10:01 a.m.
hi.
trying to do a simple curl for the college site
curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L
https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv
* About to connect() to isiscc.smc.edu port 443 (#0)
* Trying 207.151.69.31... connected
* Connected to isiscc.smc.edu (207.151.69.31) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
International Server CA - G3,OU=Terms of use at
https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
Network,O="VeriSign, Inc.",C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
I've gotten this on a number of different os/systems.
any thoughts??
ps. also tried using wget and still can't access it..
thanks
10:15 a.m.
Once upon a time, bruce <badouglas(a)gmail.com> said:
hi.
trying to do a simple curl for the college site
curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L
https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv
They have a VeriSign-signed SSL cert, but they probably didn't follow
the directions and install the intermediate cert correctly (it might
work in Firefox because it includes more CA certs). Only the server
admins for isiscc.smc.edu can fix that.
Until they get it fixed, you can bypass cert validation with the
"--insecure" option to curl or the "--no-check-certificate" option to
wget. It isn't recommended because it defeats the purpose of SSL.
--
Chris Adams <linux(a)cmadams.net>
11:22 a.m.
hmm...
not sure the "--insecure -k" option is the right/best approach for
this. although it does work..
As far as I can tell, it should be possible to download the "pem"/cert
from the site, via FF, and to then use this data in the curl..
However, I can't quite get this to work correctly. Might be user error.
Here's what I've done so far.
the base curl cmd is:
curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" --cookie-jar
wayne.lwp --cookie wayne.lwp -L
"https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791" -vvv
running on fedora/centos as test systems
1) inserted the base site
>https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 into
the
FF address bar.
2) selected the "lock" at the left of the address bar, to get the cert/data
3) did an export of the pem/cert data. -[not the chain]
4) as far as I can tell, from the debug "-vvv" output,
----* Initializing NSS with certpath: /etc/pki/nssdb
----* CAfile: /etc/pki/tls/certs/ca-bundle.crt
the ca-bundle is the file with the certs.
I then copied the data from the foo.pem that I got from the smc
site/pem and added the results to the end of the ca-bundle.crt file
I then reran the curl cmd, and got the same errors I got before..
So 1) Is the pem file I downloaded, the correct cert file for the
site, and 2) Is the ca-bundle.crt file the correct file to append the
data to/in. Or is there some different file that I should be doing the
insertion of the downloaded pem/cert data.
Once all of this works, I'll place this in stackoverflow for others!
thanks
On Fri, Nov 1, 2013 at 11:15 AM, Chris Adams <linux(a)cmadams.net> wrote:
Once upon a time, bruce <badouglas(a)gmail.com> said:
> hi.
>
> trying to do a simple curl for the college site
> curl -A "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11)
> Gecko/2009061118 Fedora/3.0.11-1.fc9 Firefox/3.0.11" -L
> https://isiscc.smc.edu/pls/apex/f?p=123:1:3916268190676791 -vvv
They have a VeriSign-signed SSL cert, but they probably didn't follow
the directions and install the intermediate cert correctly (it might
work in Firefox because it includes more CA certs). Only the server
admins for isiscc.smc.edu can fix that.
Until they get it fixed, you can bypass cert validation with the
"--insecure" option to curl or the "--no-check-certificate" option
to
wget. It isn't recommended because it defeats the purpose of SSL.
--
Chris Adams <linux(a)cmadams.net>
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
12:13 p.m.
bruce wrote:
As far as I can tell, it should be possible to download the
"pem"/cert
from the site, via FF, and to then use this data in the curl..
However, I can't quite get this to work correctly. Might be user error.
Here's what I've done so far.
[snip]
Actually what you want is the CA cert. Firefox has it.
In Firefox you can export the "VeriSign Class 3 International Server CA - G3"
cert and specify it at your command line:
curl [previous options] --cacert verisign.pem
1:02 p.m.
Hey Michael!!
Ok.
I tried to extract the pem as you suggested, placed it in a diff dir..
it works...
So I've got a couple of questions... How did you know which cert/pem
file to extract? Why didn't my attempt at getting the cert from the
"lock" of the url/address for the smc.edu site not work?
Also, any idea what I can do regarding the access/path errors I mentioned...
thanks
you 'da man!
On Fri, Nov 1, 2013 at 1:13 PM, Michael Cronenworth <mike(a)cchtml.com> wrote:
bruce wrote:
>
> As far as I can tell, it should be possible to download the "pem"/cert
> from the site, via FF, and to then use this data in the curl..
>
> However, I can't quite get this to work correctly. Might be user error.
>
> Here's what I've done so far.
[snip]
Actually what you want is the CA cert. Firefox has it.
In Firefox you can export the "VeriSign Class 3 International Server CA -
G3" cert and specify it at your command line:
curl [previous options] --cacert verisign.pem
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
3:12 p.m.
bruce wrote:
I tried to extract the pem as you suggested, placed it in a diff
dir..
it works...
So I've got a couple of questions... How did you know which cert/pem
file to extract? Why didn't my attempt at getting the cert from the
"lock" of the url/address for the smc.edu site not work?
I read the "Issued By" line:
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
International Server CA - G3,OU=Terms of use at
https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
Network,O="VeriSign, Inc.",C=US'
You downloaded the client certificate that is signed by the CA certificate. In
order for curl/NSS to validate the client certificate it needs the CA
certificate and not the client certificate.
