Node-RED and nodemailer - Error: unable to verify the first certificate - node.js

I am trying to make something very basic work and it just isn't working for me. I have a simple Node-RED flow with an inject input node and an email output node:
The properties of the email node look like this:
The error says:
"7/28/2017, 11:43:28 AM node: fname.lname#company.com
msg : error
"Error: unable to verify the first certificate"
I am able to manually send unauthenticated email through this server via telnet. Even if I enter account creds it gives me the same "Error: unable to verify the first certificate".
Am I missing something simple?

I don't have enough reputation to write a comment, but I am adding this line for the previous reply, somebody might need it,
to bypass this error in Node.js program, type:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

The problem is that the mail server you are connecting to is using SSL and the certificate it is supplying is not signed by one of the trusted CAs built into the Node.JS implementation you are using.
I'm guessing it's a self signed certificate.
The Error says that Node.JS can not verify the first certificate in the presented chain.
My best guess is that Nodemailer (which is used under the covers by the email node) is seeing the STARTTLS option listed when it sends the EHLO command as it starts the connection to the mail server and is trying to upgrade the connection to one that is secure.
While I really wouldn't normally recommend this, you can turn off Node.JS's cert checking by exporting the following environment variable before starting Node-RED:
NODE_TLS_REJECT_UNAUTHORIZED=0
This turns off ALL certificate checking, so you are open to man in the middle attacks for any TLS/SSL connection made from Node-RED.
The real solution here is to get a proper certificate for the mail server, maybe something from the letsencrypt project especially if this mail server is internet facing in any way.
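An added example (not part of the original answers, and not Node-RED or Nodemailer code): instead of switching verification off process-wide, trust only the CA that signed the mail server's certificate and keep `rejectUnauthorized` on. The host name `mail.example.internal` is hypothetical, and a built-in root stands in for the mail server's CA file so the sample runs offline.

```javascript
'use strict';
const tls = require('tls');
const { X509Certificate } = require('crypto');

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Parse every certificate in a PEM bundle. Throws on an empty or malformed
// bundle and on a CA certificate that has already expired at time `now`.
function loadCaBundle(pem, now = Date.now()) {
  const blocks = pem.match(PEM_CERT) || [];
  if (blocks.length === 0) throw new Error('no certificate found in bundle');
  return blocks.map((block) => {
    const cert = new X509Certificate(block);
    if (Date.parse(cert.validTo) < now) {
      throw new Error(`CA certificate expired: ${cert.subject}`);
    }
    return block;
  });
}

// TLS options that add the private CA to Node's built-in roots.
// Passing `ca` replaces the default list, so the built-ins are re-added.
function scopedTlsOptions(caPem, servername, now) {
  return {
    ca: [...tls.rootCertificates, ...loadCaBundle(caPem, now)],
    servername,
    rejectUnauthorized: true,
  };
}

// Fail closed if verification was switched off for the whole process.
function assertVerificationEnabled(env = process.env) {
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables all certificate checks');
  }
  return true;
}

// Constructed sample: a built-in root plays the role of the private CA file.
// The clock is pinned to 0 so the expiry check is deterministic here.
const sampleCa = tls.rootCertificates[0];
const sampleOptions = scopedTlsOptions(sampleCa, 'mail.example.internal', 0);
console.log(sampleOptions.ca.length, sampleOptions.rejectUnauthorized);
```

The resulting object can be passed as Nodemailer's `tls` transport option. Where the calling code cannot be changed, as with the Node-RED email node, starting Node with the `NODE_EXTRA_CA_CERTS` environment variable pointing at the CA file adds it to the built-in roots without turning verification off.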

Related

How to Add certificate verification in python 3 on Ubuntu

I am trying to use hash-buster and making requests from my server to the databases of hash-buster.
and each time I get this error:
Hash function : MD5
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:849: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning
I am new to Python 3 and also to Ubuntu (19.04). Please help me with adding a certificate on my server; actually I need a step by step guide to install and activate it (or whatever).
I found my certificates on my server: (etc/ssl/certs/ca-certificates.crt). Is it possible to use my own certificates?
I hope my question is clear, please feel free to ask me questions to make it clearer.
I am trying to use hash-buster....
I'm assuming that you mean this project.
... Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. ...
The code contains the following line, which probably is the reason for this warning:
response = requests.get('https://www.nitrxgen.net/md5db/' + hashvalue, verify=False).text
So it is explicitly disabling certificate validation here with verify=False. Given that there are other HTTPS requests in the code and this one is the only one with certificate validation disabled, it is likely to work around a problem with the site.
And the SSLLabs report for www.nitrxgen.net shows that the site is not properly configured:
This server's certificate chain is incomplete. Grade capped to B.
This incomplete certificate chain causes requests to fail. To work around the broken site one needs to either import the missing chain certificate in the trust store or have it explicitly trusted by the code.
Since there are many similar questions already I don't want to repeat all the details. See for example Python requests SSL error - certificate verify failed, Python Requests getting SSLerror, SSL error with Python requests despite up-to-date dependencies for more.

not able to access organisation's LDAP server through python-ldap

The actual requirement is that I have to achieve LDAP authentication for my organisation's internal web application, which is being built on Django, but I have not been able to do so thus far.
Therefore, I have decided to check if I'm able to establish the connection using the python-ldap module.
The details of the LDAP server that I have:
server1 = dc3.something-software.com
server2 = dc5.something-software.com
and the python code:
import ldap

def main(server="ldap://dc5.something-software.com", who='', cred=""):
    try:
        l = ldap.initialize(server)
        # With the default empty who/cred this is an anonymous bind.
        l.simple_bind_s(who, cred)
        if l:
            print("Successfully connected")
        l.search_s("cn=someone#something-software.com,dc=something-software,dc=com",
                   ldap.SCOPE_SUBTREE)
    except Exception as e:
        print(e)
    return True
and this is giving me the following output
Successfully connected
{'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580'}
implying that I'm actually able to connect to my LDAP but not able to do anything else?
I'm working on a Windows operating system and I have tried the answers suggested for other similar questions, though they've been mostly addressed for *NIX operating systems.
Thanks.
Based on the certificate error in your latest comment above, the directory server's SSL certificate is not trusted. Two solutions -- one is to ignore certificate problems, the second is to establish a trust. Ignoring cert errors is easy but less secure (i.e. I can make myself a cert that says I am yourhost.example.com ... and if you're not checking certificate validity, you'll happily communicate with my fake yourhost.example.com). Establishing the trust takes a little more effort and may create ongoing maintenance. Check the expiry date on the signing server ... you may need to update the CA public key occasionally (some orgs just make 100 year expiring CA certs to avoid this, but some have their CA key renewed every year or five). Either way, you want to add a line before you start tls negotiation (con.start_tls_s).
To ignore certificate errors, add:
con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
To establish a trust with the CA used to sign the directory server's key, you'll need to get the public key used to sign the certificate. Sometimes you can just ask the people who maintain the directory server -- I've got a zipped up copy of mine on a URL I send to people. But, if they don't have it, there are other ways to grab the cert. The OpenSSL client is a good one. Once you have the public key used to sign the directory server cert, use
con.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/CAFile.pem')
Once you do one of these two things, you should be able to start the TLS session successfully.

Correct way to handle "Unable to Get Local Issuer Certificate" in an electron app

A node/electron app gets deployed on the end user's machine. It tries to make an HTTPS request to a server. Depending on the user's network setup, this may work fine, or Node may throw the error "Unable to Get Local Issuer Certificate". As far as I understand, this happens when the client is behind a proxy with SSL interception or something similar.
I know SO and github are full of questions like this. But the only generic "solution" I could find is breaking SSL entirely either at process level:
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0
or at request level:
rejectUnauthorized: "false"
There's also the option to somehow specify the correct certificate when making the HTTP request. But it seems to almost require custom setup for every user and I haven't found any examples of doing it in a generic way.
1. Why is this issue specific to Node apps, while every other app on the computer works fine?
2. Can it be fixed in a general and cross-platform way?

PHP 5.6 certificate verification failure in Joomla

This link describes some options to fix this problem: https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#php-56-certificate-verification-failure
But I simply don't know what to do specifically in Joomla and how to prevent this verification, because I can't set up ssl for my site.
warning:
Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /nfsmnt/hosting1_1/1/b/1bec1745-5e90-43d0-beb1-2d132937948b/domain.com/web/libraries/vendor/phpmailer/phpmailer/class.smtp.php on line 344
What is the sense of this verification, when so many websites don't run ssl?
Piece of code in Joomla library (class.smtp.php)
        // Begin encrypted connection
        if (!stream_socket_enable_crypto(
            $this->smtp_conn,
            true,
            STREAM_CRYPTO_METHOD_TLS_CLIENT
        )) {
            return false;
        }
        return true;
    }
You are missing the point. It's not the site that's using SSL, it's the mail server you are connecting to. For example if you use PHPMailer to send a message via your gmail account, the connection to gmail will be encrypted, regardless of whether your web server is.
The problem you are running into is that the mail server you are using is misconfigured. If it is advertising encryption to inbound connections, it should use a valid certificate. The error will be that the certificate has expired, is a self-signed certificate (and thus can't be trusted), or does not match the host name that you have connected to. The instructions in the guide tell you how to disable these checks, and they should be applied at the point PHPMailer is used, not by altering the library itself. You can find where to do this in the Joomla code base by searching for instances of new PHPMailer and following it with the code that sets the degraded SSL options in the guide. Bear in mind though that this is the wrong way to fix it. If your mail server can't be fixed, use a proper hosting company that knows what it's doing.
As for "not many sites run SSL", that's just not true. All sites should run SSL, but many do not. There is really no excuse not to now that you can get free real certificates with minimal hassle. For more compelling arguments, read this.

Node.js client cert from Windows... how can I tell if the cert is being sent?

I've got a client-side cert secured rest endpoint which works when I hit it via curl using a known cert in Linux-land... That is to say, if I console.log(req.connection.getPeerCertificate()), I see a bunch of stuff. Cool.
... however, when one of my teammates tries to hit the same endpoint from a Windows Machine, req.connection.getPeerCertificate() is an empty object, even though they think they're attaching the cert correctly.
What's the best way to tell if they are, indeed, attaching the cert correctly? How should I go about debugging this?
The docs say:
If the peer does not provide a certificate, [getPeerCertificate] returns null or an empty object.
So you already know that the Windows client is not sending a valid certificate because getPeerCertificate() returns an empty object. Check the authorizationError property for additional information about any client certificate errors that may have occurred.
Debug this by finding out why the client isn't sending a certificate. Are you setting requestCert: true in your server options? Is the client properly configured? Is it sending a certificate that can be validated?
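An added example (not from the original answer) of the debugging approach described above: request a client certificate, let the handshake complete, and report per connection whether no certificate was sent or one was sent but failed verification. The socket objects at the bottom are constructed stand-ins for real `TLSSocket` instances, and the names `diagnoseClientCert` and `requireClientCert` are hypothetical.

```javascript
'use strict';

// Options for https.createServer() while debugging: ask for a client
// certificate but let the handshake finish so the handler can report why
// verification failed. The handler below must then enforce the result.
const debugServerOptions = { requestCert: true, rejectUnauthorized: false };

// Classify the client-certificate state of a TLS socket (req.socket).
function diagnoseClientCert(socket) {
  const cert = socket.getPeerCertificate();
  if (!cert || Object.keys(cert).length === 0) {
    return { status: 'no-certificate', reason: 'client presented no certificate' };
  }
  const who = { subject: cert.subject && cert.subject.CN, fingerprint256: cert.fingerprint256 };
  if (!socket.authorized) {
    return { status: 'untrusted', reason: String(socket.authorizationError), ...who };
  }
  return { status: 'ok', reason: null, ...who };
}

// Request handler guard: log the diagnosis and refuse anything but 'ok'.
function requireClientCert(req, res, log = console.error) {
  const result = diagnoseClientCert(req.socket);
  if (result.status === 'ok') return true;
  log(`client cert rejected: ${result.status} (${result.reason})`);
  res.writeHead(403, { 'Content-Type': 'text/plain' });
  res.end('client certificate required\n');
  return false;
}

// Constructed stand-ins for TLSSocket objects, one per case.
const samples = {
  missing: { authorized: false, authorizationError: null, getPeerCertificate: () => ({}) },
  untrusted: { authorized: false, authorizationError: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
    getPeerCertificate: () => ({ subject: { CN: 'teammate' }, fingerprint256: 'AA:BB' }) },
  trusted: { authorized: true, authorizationError: null,
    getPeerCertificate: () => ({ subject: { CN: 'ci-client' }, fingerprint256: 'CC:DD' }) },
};
for (const [name, sock] of Object.entries(samples)) {
  console.log(name, diagnoseClientCert(sock).status);
}
```

A `no-certificate` result points at the client configuration or a missing `requestCert: true`; an `untrusted` result means the certificate arrived and the `reason` code says why the server's CA list did not validate it.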
