I'm running into a strange problem with certificates that I can't figure out how to debug. When I run wget inside of a docker container on one specific server it cannot verify certificates. The same wget works fine on the server machine itself (outside docker) and it works inside that same docker container on different servers.
Here's the setup for the docker container:
docker run --rm -ti debian:jessie bash
apt-get update
apt-get install wget
wget https://google.com
The response is:
converted 'https://google.com' (ANSI_X3.4-1968) -> 'https://google.com' (UTF-8)
--2016-06-22 14:22:02-- https://google.com/
Resolving google.com (google.com)... 216.58.217.142, 2607:f8b0:4004:807::200e
Connecting to google.com (google.com)|216.58.217.142|:443... connected.
ERROR: The certificate of 'google.com' is not trusted.
ERROR: The certificate of 'google.com' hasn't got a known issuer.
The certificate's owner does not match hostname 'google.com'
Since this same process works on other servers, it seems like the problem could only be some certificate problem on that server itself. But I must be confused: why should the certificates on the server itself have anything to do with what's happening inside of the docker container?
I would really appreciate any insight into this, in particular any debugging steps I can take to understand the problem better.
It seems that the certificates are out of date inside the jessie image.
try apt-get install ca-certificates before the wget
Docker uses iptables.
If you have iptable rules set up it's possible to direct EVERY https request to your own running server.
If you are, for example, running jenkins locally and using iptables to redirect 443 to default 8080 port than all your container traffic to port 443 ports will be redirected to that local jenkins server which will be unable to verify your certificate.
We ran into this problem when using Jenkins to build our docker images. our jenkins used iptables to get around running jenkins as root.
This worked fine for me, though to be safe, make sure your "ca-certificates" package is up to date. Most likely, you have some kind of security device on the network that is inspecting the traffic, and to do so, decrypting and encrypting with it's own certificate. Here's the certificate I get from my own testing:
bash$ openssl s_client -showcerts -connect www.google.com:443
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIdnEF+1C/AZowDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwNjA4MTIzNzI5WhcNMTYwODMxMTIzMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxYx0X
auhoQ4cobo6J3UMUNCbzKmJ/XSzDB5RLtjvbvtDfCMHm8hO91vvlcKRRrwqdYpiw
2zUcPDyjwOrZZsJlQglQw/rRpbfQQ6aKsKQWiT3sAIz5joXXi/622YhhGAAdyGGy
/tzsQkW0IqWAIFLFBbHWMvgDmvMwacps34B80U+p5Iq2xx2xHegl0RMb4HfSEpW/
H4A0MKvYR6uZZEEr39E+4R6IY9HSv1ZDq8csspyWjXpaIxd6ZD6+lGwvgyszQtNa
0aEP9+tNhF7jPRD5TedfvyOz81dUCvE0O2E+nfripG2gNBm4r5N6XWUH/lvoopaR
00eE2fKpk/fvZgZXAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBStL+4j1/n+vGwj3sL861LWCYDUGTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAK1BpCyAbID8gpwWI
bQReJv81H/qvYvaaOFa7PLnqHhaAZmzjV1tkCsVB60IgsBDoNuPdtJ5klpxV+njs
VhDnxneaHL21zwUCuZvNVyYL9VCSYGWV1iNe6PtYYtbWt7of6bEiwZsSuPWaRuRp
YcvJH+mpv/EIDw1shU5UK3FpvnSHEH2jrs2psnC4BYSovT3pH2nxTCpiLiya1UNn
+qtqiCJyDKhEV6f1j+Awg/Fr+tVCZLjHcSmGqL3DNcHbCUalXrq4EwVK3Pg8lghU
Dm3e0J3EcjgMacIg+RP+2pOM5GvIwQ6BrKbmcnTjqsjcG1tQEV0ZSb6hx2bGYhc2
3TG+rQ==
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjqDMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU2WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD
VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov
L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEAqvqpIM1qZ4PtXtR+
3h3Ef+AlBgDFJPupyC1tft6dgmUsgWM0Zj7pUsIItMsv91+ZOmqcUHqFBYx90SpI
hNMJbHzCzTWf84LuUt5oX+QAihcglvcpjZpNy6jehsgNb1aHA30DP9z6eX0hGfnI
Oi9RdozHQZJxjyXON/hKTAAj78Q1EK7gI4BzfE00LshukNYQHpmEcxpw8u1VDu4X
Bupn7jLrLN1nBz/2i8Jw3lsA5rsb0zYaImxssDVCbJAJPZPpZAkiDoUGn8JzIdPm
X4DkjYUiOnMDsWCOrmji9D6X52ASCWg23jrW4kOVWzeBkoEfu43XrVJkFleW2V40
fsg12A==
-----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3727 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 09AF6D01D3E3059EA0E4543E880035C34D74CEFCBB9D20F34F8CC1789D2485B2
Session-ID-ctx:
Master-Key: 575CCE0D8562480D591DE3983B2B6709D1FF5F0FCF219FFF66C30B90A5A906E5A8BD6688DED22EDFE6F7DC9702915E5B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 3e 73 9d 09 9a 16 a9 a2-70 64 76 b4 16 b1 ca d0 >s......pdv.....
