Jenkins Certificate Installation: ERR_SSL_VERSION_OR_CIPHER_MISMATCH - jenkins

ERR_SSL_VERSION_OR_CIPHER_MISMATCH -
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite
All I could find online regarding this error is that this may relate to RSA/DSA. I've checked this out and could not find any conflicts so I'm not sure why the error still occurs. I am using keytool to install this certificate on a Jenkins server. How can I resolve this error and install my certificate?

Related

How to get serverless framework to use CA Cert

I'm on a corporate network. Said network requires a ca certificate for all encrypted transmissions.
I make this work using NPM by npm config set cafile /path/to/cerrname.pem
When I attempt to run serverless (or sls) commands of any kind I get
Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
at TLSSocket.emit (node:events:394:28)
at TLSSocket.emit (node:domain:475:12)
at TLSSocket._finishInit (node:_tls_wrap:944:8)
at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12)
This "unable to get local issuer certificate" is the exact same error I get if I don't set the CA file in npm.
How can I set the CA file in serverless framework?
I have looked at this answer (Serverless Framework Login From Behind a Proxy?), which feels close, but when running the command in the accepted answer and then trying to run serverless I get the same unable to get local issuer certificate error.
I believe it's possible to address that by setting NODE_EXTRA_CA_CERTS, at least some users in the past were successful with that approach: https://github.com/serverless/serverless/issues/9548#issuecomment-857882498

Trusted Certificate fails after upgrade from 4.6.1 to 4.7.2

After upgrading a service written in F# from 4.6.1 to 4.7.2 I started getting a classic SSL/TLS error "The request was aborted: Could not create SSL/TLS secure channel".
TLS 1.2 is enabled on all servers.
I verified with Fiddler that the old version and the new version of the application both use TLS 1.2 as they should and have done for a long time.
The requests appear to be identical.
The service runs as a Network Service, however I get the same error if I run it as admin.
The certificate is self-signed and placed in Trusted Root Certification Auth.
The certificate is only used for internal HTTPS between our services.
If I add the certificate to Personal certificates in certmgr the error disappears and the service works!
From my view it is as if after upgrading to 4.7.2 the Trusted Ca certificates are "ignored".
Adding the certificate to Personal when it's placed in Trusted Certificates is not a solution.
I haven't been able to identify the change which somehow must have been introduced in 4.7.2.
What am I missing?

Configuring mitmproxy: installing cert, mitim.it, magic url not working iOS

I'm following link 1 to mitm my iPhone. I'm getting stuck at installing the mitm certificate on the phone.
Every bit of documentation points toward going to mimt.it once you've set up mitmproxy server to install the cert. No such luck. Furthermore, the instructions to manually install a certificate on iOS point to a password-protected MIT.edu domain link 2
When attempting to install by going to mitim.it I get this error:
[+++] PokemonGo MITM Proxy listening on 8081
[!] Make sure to have the CA cert .http-mitm-proxy/certs/ca.pem installed on your device
[-] PROXY_TO_SERVER_REQUEST_ERROR on /:
[-] HTTPS_CLIENT_ERROR on :

Getting Invalid certificate error on bundle with heroku

I have a private gem repository hosted in the cloud and accessible via https. The certificates are valid and signed.
The problem is when deploying an app that uses this private repo to Heroku, I'm getting this output:
Retrying source fetch due to error (2/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://mygemserver.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying source fetch due to error (3/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://mygemserver.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Could not verify the SSL certificate for https://mygemserver.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without
using SSL, edit your Gemfile sources and change 'https' to 'http'.
Bundler Output: Fetching source index from https://mygemserver.com/
Retrying source fetch due to error (2/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://mygemserver.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Retrying source fetch due to error (3/3): Bundler::Fetcher::CertificateFailureError Could not verify the SSL certificate for https://mygemserver.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
Could not verify the SSL certificate for https://mygemserver.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see bit.ly/ruby-ssl. To connect without
using SSL, edit your Gemfile sources and change 'https' to 'http'.
!
! Failed to install gems via Bundler.
!
! Push rejected, failed to compile Ruby app
It looks like it is not able to validate the certificates. I got the same problem on my local and was able to fix by running 'rvm osx-ssl-certs update'. This command updates the certificates bundle recognised by the system. How can I reproduce this behaviour in Heroku?
It turned out that we were able to fix this by appending an intermediate certificate, provided by Comodo, to the certificate itself.
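The failure and the fix from this answer can be reproduced offline with openssl; the failing case produces the same "unable to get local issuer certificate" message quoted in the serverless question above. This is an added example, not part of the original posts: the CA names, mygemserver.example and all file names are constructed.

```shell
#!/bin/sh
# Added example. Every name below (Example Root CA, mygemserver.example, file
# names) is constructed for the demo; nothing here comes from a real server.

# make_cert NAME SUBJECT EXTFILE SERIAL [ISSUER]
# Creates NAME.key and NAME.pem, signed by ISSUER (self-signed when omitted).
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null || return 1
    if [ -n "$5" ]; then
        openssl x509 -req -in "$1.csr" -CA "$5.pem" -CAkey "$5.key" \
            -set_serial "$4" -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -set_serial "$4" -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
    fi
}

# build_pki DIR: root -> intermediate -> leaf, plus the "appended" chain file.
build_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    make_cert root "/CN=Example Root CA" ca.ext 1 &&
    make_cert int "/CN=Example Intermediate CA" ca.ext 2 root &&
    make_cert leaf "/CN=mygemserver.example" leaf.ext 3 int &&
    cat leaf.pem int.pem > fullchain.pem   # leaf first, then the intermediate
)

# client_verify SERVED_FILE: the client trusts only the root; SERVED_FILE is
# what the server sends. Exit status is non-zero when no chain can be built.
client_verify() (
    cd "$PKI_DIR" &&
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>&1
)

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
build_pki "$PKI_DIR" || exit 1

echo "--- server sends leaf only ---"
client_verify leaf.pem
echo "--- server sends leaf + intermediate ---"
client_verify fullchain.pem
```

The client's trust store is identical in both runs; only the file the server presents changes.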

Where does grails store a self-generated SSL certificate?

I'm running grails on my local dev box (Mac OS 10.8) to host a web service over SSL using a self-signed certificate and the WeakSSL grails plugin. The problem is I'm connecting to this server through an Xcode iPhone simulator, and it's giving me an untrusted certificate error.
I've found instructions on how to install a certificate to the phone/simulator, but my question is how do I find this certificate on my machine to install?
I think if you are using grails 2.2.x you won't see the directory in ~.grails/. To find the keystore, the plugin uses a Pattern matched to Grails version 1.3.x and 2.0.x - 2.1.x.
Ideally you should see the certificates stored in ~./grails/${grailsVersion}
Have a look at the plugin code where certificates are found.
Created JIRA defect for the same.
Pattern matcher will not work for Grails version 2.2.x and above because of the below code.
import java.util.regex.Pattern
Pattern V2X = Pattern.compile("2.[01].\\d+?")
assert !V2X.matcher("2.2.0").find()
Also, consider using openssl to get the key directly from the running grails server with a command like this:
openssl s_client -connect localhost:8443
AFTER starting grails with something like this:
grails run-app -https
The output of the openssl command will have the self signed certificate that you can add to your clients trusted certificates.
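The s_client approach from this answer, as an added example that is not part of the original post: it pipes the handshake output through openssl x509 to get a PEM file, then compares its fingerprint with the server-side copy before the file goes into any trust store. openssl s_server, port 48443, CN=localhost and the file names are constructed stand-ins for the Grails dev server on localhost:8443.

```shell
#!/bin/sh
# Added example. Port 48443, CN=localhost and all file names are constructed;
# "openssl s_server" stands in for the Grails dev server.

# fetch_cert HOST:PORT OUTFILE: save the certificate the server presents as PEM.
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2" 2>/dev/null
}

# sha256_fp FILE: print the certificate's SHA-256 fingerprint.
sha256_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# run_demo: start a throwaway TLS server with a self-signed certificate,
# fetch that certificate over the wire and print "match" or "mismatch".
run_demo() (
    work=$(mktemp -d) && cd "$work" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key \
        -out server.pem -subj "/CN=localhost" -days 1 2>/dev/null || exit 1
    openssl s_server -accept 127.0.0.1:48443 -cert server.pem -key server.key \
        -www >/dev/null 2>&1 &
    server_pid=$!
    tries=0
    until fetch_cert 127.0.0.1:48443 fetched.pem; do   # wait for the listener
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || break
        sleep 1
    done
    kill "$server_pid" 2>/dev/null
    # Trust the fetched file only if it is the certificate the server owner
    # sees on disk; a different fingerprint means something else answered.
    if [ "$(sha256_fp fetched.pem 2>/dev/null)" = "$(sha256_fp server.pem)" ]; then
        echo match
    else
        echo mismatch
    fi
    rm -rf "$work"
)

RESULT=$(run_demo)
echo "fingerprint check: $RESULT"
```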