Also, any idea what I can do regarding the access/path errors I mentioned...
In regards to your private mail, I do not know why you are seeing errors. You
may have damanged the cert databases in /etc/pki/nssdb, which are empty by
default, but are still used during CA checking.
You can verify the ca-bundle is unharmed by running "rpm -qV ca-certificates".
Nothing should print to your terminal if it verifies successfully.
3:30 p.m.
ooopps...
when I run rpm -qV ca-certificates
I get
rpm -qV ca-certificates
S.5....T. c /etc/pki/tls/certs/ca-bundle.crt
when I try to do yum erase ca-certificates.. yum offers to remove a
bunch of things!!
[root@dell-1 parseapp2]# rpm -e ca-certificates
error: Failed dependencies:
ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.x86_64
ca-certificates is needed by (installed) neon-0.29.3-1.fc13.x86_64
ca-certificates is needed by (installed)
java-1.6.0-openjdk-1:1.6.0.0-51.1.8.8.fc13.x86_64
ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.i686
ca-certificates is needed by (installed) libpurple-2.7.11-1.fc13.x86_64
ca-certificates >= 2008-5 is needed by (installed)
openssl-1.0.0d-1.fc13.x86_64
ca-certificates >= 2008-5 is needed by (installed)
openssl-1.0.0d-1.fc13.i686
thoughts??
thanks
On Fri, Nov 1, 2013 at 4:12 PM, Michael Cronenworth <mike(a)cchtml.com> wrote:
bruce wrote:
>
> I tried to extract the pem as you suggested, placed it in a diff dir..
> it works...
>
> So I've got a couple of questions... How did you know which cert/pem
> file to extract? Why didn't my attempt at getting the cert from the
> "lock" of the url/address for the smc.edu site not work?
I read the "Issued By" line:
* Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
International Server CA - G3,OU=Terms of use at
https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
Network,O="VeriSign, Inc.",C=US'
You downloaded the client certificate that is signed by the CA certificate.
In order for curl/NSS to validate the client certificate it needs the CA
certificate and not the client certificate.
>
> Also, any idea what I can do regarding the access/path errors I
> mentioned...
In regards to your private mail, I do not know why you are seeing errors.
You may have damanged the cert databases in /etc/pki/nssdb, which are empty
by default, but are still used during CA checking.
You can verify the ca-bundle is unharmed by running "rpm -qV
ca-certificates". Nothing should print to your terminal if it verifies
successfully.
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
3:33 p.m.
why in the world would anybody want to remove it?
this has clearly dependency impact
"yum reinstall ca-certificates" is your friend
Am 01.11.2013 21:30, schrieb bruce:
ooopps...
when I run rpm -qV ca-certificates
I get
rpm -qV ca-certificates
S.5....T. c /etc/pki/tls/certs/ca-bundle.crt
when I try to do yum erase ca-certificates.. yum offers to remove a
bunch of things!!
[root@dell-1 parseapp2]# rpm -e ca-certificates
error: Failed dependencies:
ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.x86_64
ca-certificates is needed by (installed) neon-0.29.3-1.fc13.x86_64
ca-certificates is needed by (installed)
java-1.6.0-openjdk-1:1.6.0.0-51.1.8.8.fc13.x86_64
ca-certificates is needed by (installed) qt-1:4.6.3-10.fc13.i686
ca-certificates is needed by (installed) libpurple-2.7.11-1.fc13.x86_64
ca-certificates >= 2008-5 is needed by (installed)
openssl-1.0.0d-1.fc13.x86_64
ca-certificates >= 2008-5 is needed by (installed)
openssl-1.0.0d-1.fc13.i686
thoughts??
thanks
On Fri, Nov 1, 2013 at 4:12 PM, Michael Cronenworth <mike(a)cchtml.com> wrote:
> bruce wrote:
>>
>> I tried to extract the pem as you suggested, placed it in a diff dir..
>> it works...
>>
>> So I've got a couple of questions... How did you know which cert/pem
>> file to extract? Why didn't my attempt at getting the cert from the
>> "lock" of the url/address for the smc.edu site not work?
>
>
> I read the "Issued By" line:
>
> * Peer's certificate issuer is not recognized: 'CN=VeriSign Class 3
> International Server CA - G3,OU=Terms of use at
> https://www.verisign.com/rpa (c)10,OU=VeriSign Trust
> Network,O="VeriSign, Inc.",C=US'
>
> You downloaded the client certificate that is signed by the CA certificate.
> In order for curl/NSS to validate the client certificate it needs the CA
> certificate and not the client certificate.
>
>
>>
>> Also, any idea what I can do regarding the access/path errors I
>> mentioned...
>
>
> In regards to your private mail, I do not know why you are seeing errors.
> You may have damanged the cert databases in /etc/pki/nssdb, which are empty
> by default, but are still used during CA checking.
>
> You can verify the ca-bundle is unharmed by running "rpm -qV
> ca-certificates". Nothing should print to your terminal if it verifies
> successfully.
3827
days inactive
3827
days old
8 comments
4 participants
participants (4)
-
bruce -
Chris Adams -
Michael Cronenworth -
Reindl Harald