How to , and other stuff about linux, photo, php … Another blog just like others on internet

January 11, 2017

php 5.6 ssl verify error

Filed under: Linux — Tags: , , — admin @ 12:15 pm

New problem in town. A server could not send e-mail using PHP, but could connect to the mail server using telnet.
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:#012error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Some error from the PHP mail class.
Well, it appeared that there was no CA certificate bundle on the server:
php -r "print_r(openssl_get_cert_locations());"

Array
(
[default_cert_file] => /etc/pki/tls/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /etc/pki/tls/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /etc/pki/tls/private
[default_default_cert_area] => /etc/pki/tls
[ini_cafile] =>
[ini_capath] =>
)

For me this file was not there:
/etc/pki/tls/cert.pem
After I ran
update-ca-trust
I copied the file
/etc/pki/tls/certs/ca-bundle.crt to /etc/pki/tls/cert.pem and it worked.

 

UPDATE

Today I faced the same problem, but more complicated: cert.pem was there, but mail was still not being sent. So how to debug it?

Well, first of all we need to see which root certificate is needed.

So I ran

openssl s_client -crlf -connect mail.domain.com:465

depth=0 C = EN, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = EN, CN = mail.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1

….


subject=/C=EN/CN=mail.domain.com
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA

No client certificate CA names sent

 

From here (the issuer= line) we see that we need the StartCom Class 1 DV Server CA certificate.

So I searched on Google and found it here

https://www.startssl.com/root

So I downloaded the CA pem file into /etc/pki/ca-trust/source/anchors/

and after this also ran

update-ca-trust extract

After this everything worked fine.

 

 

More information can be found here

Trusting additional CAs in Fedora / RHEL / CentOS: an alternative to editing /etc/pki/tls/certs/ca-bundle.crt (or /etc/pki/tls/cert.pem)

and here

http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

October 5, 2015

Comodo intermediate certificate

Filed under: Linux — Tags: , , , — admin @ 11:22 am

Well, when you try to install an SSL certificate from Comodo they send you a zip with 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
www_domain_com.crt

If you want to install this on Apache it should be something like this:

SSLCertificateFile /path/www_domain_com.crt
SSLCertificateKeyFile /path/www_domain_com.key
SSLCACertificateFile /path/intermediate.crt

Where intermediate.crt is built, in this order, with
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > intermediate.crt

December 16, 2014

Setting up HAProxy with SSL

Filed under: Linux — Tags: , , , , — admin @ 2:02 pm

Well, today I was setting up HAProxy to use SSL, and didn't figure out at first how to get everything into one pem file.
In HAProxy you have only one file with the key and all certificates.

So the order is this:
cat matrafox.info.key >> matrafox.info.pem
cat matrafox.info.crt >> matrafox.info.pem
cat intermediate.bundle >> matrafox.info.pem

After this just add
bind *:443 ssl crt /etc/ssl/matrafox.info.pem
and you will have the right one.
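The three SSL posts above come down to one mechanism: the server certificate has to chain, through the intermediate that the server (or the bundle file) supplies, to a root in the client's trust store, and a concatenated PEM file has to be in server, intermediate, root order. The following Go program is an added example, not code from this blog or from any of the projects it mentions. It uses only Go's standard library, so it runs without the openssl binary, and it constructs its own throw-away three-level PKI (a test root, a test intermediate named after the StartCom Class 1 DV Server CA of the first post, and a server certificate for mail.domain.com) rather than using any real CA. verifyLeaf reproduces the check behind PHP's stream_socket_enable_crypto() error: it fails with an empty trust store, fails with the root but no intermediate, and succeeds once both are present; bundlePEM builds a concatenated file the way the Comodo and HAProxy cat commands do, with the private key first for HAProxy; checkBundleOrder reads such a file back and checks that each certificate is signed by the next one. All type and function names here are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// certPair is one certificate of a constructed, throw-away test PKI plus its key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for cn: self-signed when parent is nil (a root),
// otherwise signed by parent's key (an intermediate or a server certificate).
func newCert(cn string, isCA bool, parent *certPair) *certPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // a server cert must name the host it is used for
	}
	if parent == nil {
		parent = &certPair{cert: tmpl, key: key} // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &certPair{cert: must(x509.ParseCertificate(der)), key: key}
}

// buildTestPKI constructs root -> intermediate -> server, the same shape as
// StartCom root -> "StartCom Class 1 DV Server CA" -> mail.domain.com.
func buildTestPKI() (root, inter, leaf *certPair) {
	root = newCert("Test Root CA", true, nil)
	inter = newCert("Test Class 1 DV Server CA", true, root)
	return root, inter, newCert("mail.domain.com", false, inter)
}

// bundlePEM concatenates certificates in the order given, like `cat a.crt b.crt
// c.crt > intermediate.crt`; a non-nil key goes first, the layout HAProxy expects.
func bundlePEM(key *ecdsa.PrivateKey, certs ...*certPair) []byte {
	var out []byte
	if key != nil {
		der := must(x509.MarshalECPrivateKey(key))
		out = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	}
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.cert.Raw})...)
	}
	return out
}

// verifyLeaf does what OpenSSL does under PHP's stream_socket_enable_crypto(): the
// server cert must chain, via the intermediates the server sends (chainPEM), to a
// root in the trust store (trustPEM, i.e. the contents of /etc/pki/tls/cert.pem).
func verifyLeaf(leaf *certPair, chainPEM, trustPEM []byte, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(trustPEM) // an empty trust store is the "no cert.pem" case
	inters.AppendCertsFromPEM(chainPEM)
	_, err := leaf.cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// checkBundleOrder parses a concatenated PEM file (skipping a private-key block,
// panicking via must on a malformed one) and checks that each certificate is
// signed by the one after it: server, then intermediates, then root. It returns
// the subject CNs in file order so a wrong order is easy to spot.
func checkBundleOrder(bundle []byte) (names []string, err error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			certs = append(certs, must(x509.ParseCertificate(block.Bytes)))
			names = append(names, certs[len(certs)-1].Subject.CommonName)
		}
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return names, fmt.Errorf("%q is not issued by the next cert %q: %w", names[i], names[i+1], err)
		}
	}
	return names, nil
}
```

Both missing-certificate cases come back from Go as an unknown-authority error, where OpenSSL prints the num=20 and num=21 verify lines shown in the s_client output above; the fix is the same either way: put the root into the trust store (update-ca-trust) and make sure the server, or the bundle file, supplies the intermediate. To check a real intermediate.crt or HAProxy pem, read the file and pass its bytes to checkBundleOrder; a wrong order is reported with the two names that do not chain. The file has no main, so call buildTestPKI, verifyLeaf and checkBundleOrder from a Go test or a small main of your own.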

April 23, 2012

Invalid command “SSLEngine”, perhaps misspelled or defined by a module not included in the server configuration

Filed under: Linux — Tags: , , , , — admin @ 3:53 pm

If you get the error below you should install mod_ssl:
Invalid command "SSLEngine", perhaps misspelled or defined by a module not included in the server configuration
The error message indicates that the mod_ssl module required to run the SSL engine on a CentOS server is missing and needs to be installed.
Install the mod_ssl module using yum:
yum install mod_ssl
Once it is installed, make sure to restart the Apache service:
service httpd restart