0010 - 70 37 62 e2 d3 e6 ac b3-31 31 4d 4b 1c 9b 2b 6c p7b.....11MK..+l
0020 - cc 1c 0d 3d ae dc ce c2-d4 36 41 4c 04 54 f0 e3 ...=.....6AL.T..
0030 - 15 03 04 b5 32 0d 8b c0-5b c0 d6 03 8d df d8 bf ....2...[.......
0040 - 74 7c ae ac da 3b 1a 8d-d7 56 3d 3a ee dd 69 d3 t|...;...V=:..i.
0050 - fb 2d 34 4a c4 51 0c e6-39 18 20 f1 cc 5d ab 66 .-4J.Q..9. ..].f
0060 - 9f f9 47 6f b4 09 6f 4f-42 6c 72 42 fd 92 a3 3b ..Go..oOBlrB...;
0070 - 95 3d a1 14 e5 33 b8 b4-8a de 0f f4 4b b6 08 2b .=...3......K..+
0080 - bb f6 18 3c 51 90 c8 ce-8c 9d 84 37 de be 07 72 ...<Q......7...r
0090 - 5d 5a fa 6a 28 70 95 29-28 5e 0d 26 0f 59 c7 d2 ]Z.j(p.)(^.&.Y..
00a0 - b5 86 1e 99 ....
Start Time: 1466605956
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
To make this work on your own network, you'll need to add the CA from your local security appliance into your container:
sudo cp ca.pem /usr/local/share/ca-certificates/my-ca.crt
sudo update-ca-certificates
My problem was also related to iptables. I ended up solving it by changing my iptables port forwarding rules to have an exception for any traffic originating from 0.0.0.0/0:
sudo iptables -t nat -A PREROUTING -p tcp ! -s 0.0.0.0/0 --dport 80 -j REDIRECT --to-port 8000
sudo iptables -t nat -A PREROUTING -p tcp ! -s 0.0.0.0/0 --dport 443 -j REDIRECT --to-port 8080
where ! -s 0.0.0.0/0 means "where the source is not 0.0.0.0/0 (traffic originating from this machine)"
You will probably have to remove whatever rules you have in place before adding these new ones.
EDIT: Turned out that didn't quite work either for reasons I don't understand. What I finally got to work was using ! -s 172.18.0.0/24, which seems to be docker's default (?) mask.
Related
My Chrome Version 92.0.4515.159 (Official Build) (64-bit) browser says: NET::ERR_CERT_AUTHORITY_INVALID when requesting the https://www.europasprak.com/ page.
The page https://incomplete-chain.badssl.com/ says:
incomplete-chain.badssl.com
The SSL Check https://www.sslshopper.com/ssl-checker.html#hostname=europasprak.com:443 shows:
europasprak.com resolves to 51.178.39.8
Server Type: Apache/2.4.46 (Unix) OpenSSL/1.1.1j PHP/7.3.9
The certificate will expire in 89 days. Remind me
The hostname (europasprak.com) is correctly listed in the certificate.
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
I just created the certificate:
sudo certbot certonly --webroot -w /home/europasprak/dev/learnintouch/www.europasprak -d europasprak.com -d www.europasprak.com \
-m example#example.com --agree-tos --staging
and it gave me the certificate files.
I can see it does not need to be renewed:
sudo certbot certonly --webroot -w /home/europasprak/dev/learnintouch/www.europasprak -d europasprak.com -d www.europasprak.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for europasprak.com and www.europasprak.com
Performing the following challenges:
http-01 challenge for europasprak.com
http-01 challenge for www.europasprak.com
Using the webroot path /home/europasprak/dev/learnintouch/www.europasprak for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.
