I am trying to import a SSL certificate on Ubuntu 14.04. I have downloaded an SSL certificate using
openssl s_client -showcerts -connect pypi.python.org:443
Afterward, I copied the certificate to /etc/ssl/certs (this is where $SSL_CERT_DIR points to and where my working certificates are). However when I re-run the command
openssl s_client -showcerts -connect pypi.python.org:443
I still get
Verify return code: 20 (unable to get local issuer certificate)
What am I doing wrong?
Related
Description:
Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
The following openssl commands can be used to do a manual test: openssl s_client -connect ip:port -tls1 If the test is successful, then the target support TLSv1
Env:
Nuxt application in dockerfile (same as any other nodejs web application)
To fix this issue either you'll need to add in your nginx conf file:
ssl_protocols TLSv1.2;
don't forget to replace the default configuration in nginx using docker file:
COPY ./nginx/conf.d /etc/nginx/conf.d
this may not solve the issue, if it's the case upgrade your node version (in my case i'm using 16.17.0-alphine)
you can test it locally before deploying running this cmd:
openssl s_client -connect ip:port -tls1 (and openssl s_client -connect ip:port -tls1_1)
should not show your certificate, then run: openssl s_client -connect ip:port -tls1_2
if now you're able to see your certificate only in the second command then you have successfully fixed the issue.
I bought a PositiveSSL Wildcard from https://www.ssls.com/
I have received 3 files a .ca-bundle a .crt and a .p7b.
I configured the certificates with NGINX but I'm getting an error:
"Servers certificate chain is incomplete"
https://www.ssllabs.com/ssltest/analyze.html?d=api.billgun.com
How can I fix this?
Servers certificate chain is incomplete
means you don't have intermediate certificates, certificates have expired or are in wrong order.
It looks like you don't have any intermediate certificates: https://www.sslshopper.com/ssl-checker.html#hostname=https://api.billgun.com/.
When you open your site in a browser you will get green padlock because browsers can download missing intermediate certificates but other tools won't be able to connect ie. curl:
curl -I 'https://api.billgun.com/'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
or openssl:
openssl s_client -connect api.billgun.com:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.billgun.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.billgun.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
The fastest way to generate correct chain is to:
open your site in a browser
click on green padlock and display certificate properties
export every certificate in the chain (in your case, you should get 3 files: -billguncom.crt, COMODORSADomainValidationSecureServerCA.crt, COMODORSACertificationAuthority.crt)
combine the files in order from leaf to root cert:
cat -- -billguncom.crt COMODORSADomainValidationSecureServerCA.crt COMODORSACertificationAuthority.crt > billgun_com.crt
install new cert on server
test nginx cofiguration nginx -t
restart server service nginx restart
There is a tool to automate the procedure of producing a bundle of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver (I'm the author.)
Usage:
cert-chain-resolver -o domain.bundle.pem domain.pem
domain.pem is your input certificate
domain.bundle.pem is the certificate bundle, that you can use in your web server configuration
I generated a certificate in the directory of my Haskell app:
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out certificate.csr
openssl x509 -req -in certificate.csr -signkey key.pem -out certificate.pem
and then I ran my app:
import Network.Wai
import Network.Wai.Handler.Warp
import Servant
import Network.Wai.Handler.WarpTLS
startApp :: IO ()
startApp = do
let port = 3345
let tls = tlsSettings "certificate.csr" "key.pem"
runTLS tls (setPort port defaultSettings) app
And then went to https://localhost:3345 and I got an error "empty certificate chain"
What's wrong with it? Maybe I've put my certificate somewhere such as "/opt/...."?
For now all 3 files are in the root directory of my application: key.pem, certificate.csr and certificate.pem.
UPDATE:
It's arch linux, whereas on hosting I have Ubuntu, therefore I'll need a solution for both.
This certificate is self-signed, whereas on hosting it's issued by let's encrypt.
I've changed a code a bit: "csr" to pem:
let tls = tlsSettings "certificate.pem" "key.pem"
runTLS tls (setPort port defaultSettings) app
Here's another error:
$ curl -v https://localhost:3345
* Rebuilt URL to: https://localhost:3345/
* Trying ::1...
* connect to ::1 port 3345 failed: Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 3345 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
TL;DR: Handling certificates is hard. Use the self-signed .pem file (and the key) and add security exceptions to your browser or your operating system. The .csr file isn't something you can use. The server is fine (except for the .csr file), but you will end up with security warnings till you get your key signed by a CA (which isn't possible for local domain names).
What's wrong with it?
The server is (almost) fine. However, you want to send the .pem file. The .csr is a request for signing your certificate by a certificate authority (CA). A CA needs to get trusted by the user or another CA (that's trusted by the user). Let's have a look at your original commands:
openssl genrsa -out key.pem 2048
This will generate the private key, which will get used for the TLS handshake and other operations.
openssl req -new -key key.pem -out certificate.csr
This will generate the mentioned certificate sigining request. You would send this request to a CA, which checks your identity. For example, they would check whether the FQDN actually is yours. Otherwise, you could ask for a certificate for stackoverflow.com and use a MITM attack. This also concludes that you cannot ask a (non-local) CA for a certificate on a local name, like localhost or hostname.local.domain.name.
openssl x509 -req -in certificate.csr -signkey key.pem -out certificate.pem
This will take the original certificate request, use your own key to sign it, and generate a certificate (certificate.pem). Usually, this certificate contains a CA chain, e.g. who signed the CA's certificate, who signed the certificate of the one that signed the CA's certificate and so on, till we end up at a root certificate.
So, all you have to do is to use that certificate together with your private key. This will lead to security warnings though, since you cannot prove your own identity. That's why you need --insecure in curl and a security exception in most browsers. That aside, it will work. Note that the server doesn't know that its certificate is self-signed. It's just using two files to initiate the communication with the client.
Can somebody let me know how to check my server has VeriSign G5 root certificate installed. I have executed the following command
openssl s_client -connect api-3t.sandbox.paypal.com:443 -showcerts
and it return the following result
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3 . It means my server installed with VeriSign G3 root certificate?
Server : CentOS 5
I always use the socket command line tool to do quick socket tests for programs I'm writing. http://w21.org/jnickelsen/socket/
I was wondering if there was a similar command line tool to set up a quick ssl socket client/server to test things.
Edit: Easy Answer
So to make it easy on people who may wonder the same thing:
If you want to be a client use openssl's s_client:
openssl s_client -connect host:port
If you want to be a server use openssl's s_server:
openssl s_server -accept <port> -key <keyfile> -cert <certfile>
Quick And Dirty cert and key for the server to use for testing:
openssl req -x509 -nodes -days 365 -newkey rsa -keyout keyfile.key -out certfile.crt
Quick SSL Client:
openssl s_client -connect <host>:<port>
Quick SSL Server:
openssl s_server -accept <port>