when ever i call api using axios and fetch in android i am getting error like this in my logcate.
_response: 'java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.'
i have tried all the solutions but nothing is worked for me.
i am getting error when i run open ssl check command in terminal for my domain
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.geniusedusoft.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.geniusedusoft.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.geniusedusoft.com
verify error:num=21:unable to verify the first certificate
verify return:1
First, try to check the date-time of the device. If the device time is wrong, you will receive a certificate error. If it is not the case, you should check the https certificate, this can happen for several reasons, including:
The CA that issued the server certificate was unknown
The server certificate wasn't signed by a CA, but was self-signed
The server configuration is missing an intermediate CA
The easy solution is to add usesCleartextTraffic to AndroidManifest.xml.
It solved my problem.
Related
Use Case
this is my use case: I have a page available trough cloudflare (proxied), let's call it example.com.
I created a Origin Certificate with Cloudflare and linked it in my nginx config, works fine. Cloudflare works in "Full" SSL mode.
Now I want to be able to basically add 127.0.0.1 example.com to my /etc/hosts so the server itself can directly access the page (it is not really an option to use a different domain with software running on this server to circumvent this).
Now obviously when I curl -v https://example.com I get a ssl error.
What I did so far
So basically, did some research and learned about CA chains and so on.
I found the Cloudflare Origin root CA's (Cloudflare Documentation, Step 4) and included that in the cert chain in my nginx server (basically first the Cloudflare Origin cert they generated for me, then the Root CA). I also installed the Root CA to /usr/share/ca-certificates (and /usr/local/share/ca-certificates) and ran dpkg-reconfigure ca-certificates and it was properly added to the /etc/ssl/certs dir. So far so good?
Result: Does not work.
Further research
Stumbling upon this guide I looked the following up:
cert.pem is my Cloudflare issued certificate
ca.pem is the cloudflare root CA (the ecc file)
root#host:~/ssltest# openssl verify cert.pem
O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
root#host:~/ssltest# openssl x509 -noout -issuer -in cert.pem
issuer=C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
root#host:~/ssltest# openssl x509 -noout -issuer -in ca.pem
issuer=C = US, ST = California, L = San Francisco, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL ECC Certificate Authority
root#host:~/ssltest# openssl verify -CAfile ca.pem cert.pem
O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
So basically the Issuer of cert.pem and Subject of ca.pem do not match up.
This means for me: Either there is an Intermediate Cert that I do not know how to get, or Cloudflare gave me a cert that is not from the root CA they gave me.
Also the difference between Issuer and Subject is super small:
CloudFlare Origin SSL Certificate Authority
CloudFlare Origin SSL ECC Certificate Authority
What can I do to fix it?
I'm probably just not seeing something here, can anyone help me out? Thank you!
There are two CA certificates offered on the site you refer to:
The first one is the RSA certificate with the OU "CloudFlare Origin SSL Certificate Authority". The seconds one is the ECC certificate OU "CloudFlare Origin SSL ECC Certificate Authority".
Looks like you took ECC certificate while you should have taken the RSA certificate.
When i am trying to send mail using SMTP it is throwing error as shown below.
Source: Send SMTP Mail Message.
Message: The Remote Certificate is invalid according to the validation procedure.
Exception Type: System.Security.Authentication.AuthenticationException.
I Tried below solutions to resolve.
Disabled Antivirus.
Allowed Less Secure App from my gmail Account.
I have already read below UI Path topics but i didn’t find link to download the trusted certificate.
The remote certificate is invalid according to the validation
Remote Certificate Is Invalid - UiPath
Windows maintains its trusted CAs in a Certification Directory, and you can read more about that here. The server's certificate is either self-signed, or the certifying authority is not part of your Certification Directory (resolving the whole chain of trust).
Since you mentioned Gmail - that's quite unusual since Google Trust Services is trusted by Global Sign, and Global Sign usually is part of the CD. Here's an example of the required certificate for Gmail (SMTP via port 465):
lynxvvv:~ wolfgangradl$ openssl s_client -connect smtp.gmail.com:465 -showcerts
CONNECTED(00000006)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgIII4WYR6PlomgwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
(...)
You can always download and install a custom certificate into the store, here's an excellent article from Super User. If we're talking about Gmail, then you could get them from Google directly as well.
