I read this post in the official documentation:
https://hyperledger-fabric.readthedocs.io/en/latest/certs_management.html#certificate-renewal
I have some expired certificates. I configured my Fabric CA by adding the env var FABRIC_CA_SERVER_CA_REENROLLIGNORECERTEXPIRY=true
and also changing fabric-ca-server-config.yaml to set reenrollIgnoreCertExpiry: true
After restarting Docker I use the command
fabric-ca-client reenroll --csr.keyrequest.reusekey -u https://localhost:11054 --mspdir /usr/src/hyperledger/fabric-samples/my-network/crypto-config/peerOrganizations/network.eu/msp --caname ca-test
but I get this response:
Post "https://localhost:11054/reenroll": x509: certificate has expired or is not yet valid: current time 2022-11-30T12:15:04Z is after 2022-11-24T14:09:00Z
Can you help me?
With this configuration, I think that the previous command creates a new certificate without checking the expiry date.
I have a ruby on rails app that is throwing an error when I try to run bundle install. The error is the following:
bundle stdout: Could not verify the SSL certificate for https://rails-assets.org/ There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification
Our SSL certificate was updated just a few days ago and we haven't changed anything in the app. It started to throw this error out of the blue.
Is there any chance we need to update the root certificates in the system? I mean like running sudo update-ca-certificates or something like that? Is it safe to do that?
The app is on DigitalOcean and we use the Capistrano gem to deploy the app.
@lingYan Thanks a lot for guiding me in the right direction! I read the links you posted but in my case I had to change the steps a little bit because I am not on Centos-7. So this is exactly what I did:
Made a backup of the certificates file in /etc/ssl/certs:
cp ca-certificates.crt ~/certificatesBackup/ca-certificates-backup.crt
Made a backup of the config file in /etc:
cp ca-certificates.conf ~/certificatesBackup/ca-certificates-backup.conf
Made a backup of the expired certificate in /etc/ssl/certs:
cp DST_Root_CA_X3.pem ~/certificatesBackup/DST_Root_CA_X3_backup.pem
Removed DST_Root_CA_X3.pem from ca-certificates.conf:
I opened the file with vim and removed the line
Removed expired certificate in /etc/ssl/certs:
sudo rm DST_Root_CA_X3.pem
Updated certificates:
update-ca-certificates -f -v
Checked if expired certificate was removed from the chain in ca-certificates.crt:
diff ~/certificatesBackup/ca-certificates-backup.crt ca-certificates.crt
It showed the new certificate
It was still throwing the error after doing all the steps above, so I realized that I didn't have the ISRG Root CA certificate. In order to add the ISRG Root CA I did the following (which I think is not correct, or maybe I am missing something):
Went to this page https://letsencrypt.org/certificates/ and downloaded the file called ISRG Root X1 (self-signed / pem format)
Went to /usr/local/share/ca-certificates/
Created a new folder called isrgrootx1
Copied the pem file I downloaded previously into the isrgrootx1 folder
Made sure the permissions were OK (755 for the folder, 644 for the file)
Updated the certificates with update-ca-certificates -f -v
Checked if the certificate was added using the diff command: when I ran the diff command it didn't show any change, so I guess the certificate was not added and the error is still there
Am I doing something wrong? Are the steps above correct to add a new certificate? I am starting to feel frustrated with this :(
I checked the certificate of https://rails-assets.org/, it's signed by LetsEncrypt and one of the Root CA from LetsEncrypt is expired and that would be the cause of your issue.
To understand the issue:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
The possible solution:
https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4
Basically, if that's the cause, you need to remove the DST Root CA and make sure ISRG Root CA is in your certificate store.
For Ubuntu or Debian systems, the following document describes how to update the certificates:
/usr/share/doc/ca-certificates/README.Debian
Run the following command to create a directory for your own trusted ca-certificates:
sudo mkdir /usr/local/share/ca-certificates/extra
Copy the root certificate to the new directory:
sudo cp rootCA.crt /usr/local/share/ca-certificates/extra/
Make sure that the certificate file has the .crt extension.
Run the following command to update the system certificates:
sudo update-ca-certificates
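The question above copies isrgrootx1.pem into a subfolder, while this answer notes that the file needs the .crt extension. As an added example (not part of the original answers), this shell check lists the files in a local CA directory that update-ca-certificates would not import. It assumes the tool picks up only PEM files named *.crt; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a local CA directory before running
# update-ca-certificates. Header check only; it does not validate the
# certificate or its expiry.

# classify_ca_file FILE -> ok | wrong-extension | not-pem
classify_ca_file() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        case $1 in
            *.crt) echo ok ;;
            *)     echo wrong-extension ;;  # PEM, but only *.crt is picked up
        esac
    else
        echo not-pem                         # e.g. a DER-encoded .cer file
    fi
}

# audit_ca_dir DIR -> "status<TAB>path" per file, recursing into subfolders
audit_ca_dir() {
    find -L "$1" -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_ca_file "$f")" "$f"
    done
}

# count_skipped DIR -> number of files that would not be imported
count_skipped() {
    audit_ca_dir "$1" | awk -F '\t' '$1 != "ok" { n++ } END { print n + 0 }'
}

# make_demo_dir -> prints the path of a temp dir holding constructed samples
make_demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/isrgrootx1" "$d/extra"
    # Constructed placeholders, not real certificates.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/isrgrootx1/isrgrootx1.pem"
    cp "$d/isrgrootx1/isrgrootx1.pem" "$d/extra/rootCA.crt"
    printf '\060\202\001\012' > "$d/extra/corp-proxy.crt"   # DER-like bytes
    echo "$d"
}

demo_dir=$(make_demo_dir)
audit_ca_dir "$demo_dir"
echo "skipped: $(count_skipped "$demo_dir")"
rm -rf "$demo_dir"
```

On a real host, point audit_ca_dir at /usr/local/share/ca-certificates before running update-ca-certificates.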
Inside a Docker golang image I am trying to go install a package and it fails with this error:
go install google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: invalid version: Get "https://proxy.golang.org/google.golang.org/protobuf/cmd/protoc-gen-go/@v/1.27.0.info": x509: certificate signed by unknown authority
I tried installing CA certificates unsuccessfully.
Any idea what could be the problem?
OK, so the problem was my security client: Cisco AnyConnect "Umbrella".
It was acting like a man in the middle and re-signing the request with its own certificate.
In order for the in-docker go client to trust the traffic re-signed by Cisco Umbrella, the "Cisco Umbrella Root CA" certificate needed to be added to the docker file:
So clicking on the .cer URI we can see that certificate.
Now inside my container I could:
$ wget http://www.cisco.com/security/pki/certs/ciscoumbrellaroot.cer
then convert it from .cer to a .crt file:
$ openssl x509 -inform DER -in ciscoumbrellaroot.cer -out ciscoumbrellaroot.crt
then copy it to the certificate folder:
$ cp ciscoumbrellaroot.crt /usr/local/share/ca-certificates/ciscoumbrellaroot.crt
and lastly update certificates:
$ update-ca-certificates
which outputs this:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Done! Now we can go get any package:
$ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
go: downloading google.golang.org/protobuf v1.27.1
This was written about the Cisco security client but can be applied to any client out there.
I just installed rvm and am trying to install ruby, and it's giving me an error message. Can anyone help?
alex$ type rvm | head -1
rvm is a function
alex$ rvm install 1.9.2
Installing Ruby from source to: /Users/alex/.rvm/rubies/ruby-1.9.2-p290, this may take a while depending on your cpu(s)...
ruby-1.9.2-p290 - #fetching
ruby-1.9.2-p290 - #downloading ruby-1.9.2-p290, this may take a while depending on your connection...
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/alex/.rvm/log/ruby-1.9.2-p290/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
**ERROR: There was an error, please check /Users/alex/.rvm/log/ruby-1.9.2-p290/*.log
ERROR: There has been an error while trying to fetch the source.
Halting the installation.
ERROR: There has been an error fetching the ruby interpreter. Halting the installation.**
I ran into this issue before when installing on 10.5 - I think I ended up installing the head version; for whatever reason that did not have the same SSL issue
rvm install ruby-1.9.2-head
I would check the answer on this post first, might do the trick? Curl Certificate Error when Using RVM to install Ruby 1.9.2
I ran into the exact same issue, and found that updating curl solved it swiftly.
RVM is running into a certificate error when trying to download Ruby 1.9.2. It looks like curl is having a certificate issue but I am not sure how to bypass it. I have included the exact error info below.
$ rvm install 1.9.2
Installing Ruby from source to: /Users/willdennis/.rvm/rubies/ruby-1.9.2-p180, this may take a while depending on your cpu(s)...
ruby-1.9.2-p180 - #fetching
ERROR: Error running 'bunzip2 '/Users/willdennis/.rvm/archives/ruby-1.9.2-p180.tar.bz2'', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/extract.log
ruby-1.9.2-p180 - #extracting ruby-1.9.2-p180 to /Users/willdennis/.rvm/src/ruby-1.9.2-p180
ruby-1.9.2-p180 - #extracted to /Users/willdennis/.rvm/src/ruby-1.9.2-p180
Fetching yaml-0.1.3.tar.gz to /Users/willdennis/.rvm/archives
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/willdennis/.rvm/log/ruby-1.9.2-p180/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /Users/willdennis/.rvm/log/ruby-1.9.2-p180/*.log
Extracting yaml-0.1.3.tar.gz to /Users/willdennis/.rvm/src
ERROR: Error running 'tar zxf /Users/willdennis/.rvm/archives/yaml-0.1.3.tar.gz -C /Users/willdennis/.rvm/src --no-same-owner', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/extract.log
/Users/willdennis/.rvm/scripts/functions/packages: line 55: cd: /Users/willdennis/.rvm/src/yaml-0.1.3: No such file or directory
Configuring yaml in /Users/willdennis/.rvm/src/yaml-0.1.3.
ERROR: Error running ' ./configure --prefix="/Users/willdennis/.rvm/usr" ', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/configure.log
Compiling yaml in /Users/willdennis/.rvm/src/yaml-0.1.3.
ERROR: Error running '/usr/bin/make ', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/make.log
Installing yaml to /Users/willdennis/.rvm/usr
ERROR: Error running '/usr/bin/make install', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/yaml/make.install.log
ruby-1.9.2-p180 - #configuring
ERROR: Error running ' ./configure --prefix=/Users/willdennis/.rvm/rubies/ruby-1.9.2-p180 --enable-shared --disable-install-doc --with-libyaml-dir=/Users/willdennis/.rvm/usr ', please read /Users/willdennis/.rvm/log/ruby-1.9.2-p180/configure.log
ERROR: There has been an error while running configure. Halting the installation.
How can I resolve or avoid this error?
In case any one else comes across this while trying to update to 1.9.3 (although version probably doesn't matter), check the version of rvm that you have. Wayne seems to have moved from rvm.beginrescueend.com to rvm.io. The old site's security certificate has expired, so curl's response is correct.
Updating rvm from the new site fixed this problem and allowed me to move forward.
$ \curl -L https://get.rvm.io | bash -s stable --rails --autolibs=enabled
Update: As @rodgerdpack mentioned, the command changes and I've updated the above. In general, see https://rvm.io/ for the latest.
If you do not want to change the script and you do not want to add a cert "forever" to the cert bundle, there is a very nice and quick solution:
# download the cert into your home directory
wget -O ~/cacert.pem http://curl.haxx.se/ca/cacert.pem
# let curl use it for the next calls
export CURL_CA_BUNDLE=~/cacert.pem
Then run your script.
To reset the environment variable (for subsequent script calls that should not use this cert) re-login to your system or unset the environment variable:
unset CURL_CA_BUNDLE
Curl is invoked in .rvm/scripts/fetch, which by default will be in your home directory.
Edit this using your favourite text editor: for example,
nano ~/.rvm/scripts/fetch
In lines 56 and 58 (may vary with other versions of RVM, of course) you'll see two lines which begin
fetch_command="curl ...
Simply add -k after curl, save and try again.
You need to download the ca certificate from http://curl.haxx.se/ca/cacert.pem and add them to your curl-ca-bundle-new.crt file.
To find the location of this file use:
$ curl-config --ca
/usr/share/curl/curl-ca-bundle.crt
Backup your curl-ca-bundle.crt file:
$ cp /usr/share/curl/curl-ca-bundle.crt /usr/share/curl/curl-ca-bundle.crt.old
Then you want to concatenate the two file using:
$ cat cacert.pem /usr/share/curl/curl-ca-bundle.crt >> curl-ca-bundle-new.crt
Perhaps all these complicated solutions were once necessary, but now all you need to do is first upgrade RVM and your problem will be solved:
$ rvm get stable
$ rvm reload
$ rvm install ruby-1.9.3-p194
If you don't mind disabling certificate check in curl (I don't):
echo insecure > ~/.curlrc
On Centos 5.6 (Final)
I had a problem with installing rvm 1.9.2
The error was:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /usr/local/rvm/log/ruby-1.9.2-p290/*.log. Next we'll try to fetch via http.
Trying http:// URL instead.
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
ERROR: There was an error, please check /usr/local/rvm/log/ruby-1.9.2-p290/*.log
ERROR: There has been an error while trying to fetch the source.
Halting the installation.
ERROR: There has been an error fetching the ruby interpreter. Halting the installation.
Here is a list of actions which helped me to solve the problem
$ curl-config --ca # show path to the certificate
/usr/local/share/curl/curl-ca-bundle.crt
$ cd /usr/local/share/curl/ # go to that path
$ cp curl-ca-bundle.crt curl-ca-bundle.crt.bak # backup certificate
$ curl http://curl.haxx.se/ca/cacert.pem -o curl-ca-bundle.crt # download new
$ rvm install 1.9.2 # bingo it works
Btw curl version is curl 7.18.0 (to check '$ curl -V')
I was attempting to install ruby-1.9.2-p290 and came across the same problem. After running which curl and realizing that the curl instance was coming from an installation of MAMP on my system (OS X Snow Leopard), I reconfigured my PATH variable to use the system default at /usr/bin/curl. Using this version, curl 7.19.7, I had no problem installing the latest version of Ruby with RVM.
I had trouble installing 1.9.2 using RVM, here is my solution:
Download yaml-0.1.3.tar.gz from http://www.filewatcher.com/m/yaml-0.1.3.tar.gz.466845.0.0.html
Save it to /Users//.rvm/archives/yaml-0.1.3.tar.gz
Run these commands:
chmod 777 yaml-0.1.3.tar.gz
tar zxf /Users//.rvm/archives/yaml-0.1.3.tar.gz -C /Users//.rvm/src
I still got the file not found error but the installation went on to be successful
[2011-07-05 14:24:07] tar zxf /Users//.rvm/archives/yaml-0.1.3.tar.gz -C /Users//.rvm/src --no-same-owner
tar (child): /Users//.rvm/archives/yaml-0.1.3.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error exit delayed from previous errors
Thank you Dorothy - this recipe worked for me with the following minor modifications for a Win7 environment:
For others with this issue -
1. Appreciate the discussion about updating the CA_Bundle - good to do, but it didn't help with this issue - the pyyaml website cert will still cause CURL to throw an error and since CURL is launched within the installer, no way to add a -k option.
2. Ruby 1.9.2-p290 is trying to install YAML 0.1.4 so Google for a mirror and download that version - YAML-0.1.3 will have no effect in bypassing the issues.
3. You need to do the Windows equivalent of CHMOD 777 - within the rvm/src folder to the extracted files. Change security so that everyone has ownership/all privileges and turn off the read-only attribute for all files and folders.
The installer will still throw errors when it tries to download (CURL error), but will resume by trying to extract. The extraction will throw errors because the tarball is already extracted to the src folder. The next step of configuring YAML should work without errors if permissions in step 3 were set correctly and the installation should complete without further problems. (If installing via cygwin/bash, you will need to add a C compiler like 'gcc' and add 'ncurses' (tput command) and 'make' to the default core cygwin setup options.)
$ sudo apt-get install curl
$ curl -L https://get.rvm.io | bash -s stable --ruby    # with ruby
$ curl -L https://get.rvm.io | bash -s stable --rails   # with rails