The certbot version:
sudo certbot --version
certbot 1.12.0
Here is the Apache configuration I have in the apache/conf/extra/httpd-ssl.conf file:
<VirtualHost _default_:443>
ServerName www.europasprak.com:443
ServerAdmin example#example.se
ErrorLog "/home/europasprak/programs/install/apache/logs/error_log"
TransferLog "/home/europasprak/programs/install/apache/logs/access_log"
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/europasprak.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/europasprak.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/europasprak.com/fullchain.pem"
Here is the Apache configuration I have in the apache/conf/extra/httpd-vhosts.conf file:
<VirtualHost *:443>
ServerName www.europasprak.com
ServerAlias europasprak.com
DocumentRoot /home/europasprak/dev/learnintouch/www.europasprak
CustomLog /home/europasprak/programs/install/logs/learnintouch-access_log combined
<Directory "/home/europasprak/dev/learnintouch/www.europasprak">
Include /home/europasprak/dev/learnintouch/engine/setup/url_rewrite.conf
AllowOverride All
Require all granted
</Directory>
AddDefaultCharset UTF-8
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/europasprak.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/europasprak.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/europasprak.com/fullchain.pem"
</VirtualHost>
Some additional commands show:
13:12 $ curl -v https://incomplete-chain.badssl.com
* Trying 104.154.89.105:443...
* TCP_NODELAY set
* Connected to incomplete-chain.badssl.com (104.154.89.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
stephane#stephane-pc:~$ openssl s_client -connect incomplete-chain.badssl.com:443 -servername incomplete-chain.badssl.com
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGqDCCBZCgAwIBAgIQCvBs2jemC2QTQvCh6x1Z/TANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMzIzMDAwMDAwWhcN
MjIwNTE3MTIwMDAwWjBuMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g
VG9ycmVzMRUwEwYDVQQDDAwqLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtcqGhJsCK1+ZWesSssdj5s
wEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5QN6ZnHGGM9kFCxUbTFocn
n3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9glUp3aznxJNExtt1NwMT8
U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+WqIW3GmxV0TbChKr3sMP
R3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII2YxXhFOBBcvm/mtUmEAn
hccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMBAAGjggNhMIIDXTAfBgNV
HSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUne7Be4ELOkdp
cRh9ETeTvKUbP/swIwYDVR0RBBwwGoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29t
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et
c2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh
LXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH
AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIDMHwGCCsG
AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEE
AdZ5AgQCBIIBbgSCAWoBaAB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaO
HtGFAAABcQhGXioAAAQDAEcwRQIgDfWVBXEuUZC2YP4Si3AQDidHC4U9e5XTGyG7
SFNDlRkCIQCzikrA1nf7boAdhvaGu2Vkct3VaI+0y8p3gmonU5d9DwB2ACJFRQdZ
VSRWlj+hL/H3bYbgIyZjrcBLf13Gg1xu4g8CAAABcQhGXlsAAAQDAEcwRQIhAMWi
Vsi2vYdxRCRsu/DMmCyhY0iJPKHE2c6ejPycIbgqAiAs3kSSS0NiUFiHBw7QaQ/s
GO+/lNYvjExlzVUWJbgNLwB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7U
iwXlAAABcQhGXnoAAAQDAEcwRQIgKsntiBqt8Au8DAABFkxISELhP3U/wb5lb76p
vfenWL0CIQDr2kLhCWP/QUNxXqGmvr1GaG9EuokTOLEnGPhGv1cMkDANBgkqhkiG
9w0BAQsFAAOCAQEA0RGxlwy3Tl0lhrUAn2mIi8LcZ9nBUyfAcCXCtYyCdEbjIP64
xgX6pzTt0WJoxzlT+MiK6fc0hECZXqpkTNVTARYtGkJoljlTK2vAdHZ0SOpm9OT4
RLfjGnImY0hiFbZ/LtsvS2Zg7cVJecqnrZe/za/nbDdljnnrll7C8O5naQuKr4te
uice3e8a4TtviFwS/wdDnJ3RrE83b1IljILbU5SV0X1NajyYkUWS7AnOmrFUUByz
MwdGrM6kt0lfJy/gvGVsgIKZocHdedPeECqAtq7FAJYanOsjNN9RbBOGhbwq0/FP
CC01zojqS10nGowxzOiqyB4m6wytmzf0QwjpMw==
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2414 bytes and written 445 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6D14962A68C1190A92BF35C87CBBD88EFF179361453CB59CA14F318BB3A84CCE
Session-ID-ctx:
Master-Key: C1A08B4ED09A6E57535700BE20EF728A5DFA768733A6D122C83C0136F50B8B0CEC766F1B6A658A63AC4D61C2C2B05149
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5b d5 ed df 6b dc 79 68-af a2 3e 33 a2 72 4a fe [...k.yh..>3.rJ.
