Tag Archives: ssl

[Solved] Git Clone Error: error setting certificate verify locations

Description

When using git clone to clone an item on GitHub or gitee, the following error is reported:

error setting certificate verify locations:

CAfile: E:/Git/mingw64/ssl/certs/ca-bundle. crt

CApath: none

analysis

According to the error prompt, there is an error in setting the certificate verification location, that is, the certificate file path is wrong.

When cloning a remote project, the security certificate will be verified first. If the local security certificate file cannot be found, an error will be reported.

This is why this error will not be reported when cloning projects on gitlab, because gitlab is generally built on the intranet and does not need to verify the security certificate.

Path errors often occur because the local Git is installed green, that is, it is directly extracted and used.

In this way, the path of the certificate file is still the path on the original machine. If the path of the new machine is inconsistent, the path error will be caused.

Solution:

For the above analysis, there are two solutions:

  • Modify certificate file path (recommended)
  • Turn off certificate verification

Turning off certificate verification may cause security problems. It is recommended to modify the certificate file path.

Modify certificate file path

There are two ways:

  • Execute the configuration command (recommended)
  • Modify the configuration file

The essence of these two methods is to modify the configuration file. However, some misoperations may occur when modifying the file, and the operation is more cumbersome. It is recommended to execute the configuration command.

Execute configuration command

git config --system http.sslcainfo "Git安装路径/mingw64/ssl/certs/ca-bundle.crt"

Modify profile

Git’s system configuration files are located at: git installation path \etc\gitconfig

Modify the path in the file as shown in the figure to git installation path /mingw64/ssl/certs/ca-bundle.crt save again.

Turn off certificate verification

git config --system http.sslverify false

This method may cause git security problems and is not recommended.

[Solved] ffmpeg Enable https Error: “ERROR: openssl not found”

ffmpeg can use libssl.so libcrypto.so dynamic library, or libssl.a libcrypto.a static library, the next is to say that obviously the inventory is there, but the compiler still can not find openssl.

Search the ffmpeg source code, and you can find that the prompt is printed in the configure file. The source code is as follows:

enabled openssl           && { use_pkg_config openssl openssl/ssl.h OPENSSL_init_ssl ||
                               check_lib openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto ||
                               use_pkg_config openssl openssl/ssl.h SSL_library_init ||
                               check_lib openssl/ssl.h SSL_library_init -lssl -lcrypto ||
                               check_lib openssl/ssl.h SSL_library_init -lssl32 -leay32 ||
                               check_lib openssl/ssl.h SSL_library_init -lssl -lcrypto -lws2_32 -lgdi32 ||
                               die "ERROR: openssl not found"; }

You can find that ffmpeg is trying OpenSSL one by one. My config The log shows that the last one has been checked, but OpenSSL is still not found.

The reason is that I am using a newer openssl library, the old openssl library uses ‘SSL_library_init’ to initialize, the newer openssl version uses ‘OPENSSL_init_ssl’ to initialize. The new version of openssl uses ‘OPENSSL_init_ssl’ to initialize, and because it does not pass the check, this error is reported here.

Solution:

Add a line to check ‘check_lib openssl/ssl.h OPENSSL_init_ssl -lssl -lcrypto ‘ and it will pass, above is what I have added.

 

[Solved] OpenSSL Error messages: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

In these two days, the service has been reporting when calling Baidu’s addressing and positioning interface and reverse address resolution:

file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

The query results of the interface are affected, and finally the curl call problem is solved:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_FAILONERROR, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSLVERSION, 4);
$reponse = curl_exec($ch);

CURLOPT_SSLVERSION Fetch value and meaning
CURL_SSLVERSION_TLSv1_2 requires php version >= 5.5.19
TLS 1.1 and TLS 1.2 are supported since OpenSSL 1.0.1

CURL_SSLVERSION_DEFAULT (0)
CURL_SSLVERSION_TLSv1 (1),
CURL_SSLVERSION_SSLv2 (2), 
CURL_SSLVERSION_SSLv3 (3),
CURL_SSLVERSION_TLSv1_0 (4),
CURL_SSLVERSION_TLSv1_1 (5),
CURL_SSLVERSION_TLSv1_2 (6).

[Solved] mosquitto log Error: SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

Problem description

The following errors occurred in the TLS/SSL of mosquitto during the test today, indicating that the error occurred in the TLS version:

I know that the default tls version of mosquitto_pub and mosquitto_sub is tlsv1.2, however, the version of openssl in my virtual machine is 1.1.1, and the tls_version tlsv1.1 is configured in mosquitto.conf (one-way authentication is configured here, two-way authentication is also (here the configuration is one-way authentication, two-way authentication is also applicable), so there will be tls version error.


