Tag Archives: ssl

error: *1035 connect() failed (111: Connection refused) while connecting to upstream, client…..

error: *1035 connect() failed (111: Connection refused) while connecting to upstream, client: …217, server: .com, request: “POST /api/userLogin HTTP/1.1”, upstream: “http://.1:8443/userLogin”, host: “*.com”

1. Cause

The project is deployed on a Tencent Cloud server. HTTP was upgraded to HTTPS using a Tencent SSL certificate and a domain name from Alibaba Cloud. While configuring nginx.conf, requests sent from the front end to the back end failed with the error shown above.
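As an added example (not code from the original post), a small Python parser for nginx error_log lines of the shape shown above, run over constructed sample lines; 127.0.0.1:8443 stands in for the redacted upstream address. Grouping by upstream and errno shows at a glance which proxied address is refusing connections (111) versus timing out (110).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed nginx error_log lines (not real traffic); 127.0.0.1:8443 stands in
# for the redacted upstream in the message above.
SAMPLE_LOG = """\
2023/05/01 10:00:01 [error] 1234#1234: *1035 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.217, server: example.com, request: "POST /api/userLogin HTTP/1.1", upstream: "http://127.0.0.1:8443/userLogin", host: "www.example.com"
2023/05/01 10:00:02 [error] 1234#1234: *1036 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.218, server: example.com, request: "GET /api/profile HTTP/1.1", upstream: "http://127.0.0.1:8443/profile", host: "www.example.com"
2023/05/01 10:00:03 [error] 1234#1234: *1037 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.219, server: example.com, request: "GET /api/slow HTTP/1.1", upstream: "http://127.0.0.1:9000/slow", host: "www.example.com"
2023/05/01 10:00:04 [notice] 1234#1234: signal process started
"""

# One regex for the '<msg> (<errno>: <strerror>) while <phase>, client: ...,
# server: ..., request: "...", upstream: "...", host: "..."' line shape.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): '
    r'\*(?P<conn>\d+) (?P<msg>.+?) \((?P<errno>\d+): (?P<strerror>[^)]+)\) '
    r'while (?P<phase>.+?), client: (?P<client>[^,]+), server: (?P<server>[^,]*), '
    r'request: "(?P<request>[^"]*)", upstream: "(?P<upstream>[^"]*)", '
    r'host: "(?P<host>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one upstream error line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"])
    rec["errno"] = int(rec["errno"])
    return rec


def upstream_failures(log_text):
    """Count errors per (upstream host:port, errno).

    errno 111 (ECONNREFUSED) means the connect() to the proxied address was
    refused, i.e. nothing was listening there at that moment; 110 (ETIMEDOUT)
    means the backend accepted the connection but did not answer in time.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(urlsplit(rec["upstream"]).netloc, rec["errno"])] += 1
    return dict(counts)
```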

The nginx.conf configuration is as follows:

server {
    # SSL: the default access port number is 443
    listen 443 ssl;
    server_name domain;
    default_type text/html;
    ssl_certificate certificate file path (.crt/.pem);
    ssl_certificate_key private key file path (.key);
    ssl_session_timeout 5m;
    # Please configure the protocols as follows
    ssl_protocols TLSv1.2 TLSv1.3;
    # Please configure the cipher suites as follows, written in the OpenSSL cipher-string format
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root /usr/share/nginx/html/dist/;
        try_files $uri $uri/ /index.html;
        index index.html;
    }

    location /api/ {
        default_type application/json;
        proxy_pass http://localhost:8443/;
    }
}

2. Solutions

Add one directive to the /api/ location block in nginx.conf: proxy_set_header Host $http_host;

server {
    # SSL: the default access port number is 443
    listen 443 ssl;
    server_name domain;
    default_type text/html;
    ssl_certificate certificate file path (.crt/.pem);
    ssl_certificate_key private key file path (.key);
    ssl_session_timeout 5m;
    # Please configure the protocols as follows
    ssl_protocols TLSv1.2 TLSv1.3;
    # Please configure the cipher suites as follows, written in the OpenSSL cipher-string format
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root /usr/share/nginx/html/dist/;
        try_files $uri $uri/ /index.html;
        index index.html;
    }

    location /api/ {
        # The reverse proxy rewrites the Host field of the forwarded request header
        proxy_set_header Host $http_host;
        default_type application/json;
        proxy_pass http://localhost:8443/;
    }
}

[Solved] Ubuntu Compile Rust Program Error: failed to run custom build command for openssl-sys v0.9.39

Compiling a Rust program in an Ubuntu environment reports an error:

failed to run custom build command for openssl-sys v0.9.39

Ubuntu version: 20.04

Referring to the discussion on GitHub, there are two possible solutions:

  1. sudo apt install pkg-config
  2. sudo apt install libssl-dev

I used the second method to solve this problem.

[Solved] svn Error: E230001: Server SSL certificate verification failed: certificate issued

svn: E230001: Server SSL certificate verification failed: certificate issued

This means that verification of the server’s SSL certificate failed.

Solution:

In the terminal, execute svn ls https://*/svn/ (my project address).

The terminal will then ask you to choose (R)eject, accept (t)emporarily or accept (p)ermanently; p accepts the certificate permanently.

Enter p and press Enter; you will then be prompted for the computer user’s password and the svn account password. Just follow the prompts.

After all input is complete, press Enter. The accepted certificate is cached under ~/.subversion/auth/svn.ssl.server/, so later svn commands against this server are trusted without prompting again.

python minio client Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certific

Built a MinIO service with HTTPS enabled; calling it from Python reports the error:

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='xx.xx.xx.xxx', port=9000): Max retries exceeded with url: /allstruct?location= (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1108)')))

To ignore the certificate error and try the demo script:


import os
from urllib.parse import urlparse

import certifi
import urllib3
from minio import Minio

# With verification disabled, urllib3 warns on every request; silence that warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

minio_endpoint = urlparse(os.getenv("MINIO_ENDPOINT", "https://xxx.xxx.xxx.xxx:9000"))

# Use TLS only when the endpoint scheme is https
secure = minio_endpoint.scheme == "https"

ok_http_client = urllib3.PoolManager(
    timeout=urllib3.util.Timeout(connect=10, read=10),
    maxsize=10,
    # CERT_NONE skips certificate verification entirely, so the self-signed
    # certificate is accepted without being checked; ca_certs is not consulted in this mode.
    cert_reqs="CERT_NONE",
    ca_certs=os.environ.get("SSL_CERT_FILE") or certifi.where(),
    retries=urllib3.Retry(
        total=5,
        backoff_factor=0.2,
        status_forcelist=[500, 502, 503, 504],
    ),
)

# netloc is "host:port"; the scheme is conveyed through secure=
minioClient = Minio(
    minio_endpoint.netloc,
    access_key="username",
    secret_key="password",
    http_client=ok_http_client,
    secure=secure,
)

print(minioClient.list_buckets())
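As an added example (not part of the original post and not the minio library's own code), the same client construction with verification kept on: the CA that signed the self-signed certificate is supplied through ca_certs instead of being ignored. make_http_client and the CA path are assumptions for illustration; the block needs urllib3, and the returned PoolManager is passed to Minio(..., http_client=...) exactly as in the script above.

```python
import os
from urllib.parse import urlparse

import urllib3


def make_http_client(endpoint, ca_file=None, allow_insecure=False):
    """Build the (netloc, secure, PoolManager) triple a Minio(...) call needs.

    For a self-signed MinIO certificate, the fix that keeps verification is to
    hand urllib3 the CA that signed it (or the server certificate itself) via
    ca_certs while keeping cert_reqs='CERT_REQUIRED'. CERT_NONE, which the demo
    script above uses, is reachable here only when allow_insecure=True is
    passed explicitly, so it cannot be selected by accident.
    """
    parsed = urlparse(endpoint)
    secure = parsed.scheme == "https"
    pool_kw = {
        "timeout": urllib3.util.Timeout(connect=10, read=10),
        "maxsize": 10,
        "retries": urllib3.Retry(
            total=5, backoff_factor=0.2, status_forcelist=[500, 502, 503, 504]
        ),
    }
    if secure:
        if allow_insecure:
            # Accepts any certificate; equivalent to the demo script above.
            pool_kw["cert_reqs"] = "CERT_NONE"
        else:
            pool_kw["cert_reqs"] = "CERT_REQUIRED"
            # Explicit CA file > SSL_CERT_FILE env var > system trust store
            # (urllib3 loads the system store when ca_certs is not given).
            ca = ca_file or os.environ.get("SSL_CERT_FILE")
            if ca is not None:
                pool_kw["ca_certs"] = ca
    return parsed.netloc, secure, urllib3.PoolManager(**pool_kw)


# Usage (the CA path is a placeholder; pass the PoolManager as http_client=):
#   netloc, secure, client = make_http_client("https://minio.example.test:9000",
#                                             ca_file="/etc/ssl/certs/minio-ca.pem")
#   Minio(netloc, access_key=..., secret_key=..., http_client=client, secure=secure)
```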

Pycharm WebSocket Error: Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Problem description

PyCharm encountered an SSL error while running a websocket client:

Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Problem-solving

Since I use an Anaconda environment in PyCharm, the certificate has to be configured in the corresponding conda environment.

python -m certifi

This prints the path of the certifi CA bundle.

conda config --set ssl_verify <your-path>

This saves the certificate path in the conda configuration so that the websocket can be opened normally.

[Solved] zabbix Error: Cannot perform request: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Zabbix 6.0 (Ubuntu 20.04) reports an error when monitoring server hardware over HTTPS (Redfish protocol): Cannot perform request: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small.

I used curl to test and it also reports the error:

curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Searching online, the cause is that OpenSSL disables low-security encryption methods at its default security level, and the Diffie-Hellman parameters the server sends in its ServerKeyExchange are shorter than that level allows. Lower the security level in the OpenSSL configuration, then restart the Zabbix services or reboot the system.

Solution:

Edit the OpenSSL configuration file:

sudo nano /etc/ssl/openssl.cnf

Add this line at the top:

openssl_conf = openssl_init

And add these lines at the end:

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1

Restart the server and it will be OK. Note that this setting applies to every program that reads the system OpenSSL configuration, not only to Zabbix.

[Solved] Git Clone Error: error setting certificate verify locations

Description

When using git clone to clone a project from GitHub or Gitee, the following error is reported:

error setting certificate verify locations:
CAfile: E:/Git/mingw64/ssl/certs/ca-bundle.crt
CApath: none

Analysis

According to the error prompt, setting the certificate verification location failed, that is, the certificate file path is wrong.

When cloning a remote project over HTTPS, the server’s certificate is verified first. If the local CA certificate file cannot be found, an error is reported.

This is why the error is not reported when cloning projects from GitLab: GitLab is generally deployed on the intranet and does not need the certificate verified.

Path errors often occur because the local Git is a portable (“green”) installation, that is, an archive that was extracted and used directly without running an installer.

In that case the certificate file path is still the path from the original machine. If the path on the new machine is different, the path error results.

Solution:

For the above analysis, there are two solutions:

  • Modify certificate file path (recommended)
  • Turn off certificate verification

Turning off certificate verification may cause security problems; modifying the certificate file path is recommended.

Modify certificate file path

There are two ways:

  • Execute the configuration command (recommended)
  • Modify the configuration file

Both methods ultimately modify the configuration file. Editing the file by hand is more cumbersome and prone to mistakes, so executing the configuration command is recommended.

Execute configuration command

git config --system http.sslcainfo "Git安装路径/mingw64/ssl/certs/ca-bundle.crt"

Modify the configuration file

Git’s system configuration file is located at: git installation path\etc\gitconfig

Modify the path in the file as shown in the figure (the http.sslCAInfo entry) to git installation path/mingw64/ssl/certs/ca-bundle.crt and save.

Turn off certificate verification

git config --system http.sslverify false

This method may cause Git security problems and is not recommended.

[Solved] ffmpeg Enable https Error: “ERROR: openssl not found”

ffmpeg can link against the libssl.so/libcrypto.so shared libraries or the libssl.a/libcrypto.a static libraries. The case here is that the libraries are clearly present, yet configure still cannot find OpenSSL.

Searching the ffmpeg source, the prompt is printed in the configure script. The source code is as follows:

enabled openssl           && { use_pkg_config openssl openssl/ssl.h OPENSSL_init_ssl ||
                               check_lib openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto ||
                               use_pkg_config openssl openssl/ssl.h SSL_library_init ||
                               check_lib openssl/ssl.h SSL_library_init -lssl -lcrypto ||
                               check_lib openssl/ssl.h SSL_library_init -lssl32 -leay32 ||
                               check_lib openssl/ssl.h SSL_library_init -lssl -lcrypto -lws2_32 -lgdi32 ||
                               die "ERROR: openssl not found"; }

You can see that ffmpeg tries the OpenSSL checks one by one. My config.log shows that the last one was reached, but OpenSSL was still not found.

The reason is that I am using a newer OpenSSL library. The old OpenSSL library uses ‘SSL_library_init’ to initialize, while the newer version uses ‘OPENSSL_init_ssl’ to initialize, and because that does not pass the check, this error is reported here.

Solution:

Add a line to check ‘check_lib openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto’ and it will pass; the snippet above already includes what I added.

[Solved] OpenSSL Error messages: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Over the last two days, the service has been reporting the following error when calling Baidu’s address location and reverse address resolution interfaces:

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

The interface’s query results were affected; in the end the problem was solved by calling with curl:

// $url and $header are set earlier by the caller
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_FAILONERROR, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Peer and host verification are switched off here: a response is accepted
// from any certificate, so this silences the error rather than restoring trust
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// 4 = CURL_SSLVERSION_TLSv1_0 (see the value list below)
curl_setopt($ch, CURLOPT_SSLVERSION, 4);
$response = curl_exec($ch);
curl_close($ch);

CURLOPT_SSLVERSION values and meanings (CURL_SSLVERSION_TLSv1_2 requires PHP version >= 5.5.19; TLS 1.1 and TLS 1.2 are supported since OpenSSL 1.0.1):

  • CURL_SSLVERSION_DEFAULT (0)
  • CURL_SSLVERSION_TLSv1 (1)
  • CURL_SSLVERSION_SSLv2 (2)
  • CURL_SSLVERSION_SSLv3 (3)
  • CURL_SSLVERSION_TLSv1_0 (4)
  • CURL_SSLVERSION_TLSv1_1 (5)
  • CURL_SSLVERSION_TLSv1_2 (6)

[Solved] mosquitto log Error: SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

Problem description

The following error occurred in mosquitto’s TLS/SSL during today’s test, indicating that the problem lies in the TLS version:

I know that the default TLS version of mosquitto_pub and mosquitto_sub is tlsv1.2; however, the OpenSSL version in my virtual machine is 1.1.1, and tls_version tlsv1.1 is configured in mosquitto.conf (one-way authentication is configured here; two-way authentication also applies), so a TLS version error occurs.


Solution:

For C programs using the mosquitto library:
Call mosquitto_tls_opts_set() before mosquitto_tls_set(); this API sets the TLS version the client uses. Note that the TLS version defaults to tlsv1.2.

The code is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <mosquitto.h>

/* mosq is the struct mosquitto * returned by mosquitto_new(); CAFILE, CAPATH,
   CERTFILE and KEYFILE are path macros defined elsewhere in the program
   (CERTFILE and KEYFILE may be NULL for one-way authentication). Both calls
   must be made before mosquitto_connect(). */
int rc = -1;

/* cert_reqs = 1 means the broker certificate is verified against the CA;
   "tlsv1.1" matches the tls_version set in mosquitto.conf. */
rc = mosquitto_tls_opts_set(mosq, 1, "tlsv1.1", NULL);
if (rc != MOSQ_ERR_SUCCESS) {
    printf("mosquitto_tls_opts_set failure.\n");
    exit(1);
}

rc = mosquitto_tls_set(mosq, CAFILE, CAPATH, CERTFILE, KEYFILE, NULL);
if (rc != MOSQ_ERR_SUCCESS) {
    printf("mosquitto_tls_set failure.\n");
    exit(1);
}

On the mosquitto command line

The following is a test of one-way authentication (for two-way authentication, add the client certificate and key yourself):

mosquitto_pub -h 192.168.222.130 -p 8884 -t "hello" -m "hi sub" --tls-version tlsv1.1 --cafile ./ca/ca.crt

mosquitto_sub -h 192.168.222.130 -p 8884 -t "hello" --tls-version tlsv1.1 --cafile ./ca/ca.crt

If the problem is solved, the clients connect normally:

[Solved] svn: OPTIONS of ‘https://xxx/svn/xxx’: SSL handshake failed: SSL error: Key usage violation in certificate has been detected.

svn SSL handshake failed: SSL error

The SVN server is used for version management, and suddenly the repository browser reports an error: svn: OPTIONS of ‘https://xxx/svn/xxx’: SSL handshake failed: SSL error: Key usage violation in certificate has been detected. (https://xxx). After that, files can no longer be exported or imported.

Solution:

1. Mine is a Windows Server 2012 32-bit English system. First modify the registry and add a value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualSVN\VisualSVN Server] "CreateGnuTLSCompatibleCertificate"=dword:00000001

2. VisualSVN Server Manager

Action -> Properties -> Certificate -> Change certificate, then proceed to the next step.

If it still doesn’t work, change the login method: check HTTPS and then HTTP, then log in and the problem is solved.