0010 - 68 8d 8b a9 27 e6 35 d8-0a 73 14 96 c3 e2 6c 7f h...'.5..s....l.
0020 - d6 51 09 7e 83 08 4c 9c-c9 f9 a3 f4 58 55 bd 67 .Q.~..L.....XU.g
0030 - b3 11 1b e8 fe 02 be a9-b8 9a e3 78 8c 90 54 20 ...........x..T
0040 - e0 b6 c0 c9 62 e4 37 ee-9a f1 aa 54 41 5c 13 7b ....b.7....TA\.{
0050 - 59 07 16 9d 5f 7d 47 c8-b0 52 a1 b5 d1 6c 28 33 Y..._}G..R...l(3
0060 - 2c 1d 90 24 65 a1 de 67-be 09 78 ff 1c 20 ba ca ,..$e..g..x.. ..
0070 - 29 c9 27 7c e9 6a 85 95-39 0c a2 80 27 1f f9 24 ).'|.j..9...'..$
0080 - 13 cb 98 08 d7 fc b4 1b-56 7a d4 ae bc 82 a3 e5 ........Vz......
0090 - 9a b4 03 e2 51 70 b1 be-b1 ab 51 3b cf 3d 92 96 ....Qp....Q;.=..
00a0 - d0 d9 f1 b8 2c 94 ad bc-f6 50 60 85 43 6d 7c 81 ....,....P`.Cm|.
00b0 - 66 e1 c4 36 ae 5b 36 56-e6 f5 57 ce 97 ee d3 c4 f..6.[6V..W.....
00c0 - 8e 93 df a9 01 77 99 77-10 c8 7a e6 82 fe 06 19 .....w.w..z.....
Start Time: 1630235514
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
read:errno=0
openssl x509 -in -noout -issuer
Can't open -noout for reading, No such file or directory
140596603377024:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('-noout','r')
140596603377024:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
unable to load certificate
openssl x509 -in cert.pem -noout -issuer
issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
I finally did some verification of the certificate files:
europasprak#vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl x509 -in cert.pem -noout -issuer
issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
europasprak#vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl x509 -in chain.pem -noout -subject
subject=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
europasprak#vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl verify -untrusted chain.pem
(This command hangs indefinitely)
europasprak#vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -noout
subject=CN = europasprak.com
issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
subject=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
issuer=C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
subject=C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
issuer=C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3
Looking at your certificate the Common Name (CN) and Organization (O) are incorrect as they both say Staging, they should say R3 and Let's Encrypt. When creating the certificate you specified --staging. Use the below command to generate a certificate.
sudo certbot ‐‐apache ‐d your_domain ‐d www.your_domain
i already install custom ssl on my dns (cloudflare), when i want to check with openssl s_client -connect www.website.com:443 this is the show of my output.
CONNECTED(00000003)
6870300:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1586067870
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
but when i compare to other website with same command, it show very different
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=*.ssl.hwcdn.net
i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.ssl.hwcdn.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6300 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 6189DF5D01CEEF48EE50AF6DD40542D77D083B889A07B8603942BAB5D6579AB4
Session-ID-ctx:
Master-Key: EEE2D439E6CF417D8D932A460EDEA22125676FD139A2DDA1662A415DC959A516FB1AD2D01778C3CD30521B23013A81B2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 43200 (seconds)
TLS session ticket:
0000 - ea 64 d2 dc 93 ae 32 b9-c5 80 e5 8c f1 98 8d 60 .d....2........`
0010 - 27 f1 af 82 96 4b 30 a7-db c5 ed 28 9a 5a fa 31 '....K0....(.Z.1
0020 - b7 1f 58 f8 46 72 c7 b2-90 1f fc 85 a4 25 dc 3d ..X.Fr.......%.=
0030 - b2 70 8d 6d 71 fa fc d1-88 33 fd 01 24 31 3c a4 .p.mq....3..$1<.
