I am running a vagrant box with Centos 7 as its OS. I installed blackfire without error and then tried to profile from the web browser. It started profile, but then just hung and hung and never finished. I then tried it via curl in the command line and got the following error:
$ blackfire curl https://gitlist.demo.blackfire.io/
Profiling: [####------------------------------------] 1/10
Error while running command: exit status 60
Use the option '--ignore-exit-status' to ignore command exit status
* About to connect() to gitlist.demo.blackfire.io port 443 (#0)
* Trying 54.76.137.79...
* Connected to gitlist.demo.blackfire.io (54.76.137.79) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=gitlist.demo.blackfire.io
* start date: Jul 07 14:09:16 2019 GMT
* expire date: Oct 05 14:09:16 2019 GMT
* common name: gitlist.demo.blackfire.io
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
* Peer's Certificate has expired.
* Closing connection 0
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a
"bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Can someone explain to me what this error is? I have used Blackfire successfully on other projects (albeit, those were Ubuntu boxes) and have never seen this error. I can't find much on the web about this as well.
cURL is not sending the HTTP request because the "Peer's Certificate has expired".
As suggested, you could have added the "--insecure" option.
But it seems the certificate has been renewed.
Related
I' trying to get hostapd working with eap-peap and a Let's encrypt certificate. When connecting with my Android phone though, it does not connect and complains the certificate was expired.
hostapd logs
wlan0: STA <mac> IEEE 802.11: authenticated
wlan0: STA <mac> IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED <mac>
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):fatal:certificate expired
OpenSSL: openssl_handshake - SSL_connect error:0A000415:SSL routines::sslv3 alert certificate expired
wlan0: CTRL-EVENT-EAP-FAILURE <mac>
wlan0: STA <mac> IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA <mac> IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA <mac> IEEE 802.11: deauthenticated due to local deauth request
Client configuration
EAP Method: PEAP
Identity:
Password:
CA-Certificate: Use System Certificate
Domain:
Phase2 Authentication: MSCHAPV2
Anonymous Identity:
When configuring the CA-Certificate validation mode to "no validation" however, the connection works flawlessly.
Certificate
> openssl x509 -in /etc/hostapd/certs/server.pem -text
[...]
Validity
Not Before: Jan 29 09:40:58 2023 GMT
Not After : Apr 29 09:40:57 2023 GMT
Subject: CN = <domain>
[...]
hostapd.conf
# EAP Settings
eap_server=1
ieee8021x=1
eapol_version=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
rsn_pairwise=CCMP
eap_user_file=/etc/hostapd/hostapd.eap_user
ca_cert=/etc/hostapd/certs/ca.pem
server_cert=/etc/hostapd/certs/server.pem
private_key=/etc/hostapd/certs/server.key
hostapd.eap_user
# Wildcard for all other identities
* PEAP,TTLS,TLS
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"testaccount1" MSCHAPV2 "SuperSecretPassword1" [2]
On my Windows machine, these settings work flawlessly, the certificate is presented to me and I can decide to accept it (or not). However, the validation method is very different on Windows.
I'm therefore wondering if any of you have experience with this on Android.
I'm also confused with the lines
wlan0: STA <mac> IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA <mac> IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
This looks to me like I misconfigured somethin in eap_user - but then again it is working as long as certificate validation is not enabled.
For anyone looking for an answer to this:
Above configuration actually works flawlessly with Windows and iOS. Only getting Android to work requires a different configuration in hostapd.conf and on the Android device:
in hostapd.conf:
For ca_cert, download the Root-CA that is used in the certificate chain for signature of the intermediate CA which signed your server.pem. In my case, this was ISRG Root X1. All Let's Encrypt certificates are available on https://letsencrypt.org/de/certificates/
For server_cert, the fullchain.pem file is used, containing the server certificate and the intermediate certificate chain.
on Android:
Download the same Root CA and add it specifically as Wifi Certificate. This certificate needs to be selected when connecting.
It appears as if Android does not use the system certificate store or the system certificate store for wifi certificates does not contain the Let's Encrypt Root CA. Therefore, this CA needs to be added manually rendering the process on android much more complicated on unmanaged devices.
