How to set CApath for NGINX SSL Connection - ssl

I'm trying to set up an SSL connection to SagePay from my website. I can run openssl s_client successfully and it returns: Verify return code: 0 (ok), but only if I specify the CApath, e.g.
openssl s_client -connect test.sagepay.com:443 -CApath /usr/local/ssl/certs/
When I try using the website I get an error:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
How do I tell NGINX where to find the ssl certs I have installed?
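As an added example (not part of the original question, and not NGINX or SagePay code): the script below builds a throwaway CA and a leaf certificate, then shows why -CApath only works on a directory that has been hashed with openssl rehash, and that OpenSSL's default trust paths pick the same directory up from the SSL_CERT_DIR environment variable; the last check covers the self-signed case that the wget post further down runs into. All names and paths are constructed, and it assumes OpenSSL 1.1.0 or newer.

```shell
# Added example (not from the original post). Builds a constructed test CA and
# a leaf certificate signed by it, then verifies the leaf against an unhashed
# directory, a hashed one, and the same directory passed via SSL_CERT_DIR.
# Assumes OpenSSL 1.1.0+ (for "openssl rehash" and "-no-CAfile").
set -e
WORK="$(mktemp -d)"
CAPATH="$WORK/capath"      # the directory we will hand to -CApath
mkdir -p "$CAPATH"

# Minimal config so the CA gets basicConstraints CA:TRUE regardless of the
# system openssl.cnf (req insists on a distinguished_name section, even empty).
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF

# Constructed test PKI: self-signed CA, a CSR for a leaf, leaf signed by the CA.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
  -nodes -days 1 -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=test.example.invalid" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
cp "$WORK/ca.pem" "$CAPATH/"

# verify_with_capath DIR CERT: prints "ok" when CERT chains to a CA found in DIR,
# otherwise OpenSSL's first "error <num> ..." line (20 = unable to get local
# issuer, 18 = self-signed certificate that is not itself a trust anchor).
verify_with_capath() {
  openssl verify -no-CAfile -CApath "$1" "$2" 2>&1 \
    | sed -n -e 's/.*: OK$/ok/p' -e '/^error [0-9]/p' | head -n 1
}

# verify_with_env DIR CERT: same check through OpenSSL's default trust paths,
# which is what a client that never passes an explicit CApath ends up using.
verify_with_env() {
  SSL_CERT_DIR="$1" openssl verify "$2" 2>&1 \
    | sed -n -e 's/.*: OK$/ok/p' -e '/^error [0-9]/p' | head -n 1
}

# hash_capath DIR: create the <subject-hash>.0 symlinks that -CApath looks up.
hash_capath() { openssl rehash "$1" 2>/dev/null; }

echo "leaf, unhashed dir:  $(verify_with_capath "$CAPATH" "$WORK/leaf.pem")"
hash_capath "$CAPATH"
echo "leaf, hashed dir:    $(verify_with_capath "$CAPATH" "$WORK/leaf.pem")"
echo "leaf, SSL_CERT_DIR:  $(verify_with_env "$CAPATH" "$WORK/leaf.pem")"
echo "self-signed CA cert: $(verify_with_capath "$CAPATH" "$WORK/ca.pem")"
```

The first line prints error 20 and the remaining three print ok; a directory that merely contains the PEM file is not enough, it has to be hashed, and any OpenSSL-based client that relies on the default paths can be pointed at it with SSL_CERT_DIR.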

Related

Why does openssl retrieve "no peer certificate available"?

I have an EC2 instance on AWS from which I want to curl one specific website. When I try, I receive the error "OpenSSL SSL_connect: Connection reset by peer in connection to host". When I try to use the openssl s_client -connect host:443 -showcerts command to retrieve the SSL certificate, I receive the message:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
But when I try it on my personal computer, I can run both the openssl and the curl command without errors.

OpenSSL Client authentication fails with expecting trusted certificate

I am following the F5 KB article to test SSL client-based cert auth using openssl s_client, but it keeps failing with this error:
OpenSSL> s_client -connect auc.akmlab.local:443 -key "C:\HELPAG\akmlab files\certs\admin-c-auth-ca-cert2.key" -cert "C:\HELPAG\akmlab files\certs\admin-c-auth-ca-cert.crt"
unable to load certificate
8204:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
error in s_client
OpenSSL>
I am trying to google for this but cannot find much info related to SSL client auth.
I have imported this same user cert into my browser and it works fine.
The server is an F5 BIG-IP device with the root certificate of the CA that signed the user certificate.

Unable To Trust Self-Signed SSL Certificate

I have an application running on Centos7 that needs to connect to a remote host over HTTPS. However, it is unable to verify the certificate and fails. Also, if I try to download a file from the server using wget, I get the below error:
[root#foo:~]# wget https://10.65.127.9/index.html
--2017-05-22 09:03:01-- https://10.65.127.9/index.html
Connecting to 10.65.127.9:443... connected.
ERROR: cannot verify 10.65.127.9's certificate, issued by ‘/CN=us6877vnxe7827’:
Unable to locally verify the issuer's authority.
To connect to 10.65.127.9 insecurely, use `--no-check-certificate'.
So I get the certificate from the host:
openssl s_client -connect 10.65.127.9:443 <<<'' | openssl x509 -out /etc/pki/ca-trust/source/anchors/mycert.pem
And execute the following to process it:
update-ca-trust extract
This, however, results in the same issue. If I run:
openssl s_client -connect 10.65.127.9:443 -showcerts -debug
I do get some errors and various messages:
depth=0 CN = us6877vnxe7827
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = us6877vnxe7827
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=us6877vnxe7827
i:/CN=us6877vnxe7827
Server certificate
subject=/CN=us6877vnxe7827
issuer=/CN=us6877vnxe7827
---
No client certificate CA names sent
---
Verify return code: 21 (unable to verify the first certificate)
Any ideas what I may be missing? If any further info helps, please let me know.
For wget you need to provide the certificate authority (CA) certificate(s) that signed the HTTPS server certificate. If you have those CA certificates, add them with the --ca-certificate=file or --ca-directory=directory options.
If you don't have them and you want to skip HTTPS server certificate verification (insecure and can be dangerous), then use the --no-check-certificate option.
I had the same problem with Jenkins trying to connect to our GitLab server.
The server does have a valid official certificate in our case, but Java didn't accept it.
You are right about downloading the certificate.
However, the application you are mentioning is probably running inside a Java Virtual Machine (as a lot of applications are).
So from the point that you downloaded the certificate to a PEM file, you may have to add it to the VM's trusted certificates instead.
This article describes how to do that. Hope it helps.

Error Connecting to EPP Server Using openssl s_client

I'm currently trying to connect to an EPP server using openssl s_client to verify my connection. The below command outputs the following.
openssl s_client -connect example.com:700
Response:
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
41282:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s3_pkt.c:1145:SSL alert number 40
41282:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.30.2/src/ssl/s23_lib.c:185:
I then proceeded to download the DigiCert SHA2 Secure Server CA from https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
I then re-attempted using a self-signed cert created with openssl, along with the new DigiCert certificate.
openssl s_client -connect example.com:700 -CAfile DigiCertSHA2SecureServerCA.crt -key key.pem -cert cert.pem -debug
And I get the same error. What could I be doing wrong here?
From the information you provide, the client gets the certificate from the server and continues with the handshake, but then gets a handshake_failure (alert 40) back from the server. Getting this error at this stage of the handshake is likely caused by the server expecting a client certificate which the client did not provide. But to be really sure, one would need more information, ideally a full packet capture of the connection.
If you are using a self-signed certificate you should use the same file for both -CAfile and -cert. If you are using DigiCert CA in -CAfile then in -cert it should be a certificate signed by DigiCert.
Also, the server needs to accept your certificate, which means it needs to have its CA (and possibly intermediate CAs) beforehand.

Rabbitmq-c "SSL peer cert verification failed"

I'm trying to connect to a RabbitMQ server using SSL, but I'm getting this error: "SSL peer cert verification failed".
I check the certificate using openssl like so:
openssl s_client -connect host:port -CAfile cacert.pem
And got "Verify return code: 0 (ok)", so I believe that the certificate is OK.
I'm trying to use the amqps_bind.c example here.
I only need server verification so I removed the amqp_ssl_socket_set_key().
The code is failing in amqp_socket_open().
Also, I have C# code that can connect to the same server using SSL without any errors.
I have found my issue.
The cacert.pem file that I provided was all the chain of certificates.
After extracting only the root certificate I can connect to the server.
Apart from that, also check the following config in your rabbitmq.config:
{verify,verify_peer},
{fail_if_no_peer_cert,true}]},
Change those to the following if you do not want to verify the peer:
{verify,verify_none},
{fail_if_no_peer_cert,false}]},