
Cert Info


If the customer says all the certs shown are the correct ones, the error message may simply be accurate. Based on the page cited in the error message, http://curl.haxx.se/docs/sslcerts.html, the CA store curl is using may be out of sync with the system store (i.e. if curl was built with Schannel or Secure Transport support, curl uses the system native CA store for verification; all other TLS libraries use a file-based CA store by default).

Copying the certificates into /etc/pki/ca-trust/source/anchors/ and then running “update-ca-trust” may resolve the issue.

We don’t have access to prod, so I did a comparison in the lab: the certs in /etc/pki/ca-trust/source/anchors/ seem to be updated there and it doesn’t get the error.

Some things I researched or that could still be checked on prod (not sure whether this was done already), following the error message:

  • The error seems to say curl has accessed the NSS database, which is used to store system-level defaults for root certificates. It then gets NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE).
    • I did notice the RH docs say, for Importing an Intermediate Certificate Chain: “Ensure that your web service is offline (stopped, disabled, etc.) while performing these steps and ensure no concurrent access to the NSS DB by other processes (such as a browser). Doing so may corrupt the NSS DB or result in improper usage of these certificates.”
  • From /etc/pki/tls/certs -> openssl crl2pkcs7 -nocrl -certfile ca-bundle.crt | openssl pkcs7 -print_certs -text -noout
    • Should print the full chain
    • ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  • Verification based on http://curl.haxx.se/docs/sslcerts.html
    • Use a custom CA store in the curl command to force it off the native nssdb
      • Something such as: curl --cacert [file] "https://vnnycacadm01v.wnsnet.attws.com:5003/events/?since=300%20seconds%20ago" -vv
      • --cacert [file] -> the location of our store, /opt/baes/certs
      • Details on this option from the man page:
        • --cacert <CA certificate>
          • (SSL) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to use a default file for this, so this option is typically used to alter that default file.
          • curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.
          • The Windows version of curl will automatically look for a CA certs file named 'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH.
          • If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.
          • If this option is used several times, the last one will be used.
      • Or: curl --capath /opt/baes/certs "https://primary-vadmin.eng.mobilephone.net:5003/events/?since=300%20seconds%20ago" -vv
        • --capath <CA certificate directory>
          • (SSL) Tells curl to use the specified certificate directory to verify the peer.
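As an added example (not part of the original notes): a stdlib-only Python script that walks a PEM bundle such as ca-bundle.crt or a --cacert file and reports which certificates are already past notAfter, which is the first thing to confirm when NSS reports -8181. The minimal DER walker and the two-certificate sample bundle are constructed for this demonstration; point `cert_expiries`/`expired_certs` at a real bundle's bytes to use it.

```python
import base64
import re
from datetime import datetime, timezone

# Added example (not from the page): report which certificate in a PEM CA bundle (e.g. ca-bundle.crt
# or a --cacert file) is past notAfter, the condition behind NSS error -8181. Stdlib-only DER walker.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n, ln = ln & 0x7F, 0
        for b in buf[pos:pos + n]:
            ln = (ln << 8) | b
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def not_after(der):
    """notAfter of a DER-encoded X.509 certificate as a UTC datetime."""
    tbs = der_tlv(der_tlv(der)[1])[1]               # Certificate -> tbsCertificate
    tag, _, pos = der_tlv(tbs)
    if tag == 0xA0:                                 # optional [0] version, then serial
        _, _, pos = der_tlv(tbs, pos)
    _, _, pos = der_tlv(tbs, pos)                   # signature AlgorithmIdentifier
    _, _, pos = der_tlv(tbs, pos)                   # issuer Name
    validity = der_tlv(tbs, pos)[1]
    tag, t, _ = der_tlv(validity, der_tlv(validity)[2])   # skip notBefore
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(t.decode(), fmt).replace(tzinfo=timezone.utc)

def cert_expiries(pem_bundle):                      # notAfter per certificate, in file order
    return [not_after(base64.b64decode(b)) for b in PEM_RE.findall(pem_bundle)]

def expired_certs(pem_bundle, now=None):            # [(index, notAfter)] already expired at `now`
    now = now or datetime.now(timezone.utc)
    return [(i, e) for i, e in enumerate(cert_expiries(pem_bundle)) if e < now]

# Constructed sample input: two unsigned certificate skeletons (all DER lengths < 128 bytes).
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _fake_cert(not_after_utctime):
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, not_after_utctime))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = _fake_cert(b"210101000000Z") + _fake_cert(b"491231235959Z")  # expired 2021, valid to 2049
```

Running `expired_certs(SAMPLE_BUNDLE)` flags only the first skeleton; the same call on a production bundle pinpoints the entry to replace before re-running update-ca-trust.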


REFERENCE:

* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)

* Peer's Certificate has expired.
* Closing connection 0
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