Verify the link below. First, we need to disable antivirus.
https://forum.uipath.com/t/the-remote-certificate-is-invalid-according-to-the-validation/37727/3
As a followup to this original question:
Unable to get certificate locally
I did solve the original problem as jww answered.
And I have now followed the same steps of importing the certificate chain for our company site, from "comodo". I simply added them to the file which I originally used with the "google.com" root certs.
Now, although this still works fine with "google", when I connect to our company website, I still get the error code 20 on the SSL_get_verify_result() call.
Is this a result of our using a "wildcard" certificate? i.e.: *.domain.com.
The version of OpenSSL I am currently using is 1.0.1g.
I don't see any other differences from my perspective.
Thanks for any advice.
----- Updated ------
First, let me comment that I am not mentioning our domain, and not posting too much material from the OpenSSL command, as I am not familiar enough with what should be kept confidential.
What I did was combine the base64 encoded certificates into one big file, as the previous post instructed. And I obtained them via the browser "export" utility in the same manner for both. That means the certificates that we use, as well as the google certificates from my previous post are all concatenated. Specifically it looks like this now:
Our Company Cert
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
and it is signed by these guys - ComodoRSA
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
and that is signed at the root here - ComodoRoot
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
and this is the GOOGLE G3 who signed the "www.google.com"
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
and the GOOGLE G3 is signed by this one - globalSign
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
Then the code segment I use to test looks like this:
strcpy(host,"our.domain.com");
// strcpy(host,"www.google.com");
/* Build our SSL context*/
ctx = initialize_ctx(KEYFILE,NULL);
/* Connect the TCP socket*/
sock = tcp_connect(host,port);
And then later...
result = SSL_get_verify_result(ssl);
switch(result) {
case X509_V_ERR_CERT_HAS_EXPIRED : break;
case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN : break;
case X509_V_OK : break;
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT : break;
default :puts("Certificate doesn't verify");
}
Simply put, this same code, using this same CRT file, does not give me a "20" error when I use the www.google.com" host, but does give me an error "20" when I use our server. The extent of the test involves changing that commented out name of the host.
Connections to the HTTPS server with commercial clients (Chrome, IE, FF...) have no errors.
As for the comment that recommended the command, I get the following (hopefully I pasted the necessary information):
For Google:
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
read:errno=0
---- other stuff ----
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
And for our domain, I am getting the following (company specifics hidden):
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
read:errno=10054
---- other stuff ---
Certificate chain
0 s:/C=US/postalCode=00000/ST=IL/L=city/street=main/O=company./OU=PremiumSSL Wildcard/CN=*.domain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
----
Now, the chain is that our certificate is signed by "ComodoRSA", and that it is signed by "ComodoRoot".
However, as I originally indicated, our certificate is a "wildcard" certificate, where the google certificate isn't.
So that was my question: Is there a problem using wild card certificates with the version of openSSL 1.0.1g?
--- EDIT2 ----
I am adding more content to the post, so I can include an image from the browser.
Our certificate is on a live web site, and is not self signed.
I am checking the common name in a portion of the code not shown. In this post I am only hoping for advice on this error.
I found a site that uses the same chain we use: DrudgeReport.com
I simply extracted the certificates with the browser, and saved them into a file. This was identical to the steps I used form the google.com site. (View certificate and copy to file)
The result from Drudge is error 19 which is "self signed", not error 20 which was my error. The root level (comodo secure) is the same when I copy to file from either site (as I would expect).
As I learn this from your comments and the link, I see the next intermediate question is: how do I know what certificates are being sent by the server, and which were in the store? Then I would know which to import. What, if any, is the indicator from the openssl command output you provided?
The educational material on openssl and this is rather difficult to find. Just a lot of doc, which to a novice such as myself, is rather circular in it's definitions.
Thanks for your feedback so far.
So that was my question: Is there a problem using wild card certificates with the version of openSSL 1.0.1g?
It is not a problem of wildcard certificates. In fact, your code does not even check the subject of the certificate at all (i.e. your code is insecure), it mostly checks the certificate chain, expiration and purpose of the certificate. And the error message from openssl s_client clearly points out the problem:
verify error:num=20:unable to get local issuer certificate
Thus, the problem is not the certificate subject but that it cannot find a local trust anchor. Looking at the certificate chain provided by your server gives the following certificate chain:
[1] CN=*.domain.com, issued by [2]
[2] CN=COMODO RSA Organization Validation Secure Server CA, issued by [3]
[3] CN=COMODO RSA Certification Authority, issued by [ROOT]
The expected [ROOT] is "CN=AddTrust External CA Root" - only this CA is not in your list of trusted root CA.