0040 - 6c 0d 00 9f 8f 2c 4e 3a-e5 f2 63 60 f3 0c 64 ef l....,N:..c`..d.
0050 - 44 c5 7e 1b 64 55 bc 89-ea f1 8e 2d 8d 23 f4 d0 D.~.dU.....-.#..
0060 - 0e 63 47 a7 c8 8a 98 b9-ee e6 13 cd ed fe 81 d6 .cG.............
0070 - c1 d4 c3 3c c4 b7 75 57-c7 fb 4b a6 0a 18 f2 76 ...<..uW..K....v
0080 - 6b b7 83 5e d3 bc 72 8b-28 f9 0b 5a 68 2e fb d7 k..^..r.(..Zh...
0090 - 7e 17 fe 1d b5 52 1b fa-31 83 6b ff 9f c0 31 e6 ~....R..1.k...1.
Start Time: 1586068272
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
also i check with website ssl checker, they show nothing wrong and everything is configured correct. but im curios what different from website ssl checker to openssl connection checker, or i missing something ? any idea ? thanks
It could be that SSL certificate is not configured properly for your www.website.com entity. Please check if it has been configured correctly; May be accessing the www.website.com with a browser over https could give you more information whether the problem lay at client side or server side.
Hope it was helpful
I have read many posts mentioning issues with local issuer certificate, but I failed to find an answer for my case.
I have setup a nginx proxy, that accepts client certificates for authorization. Everything works good from a browser that has imported the certificate.
I now try to connect to my server via curl without using the -k option, which I definately want to avoid. All involved certificates are self signed.
If I run
curl --key user.key --cert user.cert https://10.11.2.7:5043/v2/
I get the following:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
So, I follow the instructions that are listed in the mentioned link, and I run:
openssl s_client -connect 10.11.2.7:5043 |tee logfile
#Which gives the following:
depth=0 C = AT, ST = Vienna3, L = Vienna3, O = myCompany3, OU = IT, CN = 10.11.2.7:5043, emailAddress = a#b.c
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = AT, ST = Vienna3, L = Vienna3, O = myCompany3, OU = IT, CN = 10.11.2.7:5043, emailAddress = a#b.c
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a#b.c
i:/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a#b.c
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDtDCCApygAwIBAgIJANlY3T3cLe2EMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
VQQGEwJBVDEQMA4GA1UECAwHVmllbm5hMzEQMA4GA1UEBwwHVmllbm5hMzETMBEG
A1UECgwKemVub3RyYWNrMzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDjEwLjExLjIu
Nzo1MDQzMRQwEgYJKoZIhvcNAQkBFgVhQGIuYzAeFw0xODA4MjAxMTEzMzFaFw0x
OTA4MjAxMTEzMzFaMIGCMQswCQYDVQQGEwJBVDEQMA4GA1UECAwHVmllbm5hMzEQ
MA4GA1UEBwwHVmllbm5hMzETMBEGA1UECgwKemVub3RyYWNrMzELMAkGA1UECwwC
SVQxFzAVBgNVBAMMDjEwLjExLjIuNzo1MDQzMRQwEgYJKoZIhvcNAQkBFgVhQGIu
YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOYMlaIIU5vGpoxpS37+
KKff8gix2AuDcWWYE5Q2rQGwN3tH0ccS6ZyY8bOsDd81xUMrEAY53pwCJNchwi5Y
/2mOKeMDHDNO+f5t1YW7uEF6L4Nb3qQZ1CxHamT/xd6koxTdfhMljZ19VmZpL2T5
WNWH4ehEc8z7PvqpJeRNc3MpSRnVhj7NdoXE59qQwkhqfdPa3YrTZZuN6oYWHgMP
KyvwfvtpBqHJFovsXmOiD40MsSrF14AL5J5H6DV8mXwS+5TK0XFrkbPateGW89o7
YAWRssIQa9N0UxGvp4fc6YZv2q+H1GnYU7qhMPtgDHS/qoIVwJCGPDDcJBSPURtL
