Combine Comodo SSL certificate - django

I have a Django website running Nginx on DigitalOcean. Now I have a certificate from Comodo. I have 4 files.
AAACertificateServices.crt
SectigoRSADomainValidationSecureServerCA.crt
USERTrustRSAAAACA.crt
mydomain.crt
How do I combine these files and what do I need to do next?
Because I get the error message: [emerg] 113128#113128: SSL_CTX_use_PrivateKey("/var/www/ssl/mydomain.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
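The nginx error quoted in the question does not come from the missing chain: `SSL_CTX_use_PrivateKey ... key values mismatch` means the private key in `ssl_certificate_key` does not belong to the certificate in `ssl_certificate`, so the chain has to be built around the key that actually signed the CSR. The following added example (not from the question or any answer on this page) uses only the openssl CLI to compare the public key inside a certificate with the one derived from a private key, and to assemble the chain file nginx expects, leaf first, then each intermediate, then the root. The file names are the ones listed in the question; the output path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the question): pair-check a private key against a
# certificate and build the chain file nginx expects. Uses only the openssl
# CLI; certificate file names follow the question, output paths are placeholders.
set -e

# SHA-256 of the DER-encoded public key carried inside a PEM certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a PEM private key.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key <cert.pem> <key.pem>
# Returns 0 when the key belongs to the certificate. nginx's
# "key values mismatch" is exactly this comparison failing at startup.
cert_matches_key() {
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# build_chain <out.crt> <leaf.crt> <intermediate.crt>... [<root.crt>]
# Concatenates the certificates in the order given (leaf first, then each
# intermediate, then the root) and prints how many certificates were written.
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    # A file without a trailing newline would glue two PEM blocks together.
    if [ -n "$(tail -c1 "$f")" ]; then printf '\n' >> "$out"; fi
  done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Typical use with the files from the question (paths are placeholders):
#   cert_matches_key mydomain.crt /var/www/ssl/mydomain.key || echo "mydomain.key is not the key for mydomain.crt"
#   build_chain /var/www/ssl/mydomain.chained.crt mydomain.crt \
#     SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAAACA.crt AAACertificateServices.crt
```

Point `ssl_certificate` at the chained file and `ssl_certificate_key` at the key that passes `cert_matches_key`; if no key on the server passes, the CSR was generated with a different key and the certificate has to be reissued for the key you hold.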

Related

SSL certificate verification failed when trying to build GraalVM compiler with mx

I'm trying to build the GraalVM compiler using the mx build tool. I have Python 3.10.4 and Java 17.0.2 in my PATH. However, when I run mx I get the following message:
Downloading COMMONS_MATH3_3_2 from ['https://repo1.maven.org/maven2/org/apache/commons/commons-math3/3.2/commons-math3-3.2.jar', 'https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-math3/3.2/commons-math3-3.2.jar']
Error downloading from https://repo1.maven.org/maven2/jline/jline/2.14.6/jline-2.14.6.jar to /Users/cesarsv/.mx/cache/JLINE_c3aeac59c022bdc497c8c48ed86fa50450e4896a/jline.jar: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
WARNING: ** If behind a firewall without direct internet access, use the http_proxy environment variable (e.g. "env http_proxy=proxy.company.com:80 mx ...") or download manually with a web browser.
Error downloading from https://repo1.maven.org/maven2/org/scala-lang/scala-reflect/2.12.2/scala-reflect-2.12.2.jar to /Users/cesarsv/.mx/cache/SCALA_REFLECT_12_fa13c13351566738ff156ef8a56b869868f4b77e/scala-reflect-12.jar: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)>
...
The error seems to be related to SSL certificate validation when downloading the dependencies necessary for the GraalVM build with mx. There is no clear solution for this issue in the GitHub repo of the tools used.
It seems that mx uses Python to fetch the artifacts that it needs for the build from external repositories. Python 3.7 and above don't have any SSL certificates activated by default. Therefore, the scripts used by mx can't validate any SSL connections.
So I activated SSL in Python manually by creating and running the file install_certificates.command, and that solved my problem.

Browser error during django + SSL connection with local server

I have a problem adding a Facebook login button to my website at localhost.
I've already added mysite.com to the hosts file and installed django-extensions, werkzeug, pyOpenSSL. By running the command python manage.py runserver_plus --cert-file cert.crt, my own self-made certificate was created. I imported this certificate into Chrome's trusted certificates, but a secure connection isn't established. When I go to https://example.com:8000/account/login/ I hit the error NET::ERR_CERT_COMMON_NAME_INVALID,
Failed to confirm that this is the server example.com. Its safety certificate refers to *. The server may be configured incorrectly or someone is trying to intercept your data.
Please help me to solve this.

openconnect, ssl connection failure

I have ocserv set up on a VM, but when trying to connect through the OpenConnect app I get these errors.
Any solution would be helpful; I tried various ocserv config file modifications but none were successful.
Logs:
Disconnected
STAT: attempt=0; first=NEVER; prev=NEVER
STAT: connect=0; first=NEVER; prev=NEVER
STAT: cancel=0; first=NEVER; prev=NEVER
LIB: POST https://<IP/hostname>/
LIB: Attempting to connect to server <IP/hostname>
LIB: Connected to <IP :443/hostname>
LIB: SSL negotiation with <IP/hostname>
LIB: Server certificate verify failed: certificate does not match hostname CALLBACK: onValidatePeerCert
LIB: SSL connection failure: The operation timed out
LIB: Failed to open HTTPS connection to <IP/hostname>
Error obtaining cookie
VPN terminated with errors
Update: after a few changes, this is the current error I'm getting.
Setup description: the VM has Debian 9 installed, with ocserv and the certificates installed. I am trying to connect using the OpenConnect Android app; the device has mobile data enabled with low speed.
Log:
Disconnected
STAT: attempt=0; first=NEVER; prev=NEVER
STAT: connect=0; first=NEVER; prev=NEVER
STAT: cancel=0; first=NEVER; prev=NEVER
LIB: POST https://<IP/hostname>/
LIB: Attempting to connect to server <IP/hostname>
LIB: Connected to <IP :443/hostname>
LIB: SSL negotiation with <IP/hostname>
LIB: SSL connection failure: The operation timed out
LIB: Failed to open HTTPS connection to <IP/hostname>
Error obtaining cookie
VPN terminated with errors
Is there any SSL issue? Or do I need to give a 3rd-party SSL certificate to ocserv, and if so, how do I install a 3rd-party SSL certificate in ocserv?
Thanks in advance
The error message states that the server's certificate did not match its hostname. As your client checks this, you need to use a certificate that matches the hostname that you use to access the server.
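The Django question above (NET::ERR_CERT_COMMON_NAME_INVALID, "its safety certificate refers to *") and the first OpenConnect log ("certificate does not match hostname") are the same check failing on two clients: the name the client connected to is matched against the names the certificate carries in its subjectAltName, and modern browsers no longer fall back to the CN. The added example below (not from either question or answer) shows how to generate a development certificate whose SAN carries the hostname the client will actually use, and how to reproduce the client's name check with `openssl verify`. The hostname and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the questions): issue a self-signed development
# certificate that names the host in its subjectAltName, then reproduce the
# client-side hostname check with the openssl CLI. Hostnames and paths are
# placeholders chosen by the caller. Needs OpenSSL 1.1.1 or newer (-addext).
set -e

# make_dev_cert <hostname> <key.pem> <cert.pem>
# The SAN, not the CN, is what browsers and VPN clients match against, so the
# host name goes into both. Valid for one year; no passphrase (-nodes).
make_dev_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2" -out "$3" >/dev/null 2>&1
}

# cert_names_host <cert.pem> <hostname>
# Returns 0 when the certificate (trusted as its own root here, as a browser
# does after you import it) is valid for <hostname>. A nonzero status is the
# CLI equivalent of NET::ERR_CERT_COMMON_NAME_INVALID or OpenConnect's
# "certificate does not match hostname".
cert_names_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# san_of <cert.pem>
# Prints the DNS names in the SAN, one per line, so an operator can see which
# names a certificate really carries before pointing a client at it.
san_of() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# Typical use (placeholders): the hostname must be the one typed into the
# browser or VPN client, including the entry you added to the hosts file.
#   make_dev_cert mysite.com dev.key dev.crt
#   cert_names_host dev.crt mysite.com && san_of dev.crt
```

For django-extensions, pass the pair with `runserver_plus --cert-file dev.crt --key-file dev.key` instead of letting it mint its own `*` certificate, and browse to the same name you put in the SAN (a certificate for mysite.com will not satisfy a request for example.com). For ocserv, the same check applies to the certificate configured as `server-cert`/`server-key`: it must name the hostname or IP the app connects to, which is what the answer above is pointing at.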

This site can't provide a secure connection ERR_SSL_PROTOCOL_ERROR

I have a Google App Engine project running on localhost. Everything works fine until I go to the 'login' page. When I go there I get the following error:
This site can’t provide a secure connection 127.0.0.1 sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
The App Engine command I use to run the project is dev_appserver.py --host 127.0.0.1. This is run from PyCharm. This only occurs on the 'login' endpoint and no other endpoint.
The console error I get is:
default: "GET /signin HTTP/1.1" 301 -
To connect over HTTPS you need a valid SSL certificate on your server, which here is your local server, as I understand from the message. You can get a certificate for your local server, but I don't think it's worth the trouble while working locally. On the other hand, when you deploy to Google App Engine you get an SSL certificate automatically, managed by Google; that's why your code works without any problem in the deployment.

Ejabberd with letsencrypt certificate

I'm trying to get Ejabberd to work with letsencrypt certificates on CentOS 7.
I keep getting errors about the certificates not being signed by a known CA.
I have created the certificates with certbot, and I joined the privkey and fullchain files into a single file.
All c2s connections work fine, but s2s connections don't.
When starting Ejabberd I see the following relevant log entries:
[warning] <0.606.0>#ejabberd_pkix:check_ca_dir:386 CA directory /etc/ssl/certs doesn't contain hashed certificate files; configuring 'ca_path' option might help
[warning] <0.606.0>#ejabberd_pkix:mk_cert_state:240 certificate from /opt/ejabberd/conf/xxxx.pem is invalid: certificate is signed by unknown CA
Connections to, for example, draugr.de generate the following entries:
[info] <0.793.0>#ejabberd_s2s_in:handle_auth_failure:206 (tls|<0.792.0>) Failed inbound s2s EXTERNAL authentication draugr.de -> XXXXX.net (::FFFF:89.163.212.45): unable to get local issuer certificate
I hope someone can help me out, thanks!
[EDIT May 2020]
It looks like ejabberd now has automatic ACME support (meaning it can request the certificate on its own from letsencrypt). So what you read below is obsolete.
As of November 2018,
merely installing letsencrypt using certbot is enough (click here to see how). Ejabberd uses the provided certificates.
Note that you may need to register multiple subdomains for some strict Jabber clients to work properly:
conference.yourjabberdomain.com
pubsub.yourjabberdomain.com
upload.yourjabberdomain.com
yourjabberdomain.com
or install a wildcard certificate from letsencrypt
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.yourjabberdomain.com
I think there is a rule in the ejabberd config file ejabberd.yml that allows this to happen:
certfiles:
- "/etc/letsencrypt/live/*/*.pem"
I was able to solve it myself finally, but I am out of office the next few days and can't get you the exact configuration to solve it.
But if I recall correctly, I downloaded the CA bundle here https://curl.haxx.se/docs/caextract.html and there was some configuration parameter for ejabberd to use this CA bundle instead of the default one.
Hope it helps you.
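The two warnings in the question ("CA directory /etc/ssl/certs doesn't contain hashed certificate files" and "certificate is signed by unknown CA"), the s2s failure "unable to get local issuer certificate", and the identical Python error in the GraalVM/mx question higher up all describe one thing: the verifier could not find the issuer of a certificate in the trust material it was given. The added example below (not from the question or any answer) rebuilds that lookup with a throwaway CA so the two configuration routes the answers mention, a bundle file like the curl CA extract and a hashed CA directory, can be tested from the shell before touching ejabberd. Every path is a placeholder created by the caller.

```shell
#!/bin/sh
# Added example (not from the question or any answer): reproduce, with a
# throwaway CA, the two issuer lookups behind "certificate is signed by unknown
# CA" / "unable to get local issuer certificate": a CA bundle file and a hashed
# CA directory (the 'ca_path' the ejabberd warning refers to). All paths are
# placeholders created by the caller.
set -e

# make_ca <dir>: writes a self-signed root (ca.key, ca.crt) into <dir>.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_leaf <dir> <hostname>: writes a server certificate signed by
# <dir>/ca.crt (leaf.key, leaf.csr, leaf.crt), the role fullchain.pem's
# first certificate plays for ejabberd.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/leaf.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/leaf.crt" >/dev/null 2>&1
}

# verify_with_bundle <cafile> <cert>: issuer lookup through a single bundle
# file (a downloaded CA extract or a fullchain.pem). Returns 0 only when the
# chain closes at a certificate in that file; the system directory is ignored
# so the result reflects the bundle alone.
verify_with_bundle() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_with_dir <cadir> <cert>: issuer lookup through a directory. OpenSSL
# finds an issuer by a <subject-hash>.0 symlink, so a directory holding only
# plain .crt files is "empty" to it until it is rehashed; that is the
# condition ejabberd's first warning describes.
verify_with_dir() {
  openssl rehash "$1" >/dev/null 2>&1
  openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Typical use against real files (placeholders):
#   verify_with_bundle /path/to/cacert.pem /etc/letsencrypt/live/example/fullchain.pem
#   verify_with_dir /etc/ssl/certs /etc/letsencrypt/live/example/fullchain.pem
```

If the bundle route succeeds and the directory route fails, the directory simply lacks hashed entries and `openssl rehash` (or `c_rehash`) on it is the fix; if both fail for a Let's Encrypt chain, the bundle in use predates the CA that signed the intermediate and needs updating.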
If it is working for c2s and not working for s2s, then it looks like the s2s block in the configuration file is not updated with certfile. I believe you have something like this for c2s:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
Similarly, your s2s block should have:
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    starttls: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    max_stanza_size: 131072
    shaper: s2s_shaper