I'm new to Linux, just installed Lubuntu and faced the problem -
when i'm trying to clone my remote work repo from my company's git:
$ sudo git clone https://path/to/repo.git
I keep on receiving error:
Cloning into 'repo'...
fatal: unable to access 'https://path/to/repo.git/': server certificate verification failed. CAfile: none CRLfile: none
I know it's mentioning certificates, but i do not have any. And before, i worked on windows and was able to simply git clone this repo without any certs.
This error means that the git client cannot verify the integrity of the certificate chain or root. The proper way to resolve this issue is to make sure the certificate from the remote repository is valid, and then added to the client system.
Update list of public CA
The first thing I would recommend is to simply update the list of root CA known to the system as show below.
# update CA certificates
sudo apt-get install apt-transport-https ca-certificates -y
sudo update-ca-certificates
This may help if you are dealing with a system that has not been updated for a long time, but of course won’t resolve an issue with private certs.
Fetch certificates, direct connection
The error from the git client will be resolved if you add the certs from the remote git server to the list of locally checked certificates. This can be done by using openssl to pull the certificates from the remote host:
openssl s_client -showcerts -servername git.mycompany.com -connect git.mycompany.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
This will fetch the certificate used by “https://git.mycompany.com”, and copy the contents into a local file named “git-mycompany-com.pem”.
Fetch certificates, web proxy
If this host only has access to the git server via a web proxy like Squid, openssl will only be able to leverage a squid proxy if you are using a version of OpenSSL 1.1.0 and higher. But if you are using an older version of OpenSSL, then you will need to workaround this limitation by using something like socat to bind locally to port 4443, and proxy the traffic through squid and to the final destination.
# install socat
sudo apt-get install socat -y
# listen locally on 4443, send traffic through squid "squidhost"
socat TCP4-LISTEN:4443,reuseaddr,fork PROXY:squidhost:git.mycompany.com:443,proxyport=3128
Then in another console, tell OpenSSL to pull the certificate from the localhost at port 4443.
openssl s_client -showcerts -servername git.mycompany.com -connect 127.0.0.1:4443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > git-mycompany-com.pem
Add certificate to local certificate list
Whether by proxy or direct connection, you now have a list of the remote certificates in a file named “git-mycompany-com.pem”. This file will contain the certificate, its intermediate chain, and root CA certificate.
The next step is to have this considered by the git client when connecting to the git server. This can be done by either adding the certificates to the file mentioned in the original error, in which case the change is made globally for all users OR it can be added to this single users’ git configuration.
** Adding globally **
cat git-mycompany-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt
** Adding for single user **
git config --global http."https://git.mycompany.com/".sslCAInfo ~/git-mycompany-com.pem
Which silently adds the following lines to ~/.gitconfig
[http "https://git.mycompany.com/"]
sslCAInfo = /home/user/git-mycompany-com.pem
Avoid workarounds
Avoid workarounds that skip SSL certification validation. Only use them to quickly test that certificates are the root issue, then use the sections above to resolve the issue.
git config --global http.sslverify false
export GIT_SSL_NO_VERIFY=true
I know there is an answer already. Just for those who use a private network, like Zscaler or so, this error can occur if your rootcert needs to be updated. Here a solution on how this update can be achieve if using WSL on a Windows machine:
#!/usr/bin/bash
# I exported the Zscaler certifcate out of Microsoft Cert Manager. It was located under 'Trusted Root Certification > Certificates' as zscaler_cert.cer.
# Though the extension is '.cer' it really is a DER formatted file.
# I then copied that file into Ubuntu running in WSL.
# Convert DER encoded file to CRT.
openssl x509 -inform DER -in zscaler_cert.cer -out zscaler_cert.crt
# Move the CRT file to /usr/local/share/ca-certificates
sudo mv zscaler_cert.crt /usr/local/share/ca-certificates
# Inform Ubuntu of new cert.
sudo update-ca-certificates
Related
For reference, my MacBook Air is running version 10.14.1.
I've tried to download ghcup by running this command in the terminal:
curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | sh
However, when I run this command, I recveieve the following error:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Could this error be caused by my MacBook running an old version?
In my Azure Linux web app, I'm trying to perform an API call to an external provider, with a certificate. That call fails, while it's working fine when deploying the same code on a Windows app service plan. The equivalent cURL command line is:
curl --cert-type p12 --cert /var/ssl/private/THUMBPRINT.p12 -X POST https://www.example.com
The call fails with the following error:
curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
The issue is caused by OpenSSL 1.1.1d, which by defaults requires a security level of 2, and my certificate is signed with SHA1 with RSA encryption:
openssl pkcs12 -in THUMBPRINT.p12 -nodes | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
On a normal Linux VM, I could edit /etc/ssl/openssl/cnf to change
CipherString = DEFAULT#SECLEVEL=2
to security level 1, but on an Azure Linux web app, the changes I make to that file are not persisted..
So my question is: how do I change the OpenSSL security level on an Azure web app? Or is there a better way to allow the use of my weak certificate?
Note: I'm not the issuer of the certificate, so I can't regenerate it myself. I'll check with the issuer if they can regenerate it, but in the meantime I'd like to proceed if possible :)
A call with Microsoft support led me to a solution. It's possible to run a script whenever the web app container starts, which means it's possible to edit the openssl.cnf file before the dotnet app in launched.
To do this, navigate to the Configuration blade of your Linux web app, then General settings, then Startup command:
The Startup command is a command that's ran when the container starts. You can do what you want, but it HAS to launch your app, because it's no longer done automatically.