p8sCAwEAAaMrMCkwDwYDVR0RBAgwBocECgsCBzAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIF4DANBgkqhkiG9w0BAQsFAAOCAQEAr/bXIJBdy5iVVzih1BMrJfTfxhqhZb0e
YPmyuamc/7ek5IRqgfoBLLtXMmFaWVA5apRnWD+m6+3uCHD6vaJCz9uPQZPjOZm+
66wsBz6QAHUXWEUXrIp/F2gwSrWPHMGiLXpZ5/AhhfE/UpdsJQR3VxEoEDW2PDMN
Zc2A5ISiWHXiolQEWwBHJOxAvnVuxqvq94vC8e47a7L7CfhuZ9eq2tOD2pCw+hZa
JDmPU/fIH1P5DmU9ffSEyKwyXkkOtYJpJso2eYsZLsFte2qtUUx9IGykQHgP7SOK
0BKw9iMoY6/9sXnZ7o+vlcUnMhmdnInD9N4TYf089KvZm77FusHhow==
-----END CERTIFICATE-----
subject=/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a#b.c
issuer=/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a#b.c
---
Acceptable client certificate CA names
/C=AT/ST=Vienna1/L=Vienna1/O=myCompany/OU=IT/CN=10.11.2.7:5043
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1751 bytes and written 281 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: AA3F09732742D0ACD0F582362AB7CEA2DAFA628A2FD0BAFAF6B6514EA7D8812F
Session-ID-ctx:
Master-Key: 649F2319073FAF982C71279593067DFA95E31E68C3E6BE267BBBCAD048A8E5B290464C83E82E09C60EFA5235C1CA7B36
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 3b d0 96 e2 c6 85 4e 93-37 c0 0e aa e2 a0 e5 7b ;.....N.7......{
0010 - ba 85 0d 1a 55 da 25 f4-2d 1a d5 1d f9 4a 43 c6 ....U.%.-....JC.
0020 - 7d 22 79 17 03 3c b4 19-a8 17 e9 65 4d 85 f1 85 }"y..<.....eM...
0030 - e7 a5 1b 68 0a c1 8a 28-d7 95 7d ae e7 39 be 1a ...h...(..}..9..
0040 - 10 cc 0d ad 81 1c c5 7e-7b e6 41 96 5a dc 2a 8c .......~{.A.Z.*.
0050 - 91 ee 86 38 52 29 ab 02-3a 08 62 bd e6 2a 24 49 ...8R)..:.b..*$I
0060 - d9 b1 19 4f 09 3f 3d 98-cd 25 49 e3 77 43 87 f9 ...O.?=..%I.wC..
0070 - 31 f1 ec 56 84 e1 cf 3e-35 2b 23 23 9b 3e 99 18 1..V...>5+##.>..
0080 - 10 b6 ba 57 76 09 ba a7-eb 35 31 85 61 a6 f5 6e ...Wv....51.a..n
0090 - ff c1 c3 6d 01 8f 28 8d-15 a3 67 75 fe 6d 47 ff ...m..(...gu.mG.
00a0 - 36 eb 71 8e 12 a9 73 1d-18 72 25 02 6d 4f 62 10 6.q...s..r%.mOb.
Start Time: 1534764737
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
As the mentioned link above advices, I copied the certificate (including the BEGIN CERTIFICATE and END CERTIFICATE lines), and save them into a file, which I named trusted_certs.crt, and tried running curl with:
curl -vs --key user.key --cert user.cert --cacert /path/to/trusted_certs.crt https://10.11.2.7:5043/v2/
Unfortunatelly, it still does not work, and sais:
Trying 10.11.2.7...
* TCP_NODELAY set
* Connected to 10.11.2.7 (10.11.2.7) port 5043 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /path/to/trusted_certs.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
I obviously do somehing wrong, but I fail to find it out. Any help welcome!
From OpenSSL Verify return code: 20 (unable to get local issuer certificate):
This error also happens if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.
Helped in my case.
I sometimes use elinks for web browsing and it happens that some https sites fail to load because of an SSL error.
One example is https://www.rust-lang.org that doesn't load in elinks, but work fine other browsers like chromium and firefox.