Solution:

For C programs of mosquitto library
Use the API mosquitto_tls_set() before attaching mosquitto_tls_opts_set(), this API can set the corresponding tls version of the client, note that the tls version defaults to tlsv1.2.

The code is as follows:

int    rc = -1;

rc = mosquitto_tls_opts_set(mosq, 1, "tlsv1.1", NULL);
if( rc != MOSQ_ERR_SUCCESS )
{
    printf("mosquitto_tls_opts_set failure.\n");
    exit(1);
}

rc = mosquitto_tls_set(mosq, CAFILE, CAPATH, CERTFILE, KEYFILE, NULL);
if( rc != MOSQ_ERR_SUCCESS )
{
    printf("mosquitto_tls_set failure.\n");
    exit(1);
}

On the mosquitto command line

The following is the test of one-way authentication (in case of two-way authentication, add the certificate and key by yourself)

mosquitto_ pub -h 192.168.222.130 -p 8884 -t “hello” -m “hi sub” –tls-version tlsv1. 1 –cafile ./ ca/ca.crt

mosquitto_ sub -h 192.168.222.130 -p 8884 -t “hello” –tls-version tlsv1. 1 –cafile ./ ca/ca.crt

If the problem is solved successfully, it can be connected normally:

[Solved] svn: OPTIONS of ‘https://xxx/svn/xxx’: SSL handshake failed: SSL error: Key usage violation in certificate has been detected.

svn SSL handshake failed: SSL error

Use the SVN server for version management, and suddenly use the version browser to report an error. svn: OPTIONS of ‘ https://xxx/svn/xxx ’: SSL handshake failed: SSL error: Key usage violation in certificate has been detected. (https://xxx), Then you cannot export or import files

 

Solution:

1. My is win2012 32-bit English version system. First modify the registry and add a value
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VisualSVN\VisualSVN Server] "CreateGnuTLSCompatibleCertificate"=dword:00000001

2. VisualSVN Server Manager

Action -> Properties -> Certificate-> Change certificate, and then go to the next step

if it still doesn’t work, change the login method, check HTTPS and then http. Then log in and you can solve the problem

[Solved] LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

There is an error when using git to pull the GitHub code base

LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

The solution is as follows:
1 Cancel global proxy first:

git config --global --unset https.proxy
git config --global --unset http.proxy

2. Configure global agent:

git config --global http.https://github.com.proxy socks5://127.0.0.1:1080 
git config --global https.https://github.com.proxy socks5://127.0.0.1:1080

Note that 1080 is changed to the port number of its own proxy service

Repo init Error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Repo init reports an error [SSL: certificate_verify_failed] certificate verify failed

The complete error information is shown in the figure below:

According to the online method, I tried export pythonhttsverify = 0 and still reported an error

Try the following method to set the environment variable SSL_CERT_Dir, problem solving, you might as well try it.

$ sudo update-ca-certificates --fresh
$ export SSL_CERT_DIR=/etc/ssl/certs

Ansible Use yum module to install rpm Error: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate v

Project scenario:

Today I used Ansible to install postgresql-13 and wrote the following test script from the official installation tutorial.

- hosts: postgresql
  gather_facts: false
  tasks:
    - name: install pg repo
      yum:
        name: https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
        state: present
    - name: install pg
      yum:
        name: postgresql13-server
        state: present
    - name:
      stat:
        path: "/var/lib/pgsql/data/pg_hba.conf"
      register: postgres_data
    - name:
      shell: "/usr/pgsql-13/bin/postgresql-13-setup initdb"
      when: not postgres_data.stat.exists
    - name:
      systemd:
        name: postgresql-13
        enabled: yes
        daemon_reload: yes
        state: started

Problem Description:

the following error occurs when running the script:

fatal: [172.17.200.2]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "msg": "Failure downloading https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm, Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>"}

Solution:

Just modify https to http in https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

[Solved] PostgreSQL configure: error: readline library not found

preface

An error occurs when installing PostgreSQL, as shown below

configure: error: readline library not found
If you have readline already installed, see config.log for details on the
failure.  It is possible the compiler isn't looking in the proper directory.
Use --without-readline to disable readline support.

Solution:

Check whether the readLine package is installed in the system

rpm -qa | grep readline

Install readline-devel pack

yum -y install -y readline-devel

Execute configure again successfully

The explanation of readLine comes from the official website

--without-readline
Prevents use of the Readline library (and libedit as well). Thisoption disables command-line
editing and history in psql, so it is notrecommended.

Note: when you execute configure, you can add “– without readLine” to avoid this error, but PostgreSQL officials do not recommend it