When I used openssl APIs to validate server certificate (self signed), I got following error :
error 19 at 1 depth lookup:self signed certificate in certificate
chain
As per openssl documentation, this error (19) is
"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
certificate chain - the certificate chain could be built up using the
untrusted certificates but the root could not be found locally."
Why this error occurs ? Any problems with my server certificate ?
You have a certificate which is self-signed, so it's non-trusted by default, that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also rise due to a man-in-the-middle attack.
To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.
Have a look at this link about installing self-signed certificates.
Here is one-liner to verify certificate to be signed by specific CA:
openssl verify -verbose -x509_strict -CAfile ca.pem certificate.pem
This doesn't require to install CA anywhere.
See How does an SSL certificate chain bundle work? for details and correct certificate chain handling.
If you're running Charles and trying to build a docker container then you'll most likely get this error.
Make sure to disable Charles (macos) proxy under proxy -> macOS proxy
Charles is an
HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
So anything similar may cause the same issue.
The solution for the error is to add this line at the top of the code:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
if you are testing your end points using Postman, just go to settings and disable "Enable SSL certificate verification"
Related
When I try to install yarn, I've got the following output:
Internal Error: Error when performing the request
at ClientRequest.<anonymous> (C:\Program Files\nodejs\node_modules\corepack\dist\corepack.js:3937:20)
at ClientRequest.emit (node:events:390:28)
at TLSSocket.socketErrorListener (node:_http_client:447:9)
at TLSSocket.emit (node:events:390:28)
at emitErrorNT (node:internal/streams/destroy:157:8)
at emitErrorCloseNT (node:internal/streams/destroy:122:3)
at processTicksAndRejections (node:internal/process/task_queues:83:21)
TL;DR
Create a custom CA certificate file (in this example c:\temp\combo.ca.cer) containing BASE64-encoded DERs of all certs your corporate network security solution is presenting to Node.js when Node.js makes HTTPS requests
I used advice from https://stackoverflow.com/a/44726189 to create my custom CA cert file
set NODE_EXTRA_CA_CERTS=c:\temp\combo.ca.cer
corepack enable
yarn set version stable
Root Cause Analysis
I had the "Internal Error: Error when performing the request" at "corepack.js:3937:20" like everyone who's been here so I looked in line 3937 and discovered it was a vanilla https.get call. I stuck in some extra debugging into corepack.js to see what was being accessed and discovered it was failing trying to reach "https://registry.npmjs.com/pnpm".
I navigated to "https://registry.npmjs.com/pnpm" in my web browser and discovered my corporate environment let it load up with no errors. So I fired up Node JS and issued to see what would happen:
https.get("https://registry.npmjs.com/pnpm", {}, res => console.log(res));
I received a "unable to get local issuer certificate" error. In my corporate environment, there's a security solution that injects it's own self-signed certificates into responses from any outbound https requests. What that means for me is that I need to instruct anything issuing https requests (eg Node.js and curl) to use a custom CA certificate file.
To get corepack to work, I first hard-coded a custom CA certificate file into corepack.js and while it's pretty ugly, it did work. A bit of further digging around I found the NODE_EXTRA_CA_CERTS environment variable option used by Node.js so also tried the following in a Administrator-privileged cmd session with success (also removing the corepack.js hack I made earlier):
set NODE_EXTRA_CA_CERTS=c:\temp\combo.ca.cer
corepack enable
yarn set version stable
The combo.ca.cer was constructed by navigating to https://registry.npmjs.com/pnpm and exporting all the CA certs (root and any intermediate CA certs) to text files and copy-pasting the contents of all the CA cert files into a single text file called combo.ca.cer. I used advice from https://stackoverflow.com/a/44726189 to create my custom CA cert file.
As part of the initial setup of a work computer, I got this same error. Even a clean run of yarn (yarn init -2 in an empty folder) would cause the error.
Turning off my VPN made yarn work as expected.
Googling the error lead me to this page which got me to suspect the VPN. https://github.com/nodejs/corepack/issues/67
I had the same problem and for me it was solved by running yarn set version stable.
As development team we try to upgrade the openssl libraries in our product. Unfortunately we are stuck with a problem when linking agains openssl 1.1.1. The error we phase is
verify_callback: [-10] Could not complete SSL handshake: Certificate error: General verification, self signed certificate [18]
As if we cannot use the self signed certificates anymore. In our code we access the google mail server using a TLS connection. This was working fine with the older version of openssl.
