore of WSO2 products is wso2carbon.jks file which holds private certificate entry. When you update the certificate with keystore you have to update all the configuration files listed in documentation[2] to refer to new keystore file and also you will have to update related properties(i.e: keystore password, key password, alias).
[1] https://docs.wso2.com/display/Carbon443/Creating+New+Keystores
[2] https://docs.wso2.com/display/Carbon443/Configuring+Keystores+in+WSO2+Products
In mandrill webhook, I added https://xxxx/mandrills/email_bounced_back
The error I got is:
Error: POST to https://xxxx/mandrills/email_bounced_back failed: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I used https://www.sslshopper.com/ssl-checker to check and seems ok (green)
I am using cPanel & WHM 64.0 (build 20)