Checking the https://www.rust-lang.org certificate with the command line give a very short output:
$ echo | openssl s_client -connect www.rust-lang.org:443 2>/dev/null
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 297 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1459658221
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
As a comparison google output is:
$ echo | openssl s_client -connect www.google.com:443 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIF8zP738syB4wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwMzIzMTk0MTQ0WhcNMTYwNjE1MTkyMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoxzls
wT/PC9gErDAme+LX9PAdv8270+BHCaNe/YxZE093ryPQq5PPKHsBNSzNvHwNfWuv
H3z/CBvaIiFgBimSm3cWOvjXipqTL5sHGkLr/RNAxmwo2dUKZ0LBUCXB4YvXkMb0
lI3XpgZk1CUzE7jj3HDgA+IOpT8JgbmKH19Z7+lwBzaunztBk8YM/LKrb9XtDzYW
diPkBwm0xx2dj2jCrj49Hvug9qAGQ5Zx8YuNrwR5qYXW/8aVB6MJ8r/ZLKzU39k3
nvp5ZylyGklJAuGneCblChzpR18ab8k2B/26qgCv7T4MLoAGRTbvTrZ0HxTj8aie
yI0+jZjRQjBeYwGPAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQKfpRDWX9xAx1/4SBXfKJdHrqPHjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAiwUNf4uVHi1f8u1m
nd2vEHlOIQkNFLeuj9RPQfsFPL7fX/UzE5HbLzp1y4ICnRuCONKhz08YZ56pQ09A
+MfzIm0/e3yytHRf5f+YWATKkGtEh3pJdkOJM2UYIFFDs382a+bau7dTVyZFgMyS
m2Wlhw/zCLBgIebkSwsrrJAftwKu2AjvG6XJCUd08MSEe6UVF15COudEdVkKoDWR
ZmITWRFSFAeeJ5dKAzRojKVgGYV8tw6ByVKSizl5WS+hrXdD4IHkProKEFbSQgIv
Eyv87d8W8yscamZDU6Da+Djjxf07LkE3qDtd/RQY+IMm4V17ko6WfaV7ibionAA5
uAnzkw==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3727 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: BBBB89FD38DF58981900A70A2F92A01E57888CF80B71AE19DE5F92EDE389D7FE
Session-ID-ctx:
Master-Key: 80B4C5C3F81C7AFDAA226BB0285E9F9088737151CCB4EA742328C727363F9663997E68D757CB73B79EF8E3C90B622E12
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - ee 03 90 3e 12 a6 14 ba-f9 db 39 f7 6f 3c bf 58 ...>......9.o<.X
0010 - 32 5d 0a 6f 08 cf 17 f9-16 49 91 c3 4f 99 50 01 2].o.....I..O.P.
0020 - 6a 90 47 0a 7d 62 5e b8-26 ef 21 9f f3 df a9 35 j.G.}b^.&.!....5
0030 - 17 90 53 cf 6a 1e d8 e7-ef d9 7a fc ea 80 c0 74 ..S.j.....z....t
0040 - c2 ee ba e4 5c ef 04 38-45 58 75 f6 7f f4 cd 78 ....\..8EXu....x
0050 - eb 31 5d be c2 c9 bb cd-dc c1 13 cc 81 84 48 39 .1]...........H9
0060 - 12 52 43 ae c6 24 1b 6e-85 7f 23 90 ff 80 9c 11 .RC..$.n..#.....
0070 - 49 e2 b4 c1 bf 32 08 e5-c4 55 84 de 46 77 d0 a1 I....2...U..Fw..
0080 - 92 7b 7c 1b 54 a1 49 c2-b0 d7 b9 f8 65 d2 1d 19 .{|.T.I.....e...
0090 - 2d 8e 5a 66 72 6c c8 50-7c d7 aa b8 58 28 7c 7d -.Zfrl.P|...X(|}
00a0 - 4c 64 1a 85 Ld..
Start Time: 1459659110
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Why chromium and firefox get the right certificate and not elinks,
and is there a way to read these sites in elinks?
You need to use Server Name Indication (SNI) to successfully access www.rust-lang.org. With openssl s_client this can be done by adding the -servername parameter:
$ openssl s_client -connect www.rust-lang.org:443 \
-servername www.rust-lang.org
...
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.rust-lang.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
All modern browser support SNI and it is heavily used in the internet. For instance all of Cloudflare Free SSL needs SNI. My guess is that the version of elinks you use does not support SNI yet. I've found a related bug report from 09/2015 against elinks 0.12pre6. Given that this version is still the newest version and that it looks like that development of elinks stopped in 2012 my guess is that the issue is still unresolved.
