I recently tried to renew my certificates for a web server I run and I am getting the below error:
SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
I saw some posts on the community page but nothing seemed to be exactly what my problem was.
Any thoughts?
I faced the same issue today, and this answer helped me:
I also re-installed ca-certificates package and certbot renew works now.
For Ubuntu / Debian
sudo apt-get install --reinstall ca-certificates
Turns out this was because the clock on the server I was logged into had drifted by over a year because ntp was not installed.
I installed ntp, the date and time updated correctly and I was able to renew my certificates.
Related
As part of an automated build, we download some code from github. Minimal example:
wget github.com
Recently, the command started failing with a certificate error:
URL transformed to HTTPS due to an HSTS policy
--2017-10-05 11:43:45-- https://github.com/
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
ERROR: cannot verify github.com's certificate, issued by 'CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
Unable to locally verify the issuer's authority.
I tried updating the certificate store, and wget itself:
update-ca-certificates
apt-get install wget
The error is still the same.
My wget version is GNU Wget 1.17.1, and the OS is Ubuntu 16.04.3.
You can avoid checking the validity of the certificate adding the --no-check-certificate option on the wget command-line.
The answer turned out to lie somewhere in package configuration. Unfortunately, I am unable to tell exactly why. The suspicion is some mono version installed from a ppa was messing with our cert store.
I've been trying off and on to get a LAMP development server operational behind my corporate firewall (McAfee Web Gateway). I have an Ubuntu/Trusty64 image on a virtualbox VM provisioned through Vagrant. I cannot get "some" {most} repositories to load for a proper sudo apt-get update. I'm getting a 401 authentication required error on all 'security.ubuntu.com trusty-security/*' sources and 'archive.ubuntu.com trusty/*' sources and all fail to fetch. Therefore almost all sudo apt-get install {whatever} commands fail and I cannot add the necessary PPA repository to install the LAMP environment I want.
I can turn off SSL verification for some things and can get many things installed - but I need SSL working correctly within this environment.
Digging deeper, I find that if I curl -v https://url.com:443, I get the
curl(60): ssl certificate error: unable to get local issuer certificate.
I have the generic bundle 'ca-bundle.crt' installed locally in /usr/local/share/ca-certificates/ and ran sudo update-ca-certificates which seemed to update ca-certificates.crt in /etc/ssl/certs/.
I ran a strace -o stracker.out curl -v https://url.com:443 and searched for the failing stat() as suggested in here by No-Bugs_Hare and found that curl was looking for 'c099e901.0' in /etc/ssl/certs/ and it isn't there. Googling that particular HEXID is no joy and am stuck at this step.
Next I tried strace -o traceOppenSSL.out openssl s_client -connect url.com:443 to see if I can get more detail but can't see what causes the
verify error:num=20:unable to get local issuer certificate
followed by two other errors (I'm sure all relating to the first one), then displays the "Server Certificate" within a BEGIN / END block, followed by a bunch of other metadata. The entire session ends with
Verify return code: 21 (unable to verify the first certificate).
So, this is not my forte and I'm doing what I can to try and get this VM operational. Like I said earlier, I've been trying many things and understand most of the issue is the fact that I'm behind a McAfee firewall within my corporate structure. I don't know how to troubleshoot more than what I've explained above but I'm willing to dig deeper.
I have a few questions. Why is curl looking for that particular hex ID and where would I find or generate the beast? Are there other troubleshooting steps I should try? The VM is a server-class Ubuntu install, so I only have an SSH CLI terminal and no WindowManager GUI to work with this.
FYI my certificate is trusted by GeoTrust SSL CA.
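An added illustration, not from any post on this page, of why curl stat()s a file named like c099e901.0: OpenSSL's CApath lookup (OpenSSL 1.0 and later) computes X509_NAME_hash() over the issuer's subject name and looks for <hash>.0 in /etc/ssl/certs, so a missing file means that issuer (behind an intercepting web gateway, often the gateway's own signing CA) is not in the local store. The Python below reproduces that hash for names built from single-valued string attributes, which is an assumption about the issuer names involved here; cross-check any value against openssl x509 -noout -subject_hash -in ca.pem.

```python
import hashlib, os, re

WS = b" \t\n\r\x0b\x0c"  # ASCII whitespace, as OpenSSL's ossl_isspace() treats it

def der_tlv(tag, content):
    """DER tag + length (short or long form) + content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted):
    """Dotted OID (2.5.4.3 = commonName) to DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def canon_value(value):
    """asn1_string_canon(): UTF-8, trim, collapse whitespace runs, ASCII-lowercase."""
    raw = value.encode("utf-8").strip(WS)
    return re.sub(b"[" + WS + b"]+", b" ", raw).lower()

def canon_name(rdns):
    """Canonical X509_NAME: one SET{SEQUENCE{OID, UTF8String}} per single-valued RDN,
    concatenated in DER order; the outer SEQUENCE header is omitted."""
    out = b""
    for oid, value in rdns:
        entry = der_tlv(0x06, encode_oid(oid)) + der_tlv(0x0C, canon_value(value))
        out += der_tlv(0x31, der_tlv(0x30, entry))
    return out

def subject_hash(rdns):
    """X509_NAME_hash(): first 4 bytes of SHA-1 over the canonical encoding, little-endian."""
    digest = hashlib.sha1(canon_name(rdns)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def expected_ca_link(rdns, ca_dir="/etc/ssl/certs"):
    """File the CApath lookup stat()s for this issuer (.1, .2 ... only on hash collisions)."""
    return os.path.join(ca_dir, subject_hash(rdns) + ".0")

# Issuer from the wget error above, in DER order (the error prints it reversed, RFC 2253 style).
DIGICERT_EV_CA = [("2.5.4.6", "US"), ("2.5.4.10", "DigiCert Inc"), ("2.5.4.11", "www.digicert.com"),
                  ("2.5.4.3", "DigiCert SHA2 Extended Validation Server CA")]
```

Running os.path.exists(expected_ca_link(DIGICERT_EV_CA)) tells you whether that issuer is in the store; a CA that is missing goes as a PEM .crt file under /usr/local/share/ca-certificates, and update-ca-certificates then creates the <hash>.0 symlink in /etc/ssl/certs.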
I do the following command :
npm adduser --registry https://npm.****.fr and the error thrown is UNABLE_TO_VERIFY_LEAF_SIGNATURE.
I did a lot of tests to fix it.
I tried with curl and fixed the issue by adding my website CRT on the system (/usr/share/ca-certificates/extra/***.crt then dpkg-reconfigure ca-certificates). The same error occurred on NPM.
I tried to specify the options ca, cafile, cert; nothing changed.
If I provide the option strictssl=false, it works but I don't really like this option...
Any ideas?
I had a similar issue; the following commands did the trick:
npm config set strict-ssl false
export NODE_TLS_REJECT_UNAUTHORIZED=0
I fixed it by adding the CA certificate to my server.
Indeed it's the CA certificate missing, not the website certificate. But it is strange that GeoTrust SSL CA is not provided with apt-get install ca-certificates.
I am running a secure site on apache and openssl 1.0.1.
This works fine in the browser, but when I curl the site, I am getting the following error
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
From what I can find, this is some incompatibility between openssl 0.9.8 on the client, and 1.0.1 on the server.
Is there maybe some server-side configuration in mod_ssl to prevent this error, or would I be best to downgrade to 0.9.8, and if the latter, any advice for doing so on Ubuntu? For example, if I apt-get remove and apt-get install, do I need to reinstall / restart apache for the changes to take effect?
Thanks,
This is an old question, but since it is still unanswered:
This is a bug in OpenSSL 0.9.8, but can be fixed (or overridden) in Apache. See https://stackoverflow.com/a/8058839 for a fix. Note that the ServerName directive should be identical to the name used by the client (e.g., "localhost" will not work).
I'm running Ubuntu 11.10 and I'm trying to install RVM.
I enter "bash < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)" and then press enter, and nothing happens. It pauses for a second and then returns to the command prompt.
RVM doesn't install. I run rvm -v and get The program 'rvm' is currently not installed.
No errors.
Any thoughts?
Thanks.
Jason
UPDATE: I removed the -s option from curl and now I see some messages. Specifically:
0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
UPDATE 2: I reinstalled Git, and now when I run curl-config --ca, I get:
curl-config --ca
/etc/ssl/certs/ca-certificates.crt
I downloaded the cacert.pem file from curl.haxx.se and created a new ca-certificates.crt file with it.
However, I'm still getting:
0curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Not sure what else to try other than disabling the checking, which I'd rather not do.
The SSL certificate on https://rvm.io expired. Looks like RVM migrated to a new domain. See: https://github.com/wayneeseguin/rvm/issues/889