Hitch behaves differently depending on client - handshaking

I need some help troubleshooting - not sure where to begin looking for the problem.
I have an instance of Hitch on my company server. When I access the hitch endpoint via my desktop browser, it proxies me to the service as expected. However, when I access the hitch endpoint via curl (on the same desktop), it fails. In the Hitch log I see the error:
Handshake failure: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Can anyone suggest a starting point for troubleshooting? (I've done update-ca-certificates on both machines already, but that's as far as my knowledge takes me...)
Any advice is welcome! Thanks!
Mark

Related

How to troubleshoot angular app hosted in WSL2

I am very new to development, so I apologize in advance if I am not being clear enough. I appreciate any feedback on the question and how to better pose it.
I'm currently working on an angular app hosted in WSL2. To get it to run locally, this is what I do:
Launch solution in VS Code
From terminal, run npm start
Then, I click on Run and Debug
Once I get the Now listening on: ..... message, I move on to Chrome to start debugging my app
Since this morning, I keep getting an ERR_CONNECTION_REFUSED in the browser, and I'm currently waiting on IT to step in as there could have been some security changes placed that are blocking the requests. Also, I'm not using the VPN.
In the meantime, is there a way to know for sure (or get as close as possible to) what is causing the connection to be refused in my particular scenario? I'm curious about it, but I don't know how to even search the topic properly due to lack of proper terms.
What should one do to at least obtain more details about the issue on their own (perhaps, to help expedite help by collecting important info upfront)? Where my apps are hosted in WSL2, I get very confused between the ip address originating the request and that of the server.
I appreciate any guidance anyone could provide.
It turned out there was a VPN software running where the firewall was ON, even though I was not in the VPN (it went on after I connected to the VPN the previous day). I guess there was nothing else I could have done anyway.

Unable to use docker due to ZScaler and certificate issues

I have VMware Photon OS running in VMware Player. This will be used as the host OS to run Docker containers.
However, since I'm behind a ZScaler, I'm having issues running commands that access external resources. E.g. docker pull python gives me the following output (I added some line breaks to make it more readable):
error pulling image configuration:
Get https://dseasb33srnrn.cloudfront.net/registry-v2/docker/registry/v2/blobs/sha256/a0/a0d32d529a0a6728f808050fd2baf9c12e24c852e5b0967ad245c006c3eea2ed/data
?Expires=1493287220
&Signature=gQ60zfNavWYavBzKK12qbqwfOH2ReXMVbWlS39oKNg0xQi-DZM68zPi22xfDl-8W56tQmz5WL5j8L39tjWkLJRNmKHwvwjsxaSNOkPMYQmhppIRD0OuVwfwHr-
1jvnk6mDZM7fCrChLCrF8Ds-2j-dq1XqhiNe5Sn8DYjFTpVWM_
&Key-Pair-Id=APKAJECH5M7VWIS5YZ6Q:
x509: certificate signed by unknown authority
I have tried to extract the CA root certificates (in PEM format) for ZScaler from my Windows workstation, and have appended them to /etc/pki/tls/certs/ca-bundle.crt. But even after restarting Docker, this didn't solve the issue.
I've read through numerous posts, most referencing the command update-ca-trust which does not exist on my system (even though the ca-certificates package is installed).
I have no idea how to go forward. AFAIK, there are two options. Either:
Add the ZScaler certificates so SSL connections are trusted.
Allow insecure connections to the Docker hub (but even then it will probably still complain because the certificate isn't trusted).
The latter works by the way, e.g. executing curl with the -k option allows me to access any https resource.
The problem is that ZScaler is acting as a man-in-the-middle, doing SSL inspection in your organization (see https://support.zscaler.com/hc/en-us/articles/205059995-How-does-Zscaler-protect-SSL-traffic-).
Since you've tried putting the certificate in Docker, I guess you're already familiar with the steps described in https://stackoverflow.com/a/36454369/1443505. That answer is almost correct for the ZScaler scenario. One thing to note is that because ZScaler intercepts the CA tree, we need to add all the certificates in the chain.
For now, the certificate chain behind ZScaler looks as follows
We need to export them all one by one and follow the instructions in https://stackoverflow.com/a/36454369/1443505 for each of them.
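The "export them all one by one" step above is the part people get wrong, so here is an added example (not code from the thread or from ZScaler) that does it mechanically: it splits a captured chain into one PEM file per certificate and appends each one, idempotently, to a CA bundle such as the /etc/pki/tls/certs/ca-bundle.crt named in the question. The same procedure applies to the Hitch thread at the top of the page, since a "tlsv1 alert unknown ca" logged by the server means the client (curl there) rejected the server's chain as issued by a CA it does not trust, which is a client trust-store or missing-intermediate problem rather than something update-ca-certificates on the server can fix. The chain itself is assumed to have been captured with openssl s_client -showcerts from inside the proxied network; the certificates in the demo function are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original thread): split a certificate chain into
# one PEM file per certificate, then append each to a CA bundle such as the
# /etc/pki/tls/certs/ca-bundle.crt mentioned in the question.
# The usual way to capture the chain an intercepting proxy presents is
#   openssl s_client -showcerts -connect registry-1.docker.io:443 </dev/null
# run from inside the network; that output, including the " 0 s:/CN=..." noise
# lines between certificates, is what split_pem_chain expects as input.

# split_pem_chain BUNDLE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... (leaf first, as s_client prints
# them) and prints how many certificates were found. Lines outside a
# BEGIN/END pair are dropped.
split_pem_chain() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# install_chain OUTDIR TRUSTFILE
# Appends every cert-*.pem in OUTDIR to TRUSTFILE unless it is already there,
# so the function can be re-run safely. The first base64 line of a certificate
# (which encodes its leading bytes, serial number included) is used as a cheap
# fingerprint; on real certificates confirm what you installed with
#   openssl x509 -noout -subject -issuer -fingerprint -in FILE
# Prints the number of certificates appended.
install_chain() {
    outdir="$1"
    trustfile="$2"
    added=0
    [ -f "$trustfile" ] || : > "$trustfile"
    for f in "$outdir"/cert-*.pem; do
        [ -f "$f" ] || continue
        fp=$(sed -n '2p' "$f")
        if grep -Fqx -- "$fp" "$trustfile"; then
            continue
        fi
        cat "$f" >> "$trustfile"
        added=$((added + 1))
    done
    echo "$added"
}

# Constructed demonstration: a fake two-certificate chain with s_client-style
# noise lines between the blocks. These are placeholders, not real certificates.
demo_chain() {
    tmp=$(mktemp -d)
    cat > "$tmp/chain.pem" <<'EOF'
 0 s:/CN=registry-1.docker.io
   i:/CN=Example Proxy Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBfakeLEAFfakeLEAFfakeLEAFfakeLEAFfakeLEAFfakeLEAFfakeLEAFfake
-----END CERTIFICATE-----
 1 s:/CN=Example Proxy Intermediate CA
   i:/CN=Example Proxy Root CA
-----BEGIN CERTIFICATE-----
MIIBfakeINTERMEDIATEfakeINTERMEDIATEfakeINTERMEDIATEfakeINTERMEDI
-----END CERTIFICATE-----
EOF
    n=$(split_pem_chain "$tmp/chain.pem" "$tmp/split")
    a=$(install_chain "$tmp/split" "$tmp/ca-bundle.crt")
    echo "split=$n appended=$a bundle=$tmp/ca-bundle.crt"
}

demo_chain
```

On a real host you would point install_chain at the bundle your TLS library actually reads (the question's /etc/pki/tls/certs/ca-bundle.crt, or the distro tool's input directory where update-ca-trust or update-ca-certificates exists), then restart the Docker daemon as the question did, since it only reads the bundle at startup. Export the root and every intermediate the proxy presents; a bundle with only the root still fails if the proxy omits the intermediate from its chain.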

Install Neo4j on Azure, cannot browse WebAdmin

I've just installed Neo4j 1.8.2 onto Azure by following this step-by-step process...
http://de.slideshare.net/neo4j/neo4j-on-azure-step-by-step-22598695
Unfortunately, when I browse to http://:7474/webadmin Fiddler says Error 10061 - No connection could be made because the target machine actively refused it.
I've followed the instructions exactly and haven't received any errors.
Any help much appreciated.
So, I think I got to the bottom of this. I think it was due to the size of compute / VM I was creating. It looks like the problem is caused when running on Extra Small instances. I created a new installation using a Small instance and everything now works :).
Try setting the server to accept connections from all hosts, and maybe use a newer Neo4j, say 1.9.4
http://docs.neo4j.org/chunked/stable/security-server.html#_secure_the_port_and_remote_client_connection_accepts
The way the VM Depot image is set up, it's pre-configured to allow all hosts to connect, and the Neo4j server will auto-start. The only thing you need to take care of, when constructing your VM, is to open an Input Endpoint, with any public port you want (preferably 7474 to stay true to Neo4j) and internal port 7474.
Note that the UI changed a bit since the how-to was published: You can specify the endpoint as the last step before creating your virtual machine. Other than that, the instructions should be the same. And... once the VM is up and running (it'll take about 5-10 minutes), you just visit http://yourservicename.cloudapp.net:7474 and you should see the web admin. Note: this is not the same as your VM name. If you named your VM something like 'neo' then you do not want http://neo:7474 or http://neo.cloudapp.net:7474. You need to use your cloud service name (you had to create a name for the service when you deployed the VM).
I've deployed that image several times in demos, and just tried again right now to make sure nothing wonky happened. Worked perfectly.

TortoiseSVN Error: Could not send request body: an existing connection was forcibly closed by the remote host

Let me preface this by saying I have basically 0 knowledge of web development. That being said, I'll still try to provide you with as much information as I possibly can. Our client is using IIS7 on a Windows Server 2008 R2 machine. The TortoiseSVN error they're getting is this:
Error: Could not send request body: an existing connection was forcibly closed by the remote host.
Using the powers of Google, it seems that there are two possible things that could be occurring here. As it is a 4GB file, I've seen people mention that it could be a configuration issue in that the timeout could be a little short, that I might need to enable a setting somewhere to allow committing of larger files, or that it could be a network issue. It might be useful to note that they can commit smaller files.
I've already tried disabling the firewall, as well as the antivirus, on the server and having them retry, but that didn't work. They are trying to upload from a desktop to the server and they are on the same network through a gigabit switch. I'm sure I'm missing useful information for you guys but I'm a total noob to web dev, their set up, and actually understanding what they're trying to do. If you need any more information from me I'll be glad to provide it.
The problem could be the too-strict timeout options configured in Apache2's reqtimeout module. I simply disabled it:
a2dismod reqtimeout
/etc/init.d/apache2 restart
Credit to: https://serverfault.com/questions/297562/svn-https-problem-could-not-read-status-line-connection-was-closed-by-ser

Facing error while logging Entrust Authority Security manager

I am facing the below error while logging into Entrust Authority Security Manager server version 7.1.
"Unable to retrieve valid certification revocation list"
This installation was working properly one year ago. Now when I try to log in we are getting the above error. Can anyone please help with this issue?
Thanks Santhosha K
This is because the OCSP server that is being run by the Certificate Authority cannot be accessed. It is very likely that their machine is down for maintenance, but it could be down or inaccessible for other reasons.
Like with any utility, call your CA and notify them of the problem.
When you check the event viewer, error code 2658 will be reported for this case. This is basically because the workstation clock has been advanced intentionally, or the Security Manager application is not aware of the time change. Please start Entrust/Master Control to acknowledge the time change, or correct your clock.
Do the following and the login to Security Manager will be successful:
Start Entrust/Master Control to acknowledge the time change or correct your clock. During the login process, a message is displayed indicating that Entrust/Master Control Time is not the same as the machine time. The user is asked whether or not they want Entrust/Master Control to put these changes into effect.
Click OK.
Start the Entrust/Authority services in Entrust/Master Control.