My question:
Is there a way to get around this error? Are there build options to get a library which is compatible with older Openssl libs?
Help is very much appreciated
Jasper de Keijzer
After studying the new API of OpenSSL I found out that you can define the maximum protocol to be used. In case of self-signed certificates I use now
SSL_set_max_proto_version(ssl, TLS1_2_VERSION);
This solves the handshake error which I got when using the default TLS setting. This happens to be TLS1.3.
I try to do ssl connection for my server in c.
i have take this code : https://wiki.openssl.org/index.php/Simple_TLS_Server and I have generated certificate with certbot:
sudo certbot certonly --standalone
I have copy cert.pem and privkey.pem present in /etc/letsencrypt/live/MY_DOMAIN/ on my program directory.
but when I try to connect with curl, I get this error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
and my server print :
1996193792:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1407:SSL alert number 48
thank you for your help !
That oversimple server does not handle a chain cert (or certs), also called intermediate, which every real CA this century requires, including LE. It is suitable only for test certs you generate yourself, or some limited environments like the intranet of a company that runs its own private CA.
Replace SSL_CTX_use_certificate_file on the cert.pem file with SSL_CTX_use_certificate_chain_file on the fullchain.pem file.
Also, SSLv23* methods have (finally!) been replaced by TLS* methods as of 1.1.0 in 2016, although the obsolete names remain as synonyms for now.
I have set up a SQL Server database server on my Ubuntu 16 machine. To make it secure over a host network I am working on adding an SSL encryption certificate on it.
I tried following the steps as mentioned on this link ssl-encryption-mssql
But after restarting the service of SQL Server, it breaks giving the below exit code status
code=exited, status=1/FAILURE
I even tried to check the logs using journalctl -u mssql-server.service -b but it is not helpful at all. For the referrence, I am adding the screenshot of journalctl command below:
My /var/opt/mssql/mssql.conf looks something like this after following the steps from official doc.
[sqlagent]
enabled = false
[EULA]
accepteula = Y
[network]
tlscert = /etc/ssl/certs/cert.pem
tlskey = /etc/ssl/private/privkey.pem
tlsprotocols = 1.2
forceencryption = 1
EDIT-1: I further checked out the logs from /var/log/syslog, it stated the following log-
Error: 49940, Severity: 16, State: 1.Unable to open one or more of the user-specified certificate file(s). Verify that the certificate file(s) exist with read permissions for the user and group running SQL Server and found this question which seems similar, I tried the approach as told by Charles but it doesn't seem to work. Even I am using the Let's Encrypt Certificates.
EDIT-2: It is not a licensed version, could this be the reason?
How to resolve this error?
I just faced the same problem even though I followed the same steps as mentioned in the microsoft documentation. The actual problem seems to be with the permissions on the folder paths where the certificate files are located.
You can verify whether mssql user is able to connect or not using the openssl commands.
This command will do a basic verification on whether the certificates are valid or not.
sudo su - mssql -c "openssl verify -verbose -CAfile /etc/ssl/certs/mssql_ca.pem /etc/ssl/certs/cert.pem"
If you wanted to see if the combination of certificates are actually working or not (with key), you can start a openssl server service and then connect to it with another openssl client connection.
sudo su - mssql -c "openssl s_server -accept 8443 -cert /etc/ssl/certs/cert.pem -key /etc/ssl/private/privkeyrsa.pem -CAfile /etc/ssl/certs/mssql_ca.pem"
openssl s_client -connect localhost:8443
Another small correction from the documentation (I am using CA provided certificate), had to convert the key file format (might not require for you).
openssl rsa -in /etc/ssl/private/key.pem -out /etc/ssl/private/privkeyrsa.pem
2010-04-20 15:33:39,421 WARNING appengine_rpc.py:399 ssl module not found.
Without the ssl module, the identity of the remote host cannot be verified, and
connections may NOT be secure. To fix this, please install the ssl module from
http://pypi.python.org/pypi/ssl .
To learn more, see http://code.google.com/appengine/kb/general.html#rpcssl .
how can i do ?
thanks
As the message describes, install the SSL module from that URL. Or, if you're not concerned about using a secure connection to authenticate and upload your app, just ignore the message.