curl exception 60: Certificate Security api exception - security

Fatal error: Uncaught CurlException: 60: Peer certificate cannot be authenticated with known CA certificates thrown in /home/ldr/public_html/src/base_facebook.php on line 886
See: http://ldr.x10.bz/examples/with_js_sdk.php
I've been getting this error for 2 days now and can't find any information on where it has come from? Why is the certificate known and is there a way for it to be unknown again?
It had been working for months previously, so not sure if the API has just updated but I've deleted everything and just uploaded the PHP SDK 3.1.1 but still no luck :(
I've read about disabling the peer verification but it sounds like a bad idea (plus I know it works with it enabled). Probably accidentally unchecked a box somewhere - any ideas on how to restore it back to normal would be very appreciated :)
Thanks!

Certificates are verified against a truststore somewhere on your system. This truststore should be updated once in a while; e.g. Firefox and Windows do this when updating the software. The error is a bit unclear; it actually means your curl client gets a certificate for which it does not have a trusted (root) certificate.
You may want to visit that site with your favorite up to date browser and save the root certificate somewhere, then create a CA store with that single certificate in it. Of course it will fail if that one gets replaced or if the server chooses another certificate authority.
Possibly updating curl or the OpenSSL library may do the trick, try that first :).
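The answer suggests saving the root certificate the browser shows and building a CA store holding just that one certificate. The tool below is an added example (not the answerer's code or part of the PHP SDK): it splits a PEM bundle such as curl's cacert.pem or /etc/ssl/certs/ca-certificates.crt into individual certificates, prints each one's SHA-256 fingerprint so it can be compared with the fingerprint a browser displays for the root, and writes a single-certificate store for use with curl's --cacert or CURLOPT_CAINFO. The sample bundle embedded in it is constructed (base64 of a few bytes, not real X.509 data); the functions treat the DER as opaque bytes, so a real bundle is handled the same way.

```python
import base64
import hashlib
import re
import sys

# One PEM certificate inside a bundle; the body between the markers is base64 DER.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundle for offline use: the two "certificates" are just
# base64 of b"abc" and b"abcd", not real X.509 data.  The code never decodes
# the DER structure, so a real trust store behaves identically.
SAMPLE_BUNDLE = """\
# constructed sample, not a real trust store
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJjZA==
-----END CERTIFICATE-----
"""


def fingerprint(der):
    """SHA-256 over the DER bytes, in the colon-separated form browsers display."""
    hexed = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def split_pem_bundle(text):
    """Return [(pem_block, sha256_fingerprint), ...] for every certificate in text."""
    certs = []
    for body in _PEM_RE.findall(text):
        lines = body.split()
        der = base64.b64decode("".join(lines))
        pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
               + "\n-----END CERTIFICATE-----\n")
        certs.append((pem, fingerprint(der)))
    return certs


def find_cert(bundle_text, wanted_fingerprint):
    """The PEM block whose fingerprint matches (case and colons ignored), or None."""
    wanted = wanted_fingerprint.replace(":", "").upper()
    for pem, fp in split_pem_bundle(bundle_text):
        if fp.replace(":", "") == wanted:
            return pem
    return None


def write_single_ca_store(bundle_text, wanted_fingerprint, out_path):
    """Write a CA store holding only the selected root (for curl --cacert / CURLOPT_CAINFO).

    Refuses to write when the root is absent: an empty store would silently make
    every TLS connection fail with the same error 60 the question reports."""
    pem = find_cert(bundle_text, wanted_fingerprint)
    if pem is None:
        raise LookupError("no certificate with fingerprint %s in bundle" % wanted_fingerprint)
    with open(out_path, "w") as fh:
        fh.write(pem)
    return out_path


if __name__ == "__main__":
    # Usage: python pem_bundle.py [/etc/ssl/certs/ca-certificates.crt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for _, fp in split_pem_bundle(text):
        print(fp)
```

Running it against the real bundle lists one fingerprint per root; if the fingerprint shown by the browser for the site's root is not in that list, the store is outdated and updating the ca-certificates package (or curl's bundle) is the fix rather than disabling verification.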

Related

How to Add certificate verification in python 3 on Ubuntu

I am trying to use hash-buster and making requests from my server to hash-buster's databases, and each time I get this error:
Hash function : MD5
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:849: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning
I am new to Python 3 and also to Ubuntu (19.04). Please help me with adding a certificate on my server; actually I need a step-by-step guide to install and activate it (or whatever).
I found my certifications on my server: (etc/ssl/certs/ca-certificates.crt). Is it possible to use my own certifications?
I hope my question is clear, please feel free to ask me questions to make it clearer.
I am trying to use hash-buster....
I'm assuming that you mean this project.
... Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. ...
The code contains the following line, which probably is the reason for this warning:
response = requests.get('https://www.nitrxgen.net/md5db/' + hashvalue, verify=False).text
So it is explicitly disabling certificate validation here with verify=False. Given that there are other HTTPS requests in the code and this one is the only one with certificate validation disabled, it is likely to work around a problem with the site.
And, the SSLLabs report for www.nitrxgen.net shows that the site is not properly configured:
This server's certificate chain is incomplete. Grade capped to B.
This incomplete certificate chain causes requests to fail. To work around the broken site one needs to either import the missing chain certificate in the trust store or have it explicitly trusted by the code.
Since there are many similar questions already I don't want to repeat all the details. See for example Python requests SSL error - certificate verify failed, Python Requests getting SSLerror, SSL error with Python requests despite up-to-date dependencies for more.

not able to access organisation's LDAP server through python-ldap

The actual requirement is that I have to achieve LDAP authentication for my organisation's internal web application, which is being built on Django, but I have not been able to do so so far.
Therefore, I have decided to check if I'm able to establish the connection using the python-ldap module.
The details of the LDAP server that I have:
server1 = dc3.something-software.com
server2 = dc5.something-software.com
and the python code:
import ldap


def main(server="ldap://dc5.something-software.com", who='', cred=""):
    try:
        l = ldap.initialize(server)
        # empty who/cred means this is an anonymous simple bind
        l.simple_bind_s(who, cred)
        if l:
            print("Successfully connected")
        l.search_s("cn=someone#something-software.com,dc=something-software,dc=com",
                   ldap.SCOPE_SUBTREE)
    except Exception as e:
        print(e)
    return True
and this is giving me the following output
Successfully connected
{'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580'}
implying that I'm actually able to connect to my LDAP but not able to do anything else?
I'm working on a Windows operating system and I have tried the answers suggested for other similar questions, though they've been mostly addressed for *NIX operating systems.
Thanks.
Based on the certificate error in your latest comment above, the directory server's SSL certificate is not trusted. Two solutions -- one is to ignore certificate problems, the second is to establish a trust. Ignoring cert errors is easy but less secure (i.e. I can make myself a cert that says I am yourhost.example.com ... and if you're not checking certificate validity, you'll happily communicate with my fake yourhost.example.com). Establishing the trust takes a little more effort and may create ongoing maintenance. Check the expiry date on the signing server ... you may need to update the CA public key occasionally (some orgs just make 100 year expiring CA certs to avoid this, but some have their CA key renewed every year or five). Either way, you want to add a line before you start tls negotiation (con.start_tls_s).
To ignore certificate errors, add:
con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
To establish a trust with the CA used to sign the directory server's key, you'll need to get the public key used to sign the certificate. Sometimes you can just ask the people who maintain the directory server -- I've got a zipped up copy of mine on a URL I send to people. But, if they don't have it, there are other ways to grab the cert. The OpenSSL client is a good one. Once you have the public key used to sign the directory server cert, use
con.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/CAFile.pem')
Once you do one of these two things, you should be able to start the TLS session successfully.

CouchDB 3.1 Installer - unknown publisher

I have just gone to https://couchdb.apache.org/ to get the latest CouchDB binary (upgrading from 2.2).
However, the download link redirects me to an organisation called Neighbourhoodie - a CouchDB services & consultancy firm (which was unexpected, but understandable as I know the installations may be served from mirrors).
When I ran the installer I got a warning from Windows that the binary is from an 'Unknown Publisher'.
I can't find a contact point on the CouchDB site to ask a question like this.
The unexpected redirect coupled with the Unknown Publisher have made me nervous - how can I know that it's safe to proceed with the upgrade?
You can verify that the CouchDB contributors who sign public releases believed this binary is correct for Windows users by comparing the site, sha1 and md5 sums they gave in an issue. Neither a sha1 nor an md5 alone is secure, but I think it would be exceedingly hard to find an attack that simultaneously works for both.
Also, if you download the gpg signature, binary and the https://downloads.apache.org/couchdb/KEYS you can verify that this signer is the same signer using the same key recognized on the apache download site. Using their trust is similar to tofu, you trust the channel with https and it trusts this key, so now you trust the key on another channel.
On linux/mac this looks like:
(verify you obtain keys over ssl from apache, then:)
$ gpg --import KEYS.txt
...
gpg: key CDE711289384AE37: "**** (CODE SIGNING KEY) <****#apache.org>"
(download a sig and file from official downloads.apache.org site and verify + add your "tofu" trust in this key)
$ gpg --trusted-key CDE711289384AE37 --verify apache-couchdb-3.1.1.tar.gz.asc
(your gpg now trusts this key for new binaries)
$ gpg --verify apache-couchdb-3.1.0.msi.asc
(If the official KEYS file changes you would want to delete this trust and do the same process again:)
$ gpg --delete-key CDE711289384AE37
and windows gpg should look similar, maybe with / in place of --, etc.
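The first part of the answer relies on comparing the published sha1 and md5 sums, with the point that a forgery would have to collide both at once. The script below is an added example (not the answerer's or the CouchDB project's code) that checks a downloaded file against every digest line published for it, in the usual sha1sum/md5sum/sha256sum "<hex> <filename>" layout, and only reports success when all of them match. The checksum text embedded in it is constructed: it holds the digests of the three-byte content b"abc" under a made-up file name, so the logic can be exercised offline.

```python
import hashlib
import re

# Digest hex length -> hashlib algorithm; lets one file carry md5, sha1 and
# sha256 lines side by side, as release issues often do.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{32,128})\s+\*?(\S+)\s*$")

# Constructed sample: the md5/sha1/sha256 of b"abc", attributed to a made-up file.
SAMPLE_CHECKSUMS = """\
# constructed sample checksum listing, not from a real release
900150983cd24fb0d6963f7d28e17f72  example-installer.msi
a9993e364706816aba3e25717850c26c9cd0d89d  example-installer.msi
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-installer.msi
"""


def parse_checksum_lines(text):
    """Return {filename: {algo: hexdigest}}; lines that are not checksums are ignored."""
    expected = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None:
            continue
        expected.setdefault(name, {})[algo] = digest
    return expected


def verify_bytes(data, expected_digests):
    """Compare data against every published digest; returns {algo: matched}.

    Every entry has to match: forging a file that collides one weak digest
    (md5 or sha1) is not enough when the others are checked as well."""
    return {algo: hashlib.new(algo, data).hexdigest() == hexdigest
            for algo, hexdigest in expected_digests.items()}


def verify_file(path, expected_digests):
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), expected_digests)


def all_match(results):
    """True only when at least one digest was checked and none failed."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Usage: python check_sums.py <downloaded-file> <checksum-listing.txt>
    import os
    import sys
    listing = parse_checksum_lines(open(sys.argv[2]).read())
    results = verify_file(sys.argv[1], listing.get(os.path.basename(sys.argv[1]), {}))
    print("OK" if all_match(results) else "MISMATCH", results)
```

Checksums only prove the download matches what the issue author saw; the gpg signature check in the answer above is what ties the file to a release-signing key listed in the KEYS file served over HTTPS by apache.org, so use both.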

x509: certificate signed by unknown authority PANIC: Failed to register this runner

ERROR: Registering runner... failed
runner=J4DBd8we
status=couldn't execute POST against https://tarun-labs.local/api/v4/runners:
Post https://tarun-labs.local/api/v4/runners: x509:
certificate signed by unknown authority PANIC:
Failed to register this runner
Hi, I am facing the same problem and tried searching many forums for answers and didn't get any solution yet. The config.toml file location is not clear, as the one I saw is not the right one I think. It is in the /gitlab-runner folder and shows only 3 parameters: [Concurrent][check Interval] and [Session Server]. So no way I can change any value. As I am registering the runner, the [runners] tab is not expected to be there.
I am trying this on a home lab, therefore do we need a "single" self-signed certificate or need to have a CA certificate as well? Not clear [Full Chain? or only CA+Server Cert]. I am using a home lab so cannot arrange a certificate from a Public CA.
Also is there a way I can skip this error by bypassing SSL? I have seen tls verify or ssl verify option to be set to no.. Where to put that is not clear or mentioned in any forum whatsoever.
This should be common problem for many as fresh installation does not give you any runner to begin with so everyone should be doing these steps. Please help anyone?
From the GitLab documentation:
GitLab Runner reads the PEM certificate (DER format is not supported) from a predefined file:
1 - /etc/gitlab-runner/certs/hostname.crt on *nix systems when GitLab Runner is executed as root.
2 - ~/.gitlab-runner/certs/hostname.crt on *nix systems when GitLab Runner is executed as non-root.
3 - ./certs/hostname.crt on other systems. If running Runner as a Windows service, this will not work. Use the last option instead.
If your server address is: https://my.gitlab.server.com:8443/, create the certificate file at: /etc/gitlab-runner/certs/my.gitlab.server.com.crt. To verify that the file looks correct, you can use a tool like openssl.
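The three rules above boil down to: take the hostname out of the GitLab URL (scheme, port and path dropped), append .crt, and put the file in the directory that matches how the runner runs; and the file must be PEM, not DER. The helper below is an added example, not GitLab's code, that derives the expected path for a URL and classifies the bytes of a candidate file so a DER export is caught before the runner silently ignores it. The assumption behind the DER check is the ASN.1 encoding itself: an X.509 certificate is a SEQUENCE, so a DER file starts with byte 0x30.

```python
import os
from urllib.parse import urlsplit


def runner_cert_path(gitlab_url, system="nix", run_as_root=True):
    """Where GitLab Runner expects the server certificate, per the three rules quoted above.

    Only the hostname is used, so https://my.gitlab.server.com:8443/ maps to
    my.gitlab.server.com.crt.  system="nix" covers rules 1 and 2; any other
    value selects rule 3 (./certs/ relative to the working directory)."""
    host = urlsplit(gitlab_url).hostname
    if not host:
        raise ValueError("no hostname in %r (did you forget the https:// scheme?)" % (gitlab_url,))
    filename = host + ".crt"
    if system != "nix":
        return "./certs/" + filename                              # rule 3
    if run_as_root:
        return "/etc/gitlab-runner/certs/" + filename             # rule 1
    return os.path.expanduser("~/.gitlab-runner/certs/" + filename)  # rule 2


def cert_file_format(data):
    """'pem' if the file is what the runner reads, 'der' for the unsupported
    binary form, else 'unknown'.  A DER certificate begins with the ASN.1
    SEQUENCE tag 0x30; convert it with: openssl x509 -inform der -in cert.der -out cert.crt"""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def check_runner_cert(gitlab_url, system="nix", run_as_root=True):
    """Return (path, status) where status is 'missing', 'pem', 'der' or 'unknown'."""
    path = runner_cert_path(gitlab_url, system, run_as_root)
    if not os.path.exists(path):
        return path, "missing"
    with open(path, "rb") as fh:
        return path, cert_file_format(fh.read())


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://my.gitlab.server.com:8443/"
    print(check_runner_cert(url))
```

For a home lab with a private CA, the file placed at that path should be the CA certificate (or the full chain) that signed the GitLab server's certificate, in PEM form; the script reports "der" when a binary export was copied there by mistake.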

IIS TLS Certificate - Chrome says we are using "obsolete cryptography"

We have installed a server certificate in IIS for a website. When browsing over HTTPS to the website and inspecting the icon using chrome, we get a message "Your connection ... is encrypted with obsolete cryptography".
How do I configure IIS so that Chrome stops displaying this message, also need to balance the need to support IE>=8.
[EDIT]: As per the screenshot, we can see that the encryption method used is "AES_256_CBC with SHA1 for message authentication". The question is how do we change this in IIS so that Chrome no longer complains about "Obsolete Cryptography".
The answer Steffen gave is incorrect (although the link he provided does provide the answer if you read further down). The reason Chrome gives the error regarding obsolete cryptography in this case is due to AES in CBC mode.
It has nothing to do with having a SHA-1 certificate.
The TL;DR - ignore this error, it doesn't matter.
If you really want to get rid of the error then you need to enable AES GCM instead. However this is easier said than done. I answered this in full on serverfault recently - see the second half of my answer here:
https://serverfault.com/questions/683697/change-key-exchange-mechanism-in-iis-8/683705#683705
Since I am new to SSL and certificates, I struggled with this too. Here's how we solved this issue. Note that in our case, we are working with an internal web application and use a self-signed certificate.
Using OpenSSL on Linux, create a private key:
openssl genrsa -out box.key 2048
Then create and sign a certificate with the key (we set the expire date for a year out and 10 days):
openssl req -new -x509 -sha256 -days 375 -key box.key -out box.crt
Answer the questions (make sure the Common Name matches the web server's FQDN)
Configure your web server to use SSL using this key and certificate
Using Chrome on Windows, enter your website's HTTPS URL
Click on the lock icon in the address bar, then select the Certificate Information link in the popup
Go to the Details tab, select the Copy to File... button to launch the Certificate Export Wizard
Using the wizard, select PKCS #7 as the export format, and save the certificate (e.g. mykey.p7b)
Install the certificate in the Trusted Root Certification Authorities certificate store (use certmgr.msc or right click on the certificate and select Install Certificate)
Close Chrome, logout and re-login to Windows (force the old site warning out of the cache)
Re-open Chrome and enter your website's HTTPS URL
Admire your shiny green lock icon with modern cryptography
You might want to read https://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome, which was the first hit when looking for this specific error message.
It is hard to know for sure without having a look at your certificate, but I guess the following description from the linked page will match your certificate:
SHA-1 is deprecated in Chrome at the start of 2015.
Certificates expiring in 2016 will be marked as "secure, but with minor errors".
Certificates expiring in 2017 or later will be treated as "affirmatively insecure".
To answer my own question:
Ensure latest Windows Updates have been installed
Download and run IIS Crypto (https://www.nartac.com/Products/IISCrypto)
Ensure that this Cipher is top of the list on the left hand side:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Apply changes in IIS Crypto
Restart the server
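The answers disagree about what Chrome is objecting to, and the accepted fix (putting TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 at the top of the list) happens to satisfy both of Chrome's criteria from the chromium.org page linked above: an AEAD bulk cipher (GCM or ChaCha20 rather than CBC) and a forward-secret key exchange (ECDHE or DHE rather than static RSA). The classifier below is an added example, not from IIS Crypto or any of the answerers, that applies those two rules to cipher suite names in either IANA form (as IIS Crypto lists them) or OpenSSL form, and can audit the local OpenSSL client's cipher list so the same check can be run on non-IIS servers such as the Glassfish case mentioned further down. The marker lists are assumptions about naming conventions, not an official table.

```python
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")        # AEAD bulk ciphers
PFS_MARKERS = ("ECDHE", "DHE")                    # ephemeral key exchange
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")    # TLS 1.3 suites: always AEAD + PFS


def classify_cipher(name):
    """Classify one cipher suite by the two properties behind Chrome's
    "obsolete cryptography" note: AEAD cipher and forward-secret key exchange.

    Works for IANA names (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL
    names (ECDHE-RSA-AES128-GCM-SHA256).  OpenSSL names omit "CBC", so any
    suite without an AEAD marker is treated as non-AEAD (CBC, RC4 or 3DES)."""
    upper = name.upper().replace("-", "_")
    tls13 = upper.startswith(TLS13_PREFIXES)
    aead = tls13 or any(m in upper for m in AEAD_MARKERS)
    pfs = tls13 or any(m in upper for m in PFS_MARKERS)
    reasons = []
    if not aead:
        reasons.append("non-AEAD bulk cipher (CBC/RC4/3DES)")
    if not pfs:
        reasons.append("static RSA key exchange, no forward secrecy")
    return {
        "name": name,
        "aead": aead,
        "forward_secrecy": pfs,
        "obsolete": not (aead and pfs),
        "reason": "; ".join(reasons) or "modern",
    }


def audit_cipher_list(names):
    """Split an ordered cipher list into (modern, obsolete), keeping order so
    it is obvious whether a modern suite sits at the top as the answer advises."""
    modern, obsolete = [], []
    for n in names:
        (obsolete if classify_cipher(n)["obsolete"] else modern).append(n)
    return modern, obsolete


def audit_local_openssl():
    """Audit the cipher list of this machine's default OpenSSL client context."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return audit_cipher_list(names)


if __name__ == "__main__":
    modern, obsolete = audit_local_openssl()
    print("modern:", len(modern), "obsolete:", len(obsolete))
    for n in obsolete:
        print("  ", n, "->", classify_cipher(n)["reason"])
```

The "AES_256_CBC with SHA1" from the screenshot classifies as obsolete on the cipher axis whatever the key exchange was, which matches the first answer; a suite such as TLS_RSA_WITH_AES_128_GCM_SHA256 would still be flagged for lacking forward secrecy, which is why the DHE or ECDHE GCM suites are the ones to move to the top.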
In this link there is a blacklist and a whitelist of ciphers. Maybe if you just use the white ones it would solve your problem. Look at the lists in the comments; you will see that it has changed a little since the answer was written.
It helped me a lot when I started to have this problem with Glassfish, I hope it helps you with IIS too.