The latest git version from elinks seems to solve all these problems.
First off happy new year,
Im having a few issues with LDAPS on a windows server 2008 AD
Details
Server - Windows server 2008 R2
Roles - Active directory, CA, DNS, FILE, ISS
SSL certificate - wildcard- *.inbay.co.uk created for IIS to be used with the exchange server. purchased from godaddy*
We are connecting to the sever via url ldap.inbay.com on port 636
Port forwarding and firewalls are fine- double checked it
When i try to connect it says it can not verify the issuer of the certificate, and its serving the self signed certificate for SSL LDAP connections.
I tested this with LDAP admin
i googled around and fount couple of articles.didn't help much
this is the output i get when i run the Certutil -VerifyStore MY command
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> Certutil -VerifyStore MY
MY
================ Certificate 0 ================
Serial Number: 4b90e844870a99
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository
, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 12/03/2013 13:29
NotAfter: 25/03/2014 10:18
Subject: CN=*.inbay.co.uk, OU=Domain Control Validated
Non-root Certificate
Template:
Cert Hash(sha1): b2 d6 9e 83 3c 58 54 83 52 fb 1a 15 50 ca 8c e3 ff 73 15 08
Key Container = {71FC82A4-088D-4E7E-90F7-02518A4737D7}
Unique container name: 9897d36f7e68959f5c8e90d29eb57258_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
Verified Issuance Policies:
2.16.840.1.114413.1.7.23.1
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
1.3.6.1.5.5.7.3.2 Client Authentication
Certificate is valid
================ Certificate 1 ================
Serial Number: 3c56d548390980b8420af7c1965d2fd1
Issuer: CN=localhost
NotBefore: 06/08/2013 10:27
NotAfter: 06/08/2023 00:00
Subject: CN=localhost
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
Key Container = IIS Express Development Certificate Container
Unique container name: fad662b360941f26a1193357aab3c12d_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
Issuer: CN=localhost
NotBefore: 06/08/2013 10:27
NotAfter: 06/08/2023 00:00
Subject: CN=localhost
Serial: 3c56d548390980b8420af7c1965d2fd1
53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
Issuer: CN=localhost
NotBefore: 06/08/2013 10:27
NotAfter: 06/08/2023 00:00
Subject: CN=localhost
Serial: 3c56d548390980b8420af7c1965d2fd1
53 80 b4 86 29 33 14 be 3b 6f 77 12 0e c1 3d 9e a3 71 ba 34
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b01
09 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
================ Certificate 2 ================
Serial Number: 4ada0ad8a1800a8c4eca7496f0a354af
Issuer: CN=inbay-INBAY-DC01-CA, DC=inbay, DC=local
NotBefore: 24/09/2013 14:51
NotAfter: 24/09/2018 15:01
Subject: CN=inbay-INBAY-DC01-CA, DC=inbay, DC=local
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 35 31 0a f7 22 ff 1e eb b9 e1 f7 46 07 b9 00 7e 26 72 11 26
Key Container = inbay-INBAY-DC01-CA
Unique container name: 3a799630eec48121d0d4d01abd8c671c_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Provider = Microsoft Software Key Storage Provider
Signature test passed
Verified Issuance Policies: All
Verified Application Policies: All
Certificate is valid
================ Certificate 3 ================
Serial Number: 1f744eb2000000000002
Issuer: CN=inbay-INBAY-DC01-CA, DC=inbay, DC=local
NotBefore: 24/09/2013 17:26
NotAfter: 24/09/2014 17:26
Subject: CN=Inbay-DC01.inbay.local
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 04 d9 93 c9 8e 30 bb 10 bd 5c ad 15 86 fd 93 58 ff 1f 52 a4
Key Container = 463be5b6728428cbeb4f0752659c5778_17f1a298-bcac-495b-8ef3-1cc37965ce9e
Simple container name: le-DomainController-160a2aad-80f6-409a-b56c-37730ce782ec
Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
Certificate is valid
CertUtil: -verifystore command completed successfully.
Im worried about the following error we get, is it something i have to be worried about
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
What i did
I added the SSL cert to the trusted root
Added the cert to the default domain Group policy > computer config > security > public key policies
Thanks in advance for any assistance provided...