While you give not the detailed names of the certificates you have in your local trust store my guess is that the CA you call "ComodoRoot" is similar to what I have as "[3] CN=COMODO RSA Certification Authority" in the list. Only, in your trust store it is likely the self-signed version of the certificate while in the certificate chain provided by the server it is a certificate issued by "[ROOT] CN=AddTrust External CA Root". Both certificates have the same public and private key which means that the signatures in certificate chain can be successfully validated with both.
But, the old (and long unsupported version) of OpenSSL you are using can not properly deal with this kind of situation. It will follow the certificate chain send by the server and then expect the last certificate in the chain signed by on of the certificates in your trust store. If this fails it will not check if a shorter chain might be validated successfully instead.
This means it will succeed if you either have "CN=AddTrust External CA Root" in your trust store or if the server sends a short chain which ends with "[2] CN=COMODO RSA Organization Validation Secure Server CA" since then it will find the issuer for this (your "ComodoRoot", i.e. "CN=COMODO RSA Certification Authority") in your trust store.
For a more detailed explanation of this problem see this answer at stackoverflow.com or this article. Note that there is no way to fix this in code with OpenSSL 1.0.1 - you need to either add the missing certificate to your trust store or make changes to the certificate chain send by the server.
I have an application running on Centos7 that needs to connect to a remote host over HTTPS. However, it is unable to verify the certificate and fails. Also, if I try to download a file from the server using wget, I get the below error:
[root#foo:~]# wget https://10.65.127.9/index.html
--2017-05-22 09:03:01-- https://10.65.127.9/index.html
Connecting to 10.65.127.9:443... connected.
ERROR: cannot verify 10.65.127.9's certificate, issued by ‘/CN=us6877vnxe7827’:
Unable to locally verify the issuer's authority.
To connect to 10.65.127.9 insecurely, use `--no-check-certificate'.
So I get the certificate from the host:
openssl s_client -connect 10.65.127.9:443 <<<'' | openssl x509 -out /etc/pki/ca-trust/source/anchors/mycert.pem
And execute the following to process it:
update-ca-trust extract
This however results in the same issue.. If I run:
openssl s_client -connect 10.65.127.9:443 -showcerts -debug
I do get some errors and various messages:
depth=0 CN = us6877vnxe7827
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = us6877vnxe7827
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=us6877vnxe7827
i:/CN=us6877vnxe7827
Server certificate
subject=/CN=us6877vnxe7827
issuer=/CN=us6877vnxe7827
---
No client certificate CA names sent
---
Verify return code: 21 (unable to verify the first certificate)
Any ideas what I may be missing? If any further info helps, please let me know.
For wget you need to provide the certificate authority (CA) certificate(s) that signed the https server certificate. If you have those CA certificates - add them under --ca-certificate=file or --ca-directory=directory options
If you don't have them and you want to skip https server certificate verification (unsecure and can be dangerous) then use --no-check-certificate option.
I had the same problem with Jenkins trying to connect to our GitLab server.
The server does have a valid official certificate in our case, but Java didn't except it.
You are right about downloading the certificate.
However, the application you are mentioning is probably running inside a Java Virtual Machine (as a lot of applications are).
So from the point that you downloaded the certificate to a PEM file, you may have to add it to the VM's trusted certificates instead.
This article describes how to do that. Hope it helps.
I have this certificate on my server:
DigiCert -> DigiCert High Assurance EV CA-3 -> wildcard.mydomain.com
And if "DigiCert High Assurance EV CA-3" is not installed on the client machine I will get a error from the browser that is server certificate is not valid. If I installed it manually it's working fine.
But if I go to i.e. https://github.com I can see this certificate chain in the browser:
DigiCert -> DigiCert High Assurance EV CA-1 -> github.com
If I check in my user certificate store via certmgr.msc I can find the Root CA (DigiCert) but not the immediate certificate. Why is this working?
Maybe I can setup Apache to send the immediate certificate to the browser?
You can use SSLCertificateChainFile to provide the intermediate certificates to the browser.