How to, and other stuff about linux, photo, php … A linux, photography blog. To remember some linux situations, and fix them quickly.

September 22, 2022

curl: (60) SSL certificate problem: certificate has expired

Filed under: Linux — admin @ 11:30 am

I had this problem on a Debian 9 client that tried to curl a website with a valid SSL certificate.

The fix is to blacklist the expired root certificate (DST Root CA X3) in the client's CA store, not on the server.

sed -i 's|mozilla/DST_Root_CA_X3.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf && update-ca-certificates
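The same edit as an added example (not from the post), anchored to the whole line so a second run cannot turn the entry into `!!mozilla/...`; it works on a constructed copy of the conf file, and the ISRG Root X1 entry is there to show that only the expired root gets deselected (that root has to stay selected for the Let's Encrypt chain to verify).

```shell
#!/bin/sh
# Added example, not from the original post: deselect a CA in a copy of
# /etc/ca-certificates.conf the way the post's sed does, but anchored to the
# whole line and therefore idempotent (a second run never yields "!!mozilla/...").
# The conf excerpt below is constructed for the demo; the real file is in /etc.

# Print "selected", "deselected" or "absent" for one entry of the conf file.
ca_state() {            # $1 = conf file, $2 = entry, e.g. mozilla/DST_Root_CA_X3.crt
    if grep -qxF "$2" "$1"; then echo selected
    elif grep -qxF "!$2" "$1"; then echo deselected
    else echo absent
    fi
}

# Prefix the entry with "!": update-ca-certificates skips lines that start
# with "!". Only a line that is exactly the entry is touched, so repeated
# runs are no-ops and the rest of the file is left alone.
deselect_ca() {         # $1 = conf file, $2 = entry
    sed -i "s|^$2\$|!$2|" "$1"
}

# Constructed excerpt: the expired DST Root CA X3 next to the ISRG Root X1
# that Let's Encrypt chains to; only the first one is deselected.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed excerpt of /etc/ca-certificates.conf
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF

deselect_ca "$demo_conf" mozilla/DST_Root_CA_X3.crt
deselect_ca "$demo_conf" mozilla/DST_Root_CA_X3.crt   # second run must be a no-op
ca_state "$demo_conf" mozilla/DST_Root_CA_X3.crt      # deselected
ca_state "$demo_conf" mozilla/ISRG_Root_X1.crt        # selected
# On a real client, follow with: update-ca-certificates
```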

March 12, 2018

Amazon ec2 ami certbot-auto problem

Filed under: Linux — admin @ 11:15 am

Today I tried to renew some SSL certificates and, surprise:


certbot-auto renew
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
import josepy as jose
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
from josepy.interfaces import JSONDeSerializable
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
from josepy import errors, util
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
import OpenSSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import rand, crypto, SSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
from OpenSSL._util import (
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding


Well, I tried everything.

rm -rf /opt/eff.org (didn't work for me)

Reinstalled, same problem.

The only solution was this one, found in a comment on GitHub:

$ unset PYTHON_INSTALL_LAYOUT
$ /opt/eff.org/certbot/venv/local/bin/pip install --upgrade certbot
$ /opt/eff.org/certbot/venv/local/bin/certbot --help


January 11, 2017

php 5.6 ssl verify error

Filed under: Linux — admin @ 12:15 pm

New problem in town. A server could not send e-mail using PHP, but could connect using telnet.
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:#012error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Some error from the PHP class.
Well, it appears that there is no cert file on the server:
php -r "print_r(openssl_get_cert_locations());"

Array
(
[default_cert_file] => /etc/pki/tls/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /etc/pki/tls/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /etc/pki/tls/private
[default_default_cert_area] => /etc/pki/tls
[ini_cafile] =>
[ini_capath] =>
)

For me this file was not there:
/etc/pki/tls/cert.pem
After I ran
update-ca-trust
I copied the file
/etc/pki/tls/certs/ca-bundle.crt to /etc/pki/tls/cert.pem and it worked.


UPDATE

Today I faced the same problem, but more complicated. The cert.pem was there, but mail was not sending. So how to debug it?

Well, first of all we need to see which root certificate is needed.

So I ran:

openssl s_client -crlf -connect mail.domain.com:465

depth=0 C = EN, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = EN, CN = mail.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1

...


subject=/C=EN/CN=mail.domain.com
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA

No client certificate CA names sent


From here we see that we need StartCom Class 1 DV Server CA.

So I searched on Google and found it here:

https://www.startssl.com/root

So I downloaded the CA pem file into /etc/pki/ca-trust/source/anchors/

and after this also ran

update-ca-trust extract

After this all was working fine.
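An added example (not from the post) that reads an openssl s_client transcript like the one above and says which piece of the chain is missing. The tell is the depth at which OpenSSL reports error 20: at depth 0, as in the post, the leaf's issuer was neither sent by the server nor found locally, so the server is not sending its intermediate and trusting that intermediate locally is a client-side workaround; at depth 1 or more the server sent its chain and only the top of it is untrusted here. The transcripts are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: read an "openssl s_client"
# transcript and say which piece of the chain is missing, using the depth
# at which OpenSSL reported error 20. Error 20 at depth 0 (the post's case)
# means the leaf's issuer was neither sent by the server nor found locally;
# error 20 (or 19) at depth 1 or more means the server sent its chain but
# the top of it is not in the local trust store. Transcripts are constructed.

# Reads the transcript on stdin and prints one diagnosis line.
diagnose_chain() {
    awk '
        /^depth=/               { d = substr($1, 7) + 0 }   # "depth=N ..." precedes its errors
        /verify error:num=20:/  { if (d == 0) leaf_issuer_missing = 1; else top_untrusted = 1 }
        /verify error:num=19:/  { top_untrusted = 1 }
        /verify error:num=10:/  { expired = 1 }
        END {
            if (expired)                  print "expired certificate in chain"
            else if (leaf_issuer_missing) print "server did not send the intermediate: fix the server chain, or trust the intermediate locally"
            else if (top_untrusted)       print "chain top is not in the local trust store: add the root CA"
            else                          print "chain verified"
        }'
}

# Constructed transcript shaped like the one in the post: only the leaf came back.
sample_leaf_only() { cat <<'EOF'
depth=0 C = EN, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = EN, CN = mail.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
EOF
}

# Constructed transcript: server sent leaf + intermediate, root not trusted here.
sample_untrusted_root() { cat <<'EOF'
depth=1 C = XX, O = Example CA, CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = XX, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
EOF
}

sample_leaf_only | diagnose_chain
sample_untrusted_root | diagnose_chain
```

Pipe a real run into it with `openssl s_client -connect host:465 2>&1 </dev/null | diagnose_chain`.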


More information can be found here

Trusting additional CAs in Fedora / RHEL / CentOS: an alternative to editing /etc/pki/tls/certs/ca-bundle.crt (or /etc/pki/tls/cert.pem)

and here

http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

October 5, 2015

Comodo intermediate certificate

Filed under: Linux — admin @ 11:22 am

Well, when you try to install an SSL certificate from Comodo they send you a zip with 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
www_domain_com.crt

If you want to install this on Apache it should be something like this:

SSLCertificateFile /path/www_domain_com.crt
SSLCertificateKeyFile /path/www_domain_com.key
SSLCACertificateFile /path/intermediate.crt

Where intermediate.crt is built with:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > intermediate.crt

December 16, 2014

Setting up HAProxy with SSL

Filed under: Linux — admin @ 2:02 pm

Well, today I was setting up HAProxy to use SSL, and didn't figure out the first time how to get everything into one pem file.
In HAProxy you have only one file with all certificates.

So the order is this:
cat matrafox.info.key >> matrafox.info.pem
cat matrafox.info.crt >> matrafox.info.pem
cat intermediate.bundle >> matrafox.info.pem

After this just add
bind *:443 ssl crt /etc/ssl/matrafox.info.pem
and you will have the right one.
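An added example (not from either post) that builds the single HAProxy pem in the order used above from the split files a CA like Comodo ships, refuses missing or non-PEM inputs, creates the result owner-readable only because it carries the private key, and checks that the key comes first and the leaf is followed by at least one intermediate. The input files it writes are constructed placeholders with only the PEM markers.

```shell
#!/bin/sh
# Added example, not from the original posts: build the single PEM file that
# HAProxy wants, in the order the post uses (key, leaf, chain), from the split
# files a CA such as Comodo ships, and check the result. The inputs written
# below are constructed placeholders carrying only the PEM markers.

# Print the PEM block labels of a file in order, one per line.
pem_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# Concatenate key, leaf certificate and chain bundle into $4. Refuse missing
# or non-PEM inputs, and create the output readable by its owner only,
# because it contains the private key.
build_haproxy_pem() {   # $1 key  $2 leaf crt  $3 chain bundle  $4 output
    for f in "$1" "$2" "$3"; do
        [ -s "$f" ] || { echo "missing input: $f" >&2; return 1; }
        [ -n "$(pem_labels "$f")" ] || { echo "no PEM block in: $f" >&2; return 1; }
    done
    ( umask 077; cat "$1" "$2" "$3" > "$4" )
}

# Print "ok" when the bundle is key, then leaf, then at least one more cert.
check_haproxy_pem() {   # $1 = bundle
    labels=$(pem_labels "$1")
    case "$(printf '%s\n' "$labels" | sed -n 1p)" in
        *"PRIVATE KEY") ;;
        *) echo "private key is not first"; return 1 ;;
    esac
    [ "$(printf '%s\n' "$labels" | sed -n 2p)" = CERTIFICATE ] \
        || { echo "leaf certificate must follow the key"; return 1; }
    [ "$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$')" -ge 2 ] \
        || { echo "no intermediate after the leaf"; return 1; }
    echo ok
}

# Constructed inputs, named as in the post.
d=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed key)' '-----END PRIVATE KEY-----' > "$d/matrafox.info.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed leaf)' '-----END CERTIFICATE-----' > "$d/matrafox.info.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed intermediate)' '-----END CERTIFICATE-----' \
              '-----BEGIN CERTIFICATE-----' '(constructed root)' '-----END CERTIFICATE-----' > "$d/intermediate.bundle"

build_haproxy_pem "$d/matrafox.info.key" "$d/matrafox.info.crt" "$d/intermediate.bundle" "$d/matrafox.info.pem"
check_haproxy_pem "$d/matrafox.info.pem"   # ok
```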