I have to scrape a website without disabling SSL. I tried by using Nokogiri gem
require 'httparty'
require 'nokogiri'
require 'open-uri'
page = open("https://mywebsiteurl.com",{ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
doc = Nokogiri::HTML(page)
puts doc
This code works by disabling SSL. but I want it to work without disabling SSL.
when I tried without disabling SSL I got this error
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
when I do curl https://mywebsiteurl.com I got this result.
* Hostname was NOT found in DNS cache
* Trying xxx.xxx.xxx.xxx...
* Connected to wxxxxxxxxx.com (xxx.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I upgraded my Plan on Heroku to be able to use Heroku SSL, which includes Automated Certificate Management (ACM).
Hence when i run heroku certs:info I get:
Certificate details:
Common Name(s): www.myapp.fr
Expires At: 2018-04-29 10:10 UTC
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At: 2018-01-29 10:10 UTC
Subject: /CN=www.myapp.fr
SSL certificate is verified by a root authority.
or heroku certs:
Name Common Name(s) Expires Trusted Type
────────────────── ──────────────── ──────────────────── ─────── ────
tyrannosaurs-12099 www.myapp.fr 2018-04-29 10:10 UTC True ACM
However, my app still appears as being unsecured (no https) and when I run curl -kvI https://www.myapp.fr, here is what I get:
[2.3.4]
* Rebuilt URL to: https://www.myapp.fr/
* Trying 79.125.111.38...
* Connected to www.myapp.fr (79.125.111.38) port 443 (#0)
* Unknown SSL protocol error in connection to www.myapp.fr:-9838
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to www.myapp.fr:-9838
Any idea on How can I get my HTTPS working ?
I think I solved it at that time doing this: In order to force all clients to use https you will need to update your application to check for this. In Rails this is usually done by setting
config.force_ssl = true
in config/environments/production.rb.
Then wait a few minutes and it should be OK.
I have a following single line code in rails:
Curl::Easy.new("https://www.uts.edu.au/" ).perform
Running this is giving following error:
Curl::Err::SSLCACertificateError: Peer certificate cannot be authenticated with given CA certificates
Can anyone please suggest how to fix it ?
For further help:
curl -v https://www.uts.edu.au/
* Adding handle: conn: 0x16a3a40
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x16a3a40) send_pipe: 1, recv_pipe: 0
* About to connect() to www.uts.edu.au port 443 (#0)
* Trying 54.79.20.73...
* Connected to www.uts.edu.au (54.79.20.73) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
For some reason, Curl is failing to use trusted CAs. By any chance, are you running this inside a Docker Container without CAs?
Please provide the output of curl -v https://www.uts.edu.au/
Update:
It seems there is a problem with the Chain of Certificates for the host you are making requests.
The certificate might lack necessary meta-data or its certificate
authority might be malfunctioning
https://whatsmychaincert.com/generate?host=www.uts.edu.au
I am trying create a channel according to documentation
Hyperledger Fabric v1.0 docs
Have an issue with certificate. On the docker "hyperledger/fabric-tools" node I can find certificate with current name - tlsca.example.com. But the channel cannot be created. I have certificate hand shake issue. Should I check/mount certificate to the peer node ?
root#4b6423da537b:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com# peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls $CORE_PEER_TLS_ENABLED --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
2017-07-27 16:49:58.949 UTC [msp] GetLocalMSP -> DEBU 001 Returning existing local MSP
2017-07-27 16:49:58.949 UTC [msp] GetDefaultSigningIdentity -> DEBU 002 Obtaining default signing identity
2017-07-27 16:49:58.954 UTC [grpc] Printf -> DEBU 003 Failed to dial orderer.example.com:7050: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"tlsca.example.com\")"; please retry.
Error: Error connecting due to rpc error: code = Internal desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"x509: ECDSA verification failure\" while trying to verify candidate authority certificate \"tlsca.example.com\")"
Usage:
Thanks.
i meet the same problem. And run this command to close the network.
./network_setup.sh down mychannel
The reason that cause my problem is that the source code exists a error. So i modify this code error and reopen the network. This problem work out.
It would seem that you are in the incorrect working directory. When running the sample manually, you start the cli container and it places you in the /opt/gopath/src/github.com/hyperledger/fabric/peer directory. That is where you should be running the peer command. It would seem from your post that you were running the peer command in the /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com directory in the container, and it is not finding the configuration files that were mounted for the example.