So we have a self-hosted version of Atlassian BitBucket running on an Ubuntu server which holds the code repository. We use an SSL certificate from DigiCert. Every year we renew the certificate, which has never caused issues. However, this time most of the developers are getting the following error when pushing and pulling code from Git after the certificate was renewed:
fatal: unable to access : SSL certificate problem: unable to get local issuer certificate
Another error:
fatal: unable to access : Peer's Certificate issuer is not recognized.
However, when we try to access the website using Chrome (or any other browser), it works fine and there is no error.
All searches online point to this error when you're using a self-signed or internal PKI certificate. We are totally stumped on why a certificate issued by a public authority like DigiCert is getting this error.
Any help on this would be highly appreciated.
Ensure the root cert is added to git.exe's certificate store as discussed here.
Tell Git where to find the CA bundle by running:
git config --system http.sslCAPath /absolute/path/to/git/certificates
or copying the CA bundle to the /bin directory and adding the following to the gitconfig file:
sslCAinfo = /bin/curl-ca-bundle.crt
Reinstalling Git.
Ensuring that the complete CA is present, including the root cert.
Check www.atlassian.com more ssl errors for resolutions.
I can connect fine with Python to any external https site without this error:
SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))
But I have a local webserver on my laptop with a self-signed certificate that works fine in itself but Python generates an _ssl.c:1108 error when I try to connect to it.
Any ideas?
The Python client does not have access to, and does not trust, the CA certificate that signed the web server certificate. In your case that is the self-signed web server certificate.
To get the Python client working, you can do the following:
Disable certificate verification. That is not a good idea but I guess is OK for a quick test. The emphasis is on "it is not recommended".
Download the self-signed certificate and make it accessible to the Python client and specify it as a trusted CA certificate.
Download and install a certificate from well-known CAs such as LetsEncrypt (free) or commercial CAs. This is the recommended approach.
You could go into depth on the items mentioned herein and get a conceptual understanding of how TLS operates.
EDIT 1: You could also get a free certificate from LetsEncrypt CA. Or you could get a free test certificate from most of the commercial CAs like DigiCert etc. See this link for getting and installing a free test certificate signed by a DigiCert test CA.
See this for details on python client configuration for TLS.
When executing an openstack command, it is failing to verify a certificate that was signed by an internal CA.
CentOS 7
Root CA installed in /etc/pki/ca-trust/source/anchors
openstack 3.3.0
$ openstack server list
Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL. SSL exception connecting to https://XXXXX :13000/v2.0/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)
I hit the url from a browser and downloaded the certificate. Then ran openssl verify successfully.
$ openssl verify -CAfile /etc/ssl/certs/ca-bundle.trust.crt 10.92.50.11.crt
10.92.50.11.crt: OK
Does the root CA need to be placed in another area for the command line to pick it up?
Explicitly pointing at the CA certificate by setting OS_CACERT did the trick. Other people in my environment didn't have to do this. I'm not sure why it was necessary, but that's what fixed my issue.
export OS_CACERT=/path/to/ca.crt
Reference: http://docs.openstack.org/user-guide/common/cli-set-environment-variables-using-openstack-rc.html
Shortly after we renewed our SSL certificate on Heroku, all Mailgun webhooks (post requests made by Mailgun to our endpoint so that we can track email deliveries) started failing with the error "Could not connect to remote server: HTTPS certificate validation failure".
How could we check whether this issue might be caused from misconfiguration of our SSL certificate rather than an issue on Mailgun's side?
Here are the details of steps we took to renew and install the certificate:
We followed these instructions to generate a new private key and CSR.
After uploading the CSR and downloading the CRT file on Namecheap, we ran heroku certs:update as described here.
These are the checks we made to verify successful installation of the new certificate:
Navigated to our site with Chrome, Safari, and Firefox and checked the certificates. Everything looks right.
Ran heroku certs. The certificate looks good and it is shown as trusted.
Used the online checker here and here (as watery suggested in the comments). Everything is green.
Verified with Namecheap that the intermediates were set up correctly. They basically confirmed that the output of openssl s_client -showcerts -connect www.mysite.com:443 looks right.
A potential lead:
After running brew update openssl and rvm install 2.3.1 --disable-binary, the following was observed. Running Net::HTTP.get URI('https://www.google.com') works, while the same command with our URL fails with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed.
However, running Net::HTTP.get for our URL on a freshly installed Linux Docker container does not fail, so there may be additional environment factors.
Any leads to the likely cause of this issue, or suggestions for steps we can take to find such lead, are much appreciated.
The issue was found as described in my other related question. COMODO added a new root called COMODO RSA Certification Authority instead of the previous COMODO Certification Authority. The new root was not whitelisted by Mailgun. I contacted support, and they are working to whitelist it.
I think this is related to an SSL chaining issue. Please check that the SSL certificate you are using is in the order domain_cert > root_cert > intermediate_cert (there can be multiple). You need to concatenate the certificates in a fixed order to fix this issue. I hope this helps you. For more, you can test your website's SSL at https://www.ssllabs.com/ssltest/
I am already 3 hours fighting with setting SSL certificate for a Heroku app. I am following this tutorial, but when I run
heroku certs:add server.crt bundle.pem server.key --app my-app-name
I always get this error:
Resolving trust chain... failed
! No certificate given is a domain name certificate.
I have bought the SSL certificate at DNSimple. What is still wrong, what am I missing? It makes me despair, even Google didn't help...
All help will be appreciated.
In my case the ZIP file I downloaded from my SSL provider contained 2 .crt files and I picked the wrong one when running certs:update. Re-running with the other .crt file solved the problem.
Seems like your certs and your bundle are not resolving properly, i.e. either the trust chain is broken (not all certs exist in bundle for domain -> intermediate CA -> root CA) or alternatively your cert is not valid for the domain that Heroku is expecting.
Make sure the fully qualified domain name in your cert matches the domain you are using.
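The broken trust chain described in the answer above (domain -> intermediate CA -> root CA) is also one way to get the "unable to get local issuer certificate" error quoted in the Git question at the top, and it can be reproduced offline. This is an added example, not code from any of the posts: it builds a constructed three-tier PKI with openssl (every name, path and helper function is made up here), then shows what a client that trusts only the root sees and whether a bundle is in issuer order.

```shell
# Added example: a constructed root -> inter -> leaf PKI in a temp directory.
# Every name, path and helper below is made up for the demonstration.
build_pki() {
  PKI=$(mktemp -d)
  printf '%s\n' '[req]' 'distinguished_name=req' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'basicConstraints=CA:FALSE' > "$PKI/o.cnf"
  for n in root inter leaf; do
    openssl req -new -config "$PKI/o.cnf" -newkey rsa:2048 -nodes \
      -keyout "$PKI/$n.key" -subj "/CN=Constructed $n" -out "$PKI/$n.csr" 2>/dev/null
  done
  sign() { openssl x509 -req -days 2 -extfile "$PKI/o.cnf" "$@" 2>/dev/null; }
  sign -in "$PKI/root.csr" -signkey "$PKI/root.key" -extensions ca -out "$PKI/root.pem"
  sign -in "$PKI/inter.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" -set_serial 1 \
    -extensions ca -out "$PKI/inter.pem"
  sign -in "$PKI/leaf.csr" -CA "$PKI/inter.pem" -CAkey "$PKI/inter.key" -set_serial 2 \
    -extensions leaf -out "$PKI/leaf.pem"
}

# What a library client (git/libcurl, Python, the openstack CLI) does: trust only
# the root and build the path from whatever certificates the server sent.
# Browsers can mask a missing intermediate by caching or fetching it themselves.
verify_leaf() {  # optional $1: PEM file with the intermediates the server sent
  openssl verify -CAfile "$PKI/root.pem" ${1:+-untrusted "$1"} "$PKI/leaf.pem" 2>&1
}

# Succeeds only if every certificate in bundle $1 was issued by the one after it.
chain_in_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = $0; sub(/^subject= */, "", s); if (n++ && s != prev) bad = 1 }
         /^issuer=/  { prev = $0; sub(/^issuer= */, "", prev) }
         END { exit (bad || n == 0) }'
}

build_pki
verify_leaf || echo "=> no intermediate sent: verification fails"
verify_leaf "$PKI/inter.pem" && echo "=> intermediate sent: chain verifies"
cat "$PKI/leaf.pem" "$PKI/inter.pem" > "$PKI/good.pem"      # leaf first
cat "$PKI/inter.pem" "$PKI/leaf.pem" > "$PKI/swapped.pem"   # wrong order
chain_in_order "$PKI/good.pem" && echo "good.pem: order ok"
chain_in_order "$PKI/swapped.pem" || echo "swapped.pem: out of order"
```

Against a live server, the same order check can be run on the certificates saved from the openssl s_client -showcerts output mentioned in the question.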
I'm trying to install a Comodo SSL certificate on a shared server, which has DirectAdmin installed. I have assigned the user a unique IP address, made the CSR request and uploaded the certificate.
In DirectAdmin I get the response that both the certificate and private key are saved. Unfortunately, when I browse to https://www.domain.com I get an SSL error, saying that the certificate is untrusted, because it is self-signed.
I'm confused why this error occurs. It seems to me that I followed the correct steps to install the Comodo SSL certificate. I also tried deleting the private key and certificate through the command line on the server. But this does not seem to resolve the error.
What direction should I be looking into solving this issue?
Check if you installed the intermediate certificate. You have to list one or more intermediate certificates in the field for your public key.
You can also use the GlobalSign OneClickSSL plugin for DirectAdmin and let the plugin do everything for you automatically.
See: https://www.globalsign.com/ssl/oneclickssl/directadmin/
And: http://www.youtube.com/#/watch?v=tVP9i6Ing1M