You can SSH to your Linux web app, and edit that custom_startup.sh file:
#!/usr/sh
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
# run the dotnet website
cd /home/site/wwwroot
dotnet APPLICATION_DLL_NAME.dll
The relevant doc can be found here: https://learn.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images
Note however that the Startup command is not working for Azure Functions (at the time of writing May 19th, 2020). I've opened an issue on Github.
To work around this, I ended up creating custom Docker images:
Dockerfile for a webapp:
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20200502.1
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Dockerfile for an Azure function:
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.13614-appservice
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
I am trying to access https wcf web service from my application using monodevelop in Linux. The web service call is throwing the following exception
SendFailure (Error writing headers) at
System.Net.HttpWebRequest.EndGetRequestStream (IAsyncResult
asyncResult) [0x00043] in
/home/abuild/rpmbuild/BUILD/mono-3.4.0/mcs/class/System/System.Net/HttpWebRequest.cs:845
at
System.ServiceModel.Channels.HttpRequestChannel+c__AnonStorey1.<>m__0
(IAsyncResult r) [0x0001d] in
/home/abuild/rpmbuild/BUILD/mono-3.4.0/mcs/class/System.ServiceModel/System.ServiceModel.Channels/HttpRequestChannel.cs:219.
when I try to load the web service url using https, the Firefox browser is giving a warning:
"This connection is Untrusted"
The certificate(.cer) is generated using Visual Studio 2008 makecert utility.I tried to install certificate using the below commands
certmgr -add -c -m My MyCert.cer
certmgr -ssl https://myserver.com:1200/Monik/TestSvc
But it looks like the certificates are not configured properly. In some of the forums it saying that move the certificate to /etc/httpd/conf . But there is no such folder in my system
Please let me know what I am missing?
Mono handles certificates via mozroots so best thing in your case would probably be to run this:
sudo mozroots --import --machine --sync
sudo certmgr -ssl -m https://myserver.com:1200/Monik/TestSvc
First command will synchronise public root certificates. Second will ask you if you want to trust your server certificate which will be displayed to you after entering command. Type "yes".
I am trying to find out why my HTTPS link is not working for my website:
So I ran this command to try:
curl https://localhost/
I am using a valid signed SSL certificate and my HTTP link is working fine. I am using a Multi Domain certificate that was exported from an IIS 6 server. My instance on AWS has the 443 port enabled.
Here is a picture of my CA certificates:
I have tried to change the http.conf file's Virtual Host following the instructions in here: http://ananthakrishnanravi.wordpress.com/2012/04/15/configuring-ssl-and-https-for-your-website-amazon-ec2/
Is there any suggestions on how to get my website properly working on a HTTPS protocol?
Let me know if you need anymore information.
Thanks,
If you're not sure of the certificate that your web server is serving, you can use this command to view the certificate:
openssl s_client -showcerts -connect hostname.domain.tld:443
Also, the hostname in the certificate must match the site that you are requesting. For example, if you request a page from localhost, but your certificate is for www.yourdomain.com, the certificate check will fail.
This means that you are using a self-signed certificate.
In order for this warning not to appear, you need to purchase a certificate from a Certificate Authority.
If you are using Self Signed SSL certificate then you faced this issue.
For this you can use curl command with -k option.
curl -k https://yourdomain.com/
And if you are trying with Postman that time disable the SSL Certificate option in setting.
I got a same error but not similar to your, but summary here hope useful for others:
OS: CentOS 7
Run Python's pyspider error:
File "/usr/local/lib64/python3.6/site-packages/tornado/concurrent.py", line 238, in result
raise_exc_info(self._exc_info)
File "", line 4, in raise_exc_info
Exception: HTTP 599: Peer's certificate issuer has been marked as not trusted by the user.
root cause and steps to fix:
previously existed a soft link:
/usr/lib64/libcurl.so.4 -> /usr/lib64/libcurl.so.4.3.0_openssl
which is invalid one, so changed to valid:
/usr/lib64/libcurl.so.4 -> /usr/lib64/libcurl.so.4.3.0
while two file is:
-rwxr-xr-x 1 root root 435192 Nov 5 2018 /usr/lib64/libcurl.so.4.3.0
-rwxr-xr-x 1 root root 399304 May 10 09:20 /usr/lib64/libcurl.so.4.3.0_openssl
then for pyspider reinstall pycurl:
pip3 uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib;export CPPFLAGS=-I/usr/local/opt/openssl/include;pip install pycurl --compile --no-cache-dir
in which PYCURL_SSL_LIBRARY is nss, due to current curl backend is nss according to
# curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
...
can fix my problem.
I have a situation where the client makes a call through curl to a https url. The SSL certificate of the https url is self signed and therefore curl cannot do certificate validation and fails. curl provides an option -k/--insecure which disables certificate validation.
My question is that on using --insecure option, is the data transfer that is done between client and server encrypted(as it should be for https urls)? I understand the security risk because of certificate validation not being done, but for this question I am only concerned about whether data transfer is encrypted or not.
Yes, the transfered data is still sent encrypted. -k/--insecure will "only make" curl skip certificate validation, it will not turn off SSL all together.
More information regarding the matter is available under the following link:
curl.haxx.se - Details on Server SSL Certificates
It will be encrypted but insecure. If you trust the certificate you should add the certificate to your certificate store instead of connecting insecurely.
macOS:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/new-root-certificate.crt
Ubuntu, Debian:
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
sudo update-ca-certificates
CentOS 6:
yum install ca-certificates
update-ca-trust force-enable
cp foo.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
CentOs 5:
cat foo.crt >>/etc/pki/tls/certs/ca-bundle.crt
Windows:
certutil -addstore -f "ROOT" new-root-certificate.crt