hi.
trying to do a simple curl for the college site:
curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv

* About to connect() to isiscc.smc.edu port 443 (#0)
*   Trying 207.151.69.31... connected
* Connected to isiscc.smc.edu (207.151.69.31) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
I've gotten this on a number of different os/systems.
any thoughts??
ps. also tried using wget and still can't access it..
thanks
Once upon a time, bruce badouglas@gmail.com said:
hi.
trying to do a simple curl for the college site curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv
They have a VeriSign-signed SSL cert, but they probably didn't follow the directions and install the intermediate cert correctly (it might work in Firefox because it includes more CA certs). Only the server admins for isiscc.smc.edu can fix that.
Until they get it fixed, you can bypass cert validation with the "--insecure" option to curl or the "--no-check-certificate" option to wget. It isn't recommended because it defeats the purpose of SSL.
hmm...
not sure the "--insecure -k" option is the right/best approach for this. although it does work..
As far as I can tell, it should be possible to download the "pem"/cert from the site, via FF, and to then use this data in the curl..
However, I can't quite get this to work correctly. Might be user error.
Here's what I've done so far.
the base curl cmd is: curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" --cookie-jar wayne.lwp --cookie wayne.lwp -L "https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791" -vvv
running on fedora/centos as test systems
1) inserted the base site https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 into the FF address bar.
2) selected the "lock" at the left of the address bar, to get the cert/data
3) did an export of the pem/cert data. [not the chain]
4) as far as I can tell, from the debug "-vvv" output,
   * Initializing NSS with certpath: /etc/pki/nssdb
   * CAfile: /etc/pki/tls/certs/ca-bundle.crt
   the ca-bundle is the file with the certs.
I then copied the data from the foo.pem that I got from the smc site/pem and added the results to the end of the ca-bundle.crt file
I then reran the curl cmd, and got the same errors I got before..
So 1) Is the pem file I downloaded, the correct cert file for the site, and 2) Is the ca-bundle.crt file the correct file to append the data to/in. Or is there some different file that I should be doing the insertion of the downloaded pem/cert data.
Once all of this works, I'll place this in stackoverflow for others!
thanks
On Fri, Nov 1, 2013 at 11:15 AM, Chris Adams linux@cmadams.net wrote:
Once upon a time, bruce badouglas@gmail.com said:
hi.
trying to do a simple curl for the college site curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv
They have a VeriSign-signed SSL cert, but they probably didn't follow the directions and install the intermediate cert correctly (it might work in Firefox because it includes more CA certs). Only the server admins for isiscc.smc.edu can fix that.
Until they get it fixed, you can bypass cert validation with the "--insecure" option to curl or the "--no-check-certificate" option to wget. It isn't recommended because it defeats the purpose of SSL.
-- Chris Adams linux@cmadams.net -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
bruce wrote:
As far as I can tell, it should be possible to download the "pem"/cert from the site, via FF, and to then use this data in the curl..
However, I can't quite get this to work correctly. Might be user error.
Here's what I've done so far.
[snip]
Actually what you want is the CA cert. Firefox has it.
In Firefox you can export the "VeriSign Class 3 International Server CA - G3" cert and specify it at your command line:
curl [previous options] --cacert verisign.pem
Hey Michael!!
Ok.
I tried to extract the pem as you suggested, placed it in a diff dir.. it works...
So I've got a couple of questions... How did you know which cert/pem file to extract? Why didn't my attempt at getting the cert from the "lock" of the url/address for the smc.edu site not work?
Also, any idea what I can do regarding the access/path errors I mentioned...
thanks
you 'da man!
On Fri, Nov 1, 2013 at 1:13 PM, Michael Cronenworth mike@cchtml.com wrote:
bruce wrote:
As far as I can tell, it should be possible to download the "pem"/cert from the site, via FF, and to then use this data in the curl..
However, I can't quite get this to work correctly. Might be user error.
Here's what I've done so far.
[snip]
Actually what you want is the CA cert. Firefox has it.
In Firefox you can export the "VeriSign Class 3 International Server CA - G3" cert and specify it at your command line:
curl [previous options] --cacert verisign.pem
bruce wrote:
I tried to extract the pem as you suggested, placed it in a diff dir.. it works...
So I've got a couple of questions... How did you know which cert/pem file to extract? Why didn't my attempt at getting the cert from the "lock" of the url/address for the smc.edu site not work?
I read the "Issued By" line:
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US'
You downloaded the client certificate that is signed by the CA certificate. In order for curl/NSS to validate the client certificate it needs the CA certificate and not the client certificate.
Also, any idea what I can do regarding the access/path errors I mentioned...
In regards to your private mail, I do not know why you are seeing errors. You may have damaged the cert databases in /etc/pki/nssdb, which are empty by default, but are still used during CA checking.
You can verify the ca-bundle is unharmed by running "rpm -qV ca-certificates". Nothing should print to your terminal if it verifies successfully.
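The two diagnoses in this thread (Chris: the server probably does not send its intermediate cert; Michael: the "lock" export is the leaf, and curl needs the issuing CA cert) can be reproduced offline. The script below is an added example, not code from the thread or from curl/Fedora: it builds a throwaway root -> intermediate -> leaf chain with openssl, then verifies the leaf the way a client would in each situation. Every name, path and hostname in it is made up for the demo; the only assumption is that an openssl binary with -partial_chain (OpenSSL 1.0.2 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway root -> intermediate -> leaf
# chain, then the leaf is verified under the three situations discussed above.
# All names, paths and the hostname are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: one CSR section plus an extension set per tier.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_root
prompt = no
[dn]
CN = Demo Root CA
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# Root CA (self-signed): the kind of cert that ships in ca-bundle.crt.
q openssl req -x509 -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=Demo Root CA" -days 30 -keyout root.key -out root.pem
# Intermediate CA, signed by the root: the "VeriSign Class 3 ... G3" tier.
q openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr
q openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions v3_int -out int.pem
# Server (leaf) cert, signed by the intermediate: what the "lock" icon exports.
q openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
q openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions v3_leaf -out leaf.pem

# is_ca_cert FILE: succeeds if the PEM carries basicConstraints CA:TRUE.
# This is how to tell a "lock icon" export (end-entity) from the issuer
# cert that --cacert actually needs.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Case 1: client trusts only roots (ca-bundle.crt), server sends just the
# leaf and no intermediate -> "unable to get local issuer certificate",
# the openssl counterpart of the NSS -8179 failure in the thread.
server_omits_intermediate() {
    q openssl verify -CAfile root.pem leaf.pem
}

# Case 2: the server is fixed and sends the intermediate with the leaf
# (modelled with -untrusted: presented, not trusted) -> chain reaches the root.
server_sends_chain() {
    q openssl verify -CAfile root.pem -untrusted int.pem leaf.pem
}

# Case 3: the --cacert workaround, the intermediate itself as trust anchor.
# NSS accepts a trusted intermediate as an anchor; OpenSSL needs -partial_chain.
trust_intermediate_directly() {
    q openssl verify -partial_chain -CAfile int.pem leaf.pem
}

# Stand-alone run: report each case and classify the two exported files.
for c in server_omits_intermediate server_sends_chain trust_intermediate_directly; do
    if $c; then echo "$c: leaf verifies"; else echo "$c: leaf REJECTED"; fi
done
for f in leaf.pem int.pem; do
    if is_ca_cert "$f"; then echo "$f: CA cert (what --cacert wants)"
    else echo "$f: end-entity cert (what the lock icon gives you)"; fi
done
```

Case 1 is the broken state the thread starts from, case 2 is the server-side fix only the site admins can apply, and case 3 is Michael's client-side workaround; the is_ca_cert check is the quick way to confirm that an exported PEM is an issuer cert before pointing --cacert at it.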
ooopps...
when I run rpm -qV ca-certificates
I get
rpm -qV ca-certificates S.5....T. c /etc/pki/tls/certs/ca-bundle.crt
when I try to do yum erase ca-certificates.. yum offers to remove a bunch of things!!
[root@dell-1 parseapp2]# rpm -e ca-certificates
error: Failed dependencies:
	ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.x86_64
	ca-certificates is needed by (installed) neon-0.29.3-1.fc13.x86_64
	ca-certificates is needed by (installed) java-1.6.0-openjdk-1:1.6.0.0-51.1.8.8.fc13.x86_64
	ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.i686
	ca-certificates is needed by (installed) libpurple-2.7.11-1.fc13.x86_64
	ca-certificates >= 2008-5 is needed by (installed) openssl-1.0.0d-1.fc13.x86_64
	ca-certificates >= 2008-5 is needed by (installed) openssl-1.0.0d-1.fc13.i686
thoughts??
thanks
On Fri, Nov 1, 2013 at 4:12 PM, Michael Cronenworth mike@cchtml.com wrote:
bruce wrote:
I tried to extract the pem as you suggested, placed it in a diff dir.. it works...
So I've got a couple of questions... How did you know which cert/pem file to extract? Why didn't my attempt at getting the cert from the "lock" of the url/address for the smc.edu site not work?
I read the "Issued By" line:
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US'
You downloaded the client certificate that is signed by the CA certificate. In order for curl/NSS to validate the client certificate it needs the CA certificate and not the client certificate.
Also, any idea what I can do regarding the access/path errors I mentioned...
In regards to your private mail, I do not know why you are seeing errors. You may have damaged the cert databases in /etc/pki/nssdb, which are empty by default, but are still used during CA checking.
You can verify the ca-bundle is unharmed by running "rpm -qV ca-certificates". Nothing should print to your terminal if it verifies successfully.
why in the world would anybody want to remove it? this has clearly dependency impact
"yum reinstall ca-certificates" is your friend
Am 01.11.2013 21:30, schrieb bruce:
ooopps...
when I run rpm -qV ca-certificates
I get
rpm -qV ca-certificates S.5....T. c /etc/pki/tls/certs/ca-bundle.crt
when I try to do yum erase ca-certificates.. yum offers to remove a bunch of things!!
[root@dell-1 parseapp2]# rpm -e ca-certificates
error: Failed dependencies:
	ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.x86_64
	ca-certificates is needed by (installed) neon-0.29.3-1.fc13.x86_64
	ca-certificates is needed by (installed) java-1.6.0-openjdk-1:1.6.0.0-51.1.8.8.fc13.x86_64
	ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.i686
	ca-certificates is needed by (installed) libpurple-2.7.11-1.fc13.x86_64
	ca-certificates >= 2008-5 is needed by (installed) openssl-1.0.0d-1.fc13.x86_64
	ca-certificates >= 2008-5 is needed by (installed) openssl-1.0.0d-1.fc13.i686
thoughts??
thanks
On Fri, Nov 1, 2013 at 4:12 PM, Michael Cronenworth mike@cchtml.com wrote:
bruce wrote:
I tried to extract the pem as you suggested, placed it in a diff dir.. it works...
So I've got a couple of questions... How did you know which cert/pem file to extract? Why didn't my attempt at getting the cert from the "lock" of the url/address for the smc.edu site not work?
I read the "Issued By" line:
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US'
You downloaded the client certificate that is signed by the CA certificate. In order for curl/NSS to validate the client certificate it needs the CA certificate and not the client certificate.
Also, any idea what I can do regarding the access/path errors I mentioned...
In regards to your private mail, I do not know why you are seeing errors. You may have damaged the cert databases in /etc/pki/nssdb, which are empty by default, but are still used during CA checking.
You can verify the ca-bundle is unharmed by running "rpm -qV ca-certificates". Nothing should print to your terminal if it verifies successfully.