Discussion:
ssl/certificate issue for website
bruce
2013-11-01 15:01:10 UTC
hi.

trying to do a simple curl for the college site
curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L
https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv

* About to connect() to isiscc.smc.edu port 443 (#0)
* Trying 207.151.69.31... connected
* Connected to isiscc.smc.edu (207.151.69.31) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
International Server CA - G3,OU=Terms of use at
https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
Network,O="VeriSign, Inc.",C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

I've gotten this on a number of different os/systems.


any thoughts??

ps. also tried using wget and still can't access it..

thanks
Chris Adams
2013-11-01 15:15:04 UTC
Post by bruce
hi.
trying to do a simple curl for the college site
curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L
https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv
They have a VeriSign-signed SSL cert, but they probably didn't follow
the directions and install the intermediate cert correctly (it might
work in Firefox because it includes more CA certs). Only the server
admins for isiscc.smc.edu can fix that.

Until they get it fixed, you can bypass cert validation with the
"--insecure" option to curl or the "--no-check-certificate" option to
wget. It isn't recommended because it defeats the purpose of SSL.
--
Chris Adams <linux at cmadams.net>
bruce
2013-11-01 16:22:51 UTC
hmm...

not sure the "--insecure -k" option is the right/best approach for
this. although it does work..

As far as I can tell, it should be possible to download the "pem"/cert
from the site, via FF, and to then use this data in the curl..

However, I can't quite get this to work correctly. Might be user error.

Here's what I've done so far.

the base curl cmd is:
curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" --cookie-jar
wayne.lwp --cookie wayne.lwp -L
"https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791" -vvv

running on fedora/centos as test systems

1) inserted the base site
https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 into the
FF address bar.
2) selected the "lock" at the left of the address bar, to get the cert/data
3) did an export of the pem/cert data. -[not the chain]
4) as far as I can tell, from the debug "-vvv" output,
----* Initializing NSS with certpath: /etc/pki/nssdb
----* CAfile: /etc/pki/tls/certs/ca-bundle.crt
the ca-bundle is the file with the certs.

I then copied the data from the foo.pem that I got from the smc
site/pem and added the results to the end of the ca-bundle.crt file

I then reran the curl cmd, and got the same errors I got before..

So 1) Is the pem file I downloaded, the correct cert file for the
site, and 2) Is the ca-bundle.crt file the correct file to append the
data to/in. Or is there some different file that I should be doing the
insertion of the downloaded pem/cert data.

Once all of this works, I'll place this in stackoverflow for others!

thanks
--
users mailing list
users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Michael Cronenworth
2013-11-01 17:13:06 UTC
Post by bruce
As far as I can tell, it should be possible to download the "pem"/cert
from the site, via FF, and to then use this data in the curl..
However, I can't quite get this to work correctly. Might be user error.
Here's what I've done so far.
[snip]

Actually what you want is the CA cert. Firefox has it.

In Firefox you can export the "VeriSign Class 3 International Server CA - G3"
cert and specify it at your command line:

curl [previous options] --cacert verisign.pem
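The three situations discussed in this thread (Chris's diagnosis that the server does not send its intermediate, bruce's attempt to append the site's own cert to the trust store, and Michael's fix of handing the intermediate to curl with --cacert) can be reproduced offline. The script below is an added example, not code from the thread or from curl; it uses openssl to build a throwaway root -> intermediate -> leaf chain in a temporary directory (all subject names are made up) and then verifies the leaf against each trust configuration. One caveat it has to account for: the thread's curl is built on NSS, which accepts the non-root cert given with --cacert as a trust anchor, whereas openssl verify only does so with -partial_chain, so that flag is used for the last case.

```shell
#!/bin/sh
# Added example (not from the thread): model the trust situations discussed
# above with a private, constructed certificate chain. No network is used.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build: self-signed root -> intermediate CA -> server leaf.
# The intermediate stands in for "VeriSign Class 3 International Server CA - G3",
# the leaf for the college's server certificate.
make_chain() {
    # Minimal req config so this also works where no default openssl.cnf exists.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=Example Root CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >root.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config root.cnf \
        -keyout root.key -out root.pem >/dev/null 2>&1

    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' >req.cnf
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Example Intermediate CA" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >inter.ext
    openssl x509 -req -days 30 -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile inter.ext -out inter.pem >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=www.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >leaf.ext
    openssl x509 -req -days 30 -in leaf.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# verify_leaf TRUSTFILE [UNTRUSTEDFILE] [EXTRA_FLAGS]
# Returns 0 when openssl accepts leaf.pem with TRUSTFILE as the anchor set.
# UNTRUSTEDFILE plays the role of the extra certs a server sends with its own.
verify_leaf() {
    trust=$1; untrusted=${2:-}; extra=${3:-}
    if [ -n "$untrusted" ]; then
        # $extra is deliberately unquoted: it carries zero or more flags.
        out=$(openssl verify $extra -CAfile "$trust" -untrusted "$untrusted" leaf.pem 2>&1 || true)
    else
        out=$(openssl verify $extra -CAfile "$trust" leaf.pem 2>&1 || true)
    fi
    # Match the text rather than the exit code: old "openssl verify" releases
    # exited 0 even when validation failed.
    case $out in *"leaf.pem: OK"*) return 0 ;; *) return 1 ;; esac
}

show() {
    label=$1; shift
    if verify_leaf "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}

make_chain
show "root trusted, leaf sent alone (intermediate not installed on the server)" root.pem
show "root trusted, server sends leaf plus intermediate" root.pem inter.pem
show "site's own leaf appended to the trust store" leaf.pem
show "intermediate given as the trust anchor (curl --cacert; openssl needs -partial_chain)" inter.pem "" -partial_chain
```

The second line is what a correctly configured server gives you for free; the first is what bruce's -vvv output shows. The third line is why appending the downloaded cert to ca-bundle.crt changed nothing: a validator needs the issuer, not another copy of the thing it is trying to validate.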
bruce
2013-11-01 18:02:46 UTC
Hey Michael!!

Ok.

I tried to extract the pem as you suggested, placed it in a diff dir..
it works...

So I've got a couple of questions... How did you know which cert/pem
file to extract? Why didn't my attempt at getting the cert from the
"lock" of the url/address for the smc.edu site not work?

Also, any idea what I can do regarding the access/path errors I mentioned...

thanks

you 'da man!
Michael Cronenworth
2013-11-01 20:12:52 UTC
Post by bruce
I tried to extract the pem as you suggested, placed it in a diff dir..
it works...
So I've got a couple of questions... How did you know which cert/pem
file to extract? Why didn't my attempt at getting the cert from the
"lock" of the url/address for the smc.edu site not work?
I read the "Issued By" line:
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
International Server CA - G3,OU=Terms of use at
https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
Network,O="VeriSign, Inc.",C=US'

You downloaded the client certificate that is signed by the CA certificate. In
order for curl/NSS to validate the client certificate it needs the CA
certificate and not the client certificate.
Post by bruce
Also, any idea what I can do regarding the access/path errors I mentioned...
In regards to your private mail, I do not know why you are seeing errors. You
may have damaged the cert databases in /etc/pki/nssdb, which are empty by
default, but are still used during CA checking.

You can verify the ca-bundle is unharmed by running "rpm -qV ca-certificates".
Nothing should print to your terminal if it verifies successfully.
bruce
2013-11-01 20:30:24 UTC
ooopps...

when I run rpm -qV ca-certificates

I get

rpm -qV ca-certificates
S.5....T. c /etc/pki/tls/certs/ca-bundle.crt

when I try to do yum erase ca-certificates.. yum offers to remove a
bunch of things!!

[root at dell-1 parseapp2]# rpm -e ca-certificates
error: Failed dependencies:
ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.x86_64
ca-certificates is needed by (installed) neon-0.29.3-1.fc13.x86_64
ca-certificates is needed by (installed)
java-1.6.0-openjdk-1:1.6.0.0-51.1.8.8.fc13.x86_64
ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.i686
ca-certificates is needed by (installed) libpurple-2.7.11-1.fc13.x86_64
ca-certificates >= 2008-5 is needed by (installed)
openssl-1.0.0d-1.fc13.x86_64
ca-certificates >= 2008-5 is needed by (installed)
openssl-1.0.0d-1.fc13.i686

thoughts??

thanks
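The rpm -qV line bruce posted is itself the answer to what went wrong: the nine-character field lists which attributes of /etc/pki/tls/certs/ca-bundle.crt no longer match the package, and "S", "5" and "T" mean size, digest and mtime, exactly what appending a cert to the file does. The following Python script is an added example, not code from the thread or from rpm; it decodes rpm -qV output and singles out trust-store files whose content has changed. The first sample line is bruce's; the other two are constructed to show a metadata-only change and a missing file, and the trust-store directory list is an assumption taken from the -vvv output earlier in the thread.

```python
"""Added example (not from the thread): decode "rpm -qV" output so a modified
trust store is recognised for what it is."""
import re

# Attribute tested at each of the nine flag positions, in print order.
ATTRS = (
    ("S", "size"), ("M", "mode"), ("5", "digest"), ("D", "device"),
    ("L", "symlink target"), ("U", "owner"), ("G", "group"),
    ("T", "mtime"), ("P", "capabilities"),
)
FILE_TYPES = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}

# Nine flag characters or the word "missing", an optional file-type letter,
# then the absolute path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Assumption: directories holding the CA material curl/NSS consult, taken from
# the thread's -vvv output (CAfile and the NSS db).
TRUST_DIRS = ("/etc/pki/tls/certs/", "/etc/pki/nssdb/")


def parse_verify_line(line):
    """Return a dict describing one rpm -qV line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    if flags == "missing":
        changed, unknown = [], []
    else:
        changed = [name for (code, name), got in zip(ATTRS, flags) if got == code]
        unknown = [name for (code, name), got in zip(ATTRS, flags) if got == "?"]
    return {
        "path": m.group("path"),
        "file_type": FILE_TYPES.get(m.group("type") or "", "regular"),
        "changed": changed,
        "unknown": unknown,   # "?" means rpm could not perform that test
        "missing": flags == "missing",
    }


def parse_verify_output(text):
    return [r for r in (parse_verify_line(ln) for ln in text.splitlines()) if r]


def content_modified(record):
    """True when the file's bytes differ from the package, not just its metadata."""
    return record["missing"] or "digest" in record["changed"] or "size" in record["changed"]


def trust_store_changes(records):
    """Paths under the trust directories whose content no longer matches the package."""
    return [r["path"] for r in records
            if r["path"].startswith(TRUST_DIRS) and content_modified(r)]


def explain(record):
    if record["missing"]:
        return f"{record['path']}: file is missing"
    what = ", ".join(record["changed"]) or "nothing"
    note = " (config file: rpm tolerates local edits, but here they are trust anchors)" \
        if record["file_type"] == "config" else ""
    return f"{record['path']}: {what} changed{note}"


# Constructed sample: line 1 is from the thread, lines 2 and 3 are made up.
SAMPLE = """\
S.5....T. c /etc/pki/tls/certs/ca-bundle.crt
.M.......   /usr/bin/update-ca-trust
missing   c /etc/pki/nssdb/cert8.db
"""

if __name__ == "__main__":
    recs = parse_verify_output(SAMPLE)
    for r in recs:
        print(explain(r))
    print("trust store content changed:", trust_store_changes(recs))
```

Running "rpm -qV ca-certificates" after "yum reinstall ca-certificates" should print nothing at all, which is the clean state Michael describes; any line this parser flags under the trust directories means the anchors curl and NSS rely on are not the ones the distribution shipped.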
Michael Cronenworth
2013-11-02 00:36:02 UTC
Post by bruce
rpm -qV ca-certificates
S.5....T. c /etc/pki/tls/certs/ca-bundle.crt
when I try to do yum erase ca-certificates.. yum offers to remove a
bunch of things!!
# yum reinstall ca-certificates
Reindl Harald
2013-11-01 20:33:09 UTC
why in the world would anybody want to remove it?
this has clearly dependency impact

"yum reinstall ca-certificates" is your friend