Tag Archives: ssl

cURL error 60: SSL certificate problem: self signed certificate in certificate chain

1. Problem

cURL error 60: SSL certificate problem: self signed certificate in certificate chain (server HTTP 302). This is generally a problem with self-signed certificates.

2. Solution

Solution 1. Use the domain name with HTTPS directly on the online server

Solution 2. Windows local development environment solution

a) Download certificate:
https://github.com/china-li-shuo/ca-cert

b) Put the downloaded certificate in your PHP path:

D:\wamp64\bin\php\php7.3.21\extras\ssl (this is your local PHP version path)

c) Modify the php.ini file

curl.cainfo="D:\wamp64\bin\php\php7.3.21\extras\ssl\ca-cert.crt"
openssl.cafile="D:\wamp64\bin\php\php7.3.21\extras\ssl\ca-cert.crt"

d) Restart PHP

[Solved] Android 7/8 Jack server SSL error: Jack server failed to (re)start, try 'jack-diagnose' or see Jack server log

The following error message appears when compiling Android 7 or 8 code:
Jack server failed to (re)start, try 'jack-diagnose' or see Jack server log
SSL error when connecting to the Jack server. Try 'jack-diagnose'
SSL error when connecting to the Jack server. Try 'jack-diagnose'
This is caused by a JDK update:
https://java.com/en/download/help/release_changes.html
According to the JDK release highlights, this update disables TLSv1.0 and TLSv1.1 through jdk.tls.disabledAlgorithms.

Solution:
sudo vim /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security

Change to:

After the modification, restart the machine or restart the Jack server, then compile again.

Keytool: How to solve javax.net.ssl.SSLHandshakeException Error?

A Java microservice in the environment was failing. The logs reported this error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Reason: The self-signed certificate used by the customer is not trusted by the JDK.

Solution: import the SSL certificate of the customer's domain into the JDK trust store (cacerts).

# export LANG="en_US.UTF-8"
# openssl s_client -connect www.example.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > www.example.com.crt
# keytool -import -file www.example.com.crt -alias www.example.com -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass "changeit" -noprompt -trustcacerts

Restart the relevant Java application and the problem is solved.

[Solved] getObject: FAILED RequestCoreException: cURL resource: Resource id #78; cURL error: SSL certificate

Reason:

The reason for this problem is that curl.cainfo is not configured, which is located in php.ini.

Solution:

With the cause identified, the fix is straightforward:

1. Download cacert

Download address: https://curl.haxx.se/ca/cacert.pem

2. Modify php.ini and restart

curl.cainfo="real_path/cacert.pem"

Note:

The php_curl and php_openssl extensions must be enabled.

[Solved] /sockjs-node/info?t= net::ERR_SSL_PROTOCOL_ERROR

  Error: as shown in the following figure

After a long struggle, and after admitting that the problem was my own, I set about solving it:

{
  "apiUrl": "http://192.168.56.101:5000/",
  "port": "8080",
  "host": "127.0.0.1",
  "socketHost": "172.16.0.26:443"
}

The "socketHost" line is the one to add to the JSON file; it is used to configure public. (No comments can be written in JSON.)

Following the discussion in https://github.com/vuejs/vue-cli/issues/1472, the following solution was found:

In the webpack.dev.conf.js file, import the configuration:

const URL = require('../static/config.json');
const socketHost = URL.socketHost;

Add the following inside devServer: {}:

public: socketHost,
disableHostCheck: true

Fortunately, the problem is solved!

Flutter upgrade SDK SSL_ERROR_SYSCALL error [How to Solve]

Run the following command to upgrade Flutter:

flutter upgrade

For some reason GitHub cannot be reached, and the following error is reported:

Standard error: fatal: unable to access
'https://github.com/flutter/flutter.git/': LibreSSL SSL_connect:
SSL_ERROR_SYSCALL in connection to github.com:443

You can configure a proxy for git. The commands are as follows:

git config --global http.proxy http://127.0.0.1:1080
git config --global https.proxy http://127.0.0.1:1080

Note that the port should match your own proxy configuration. Set the HTTPS entry or not, according to your needs.
To remove the proxy settings, use the following commands:

git config --global --unset http.proxy 
git config --global --unset https.proxy

After applying the setting, the test passed.

The git config --global command adds the following configuration to the ~/.gitconfig file:

[http]
	proxy = http://127.0.0.1:1080
[https]
	proxy = http://127.0.0.1:1080

Note:
there is another way to use this command. It has not been tested yet; it is saved here for reference.

git config --global --add remote.origin.proxy

FIX: SSL error when connecting to the Jack server. [How to Solve]

Background
Compiling Android 8 source code on Ubuntu 16.04 suddenly reports an error.

FAILED: setup-jack-server 
/bin/bash -c "(prebuilts/sdk/tools/jack-admin install-server prebuilts/sdk/tools/jack-launcher.jar prebuilts/sdk/tools/jack-server-4.11.ALPHA.jar  2>&1 || (exit 0) ) && (JACK_SERVER_VM_ARGUMENTS=\"-Dfile.encoding=UTF-8 -XX:+TieredCompilation\" prebuilts/sdk/tools/jack-admin start-server 2>&1 || exit 0 ) && (prebuilts/sdk/tools/jack-admin update server prebuilts/sdk/tools/jack-server-4.11.ALPHA.jar 4.11.ALPHA 2>&1 || exit 0 ) && (prebuilts/sdk/tools/jack-admin update jack prebuilts/sdk/tools/jacks/jack-4.32.CANDIDATE.jar 4.32.CANDIDATE || exit 47 )"
Jack server already installed in ".jack-server"
Communication error with Jack server (35), try 'jack-diagnose' or see Jack server log
SSL error when connecting to the Jack server. Try 'jack-diagnose'
SSL error when connecting to the Jack server. Try 'jack-diagnose'

Solution

Try according to the prompt:

$ jack-diagnose
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
Port 8077 is used by another process (pid=), please ensure to free the port or change port configuration in '/.jack-settings' and 'jack-server/config.properties'
error: process ID list syntax error

Usage:
 ps [options]

 Try 'ps --help <simple|list|output|threads|misc|all>'
  or 'ps --help <s|l|o|t|m|a>'
 for additional help text.

For more details see ps(1).
Port 8076 is used by another process (pid=), please ensure to free the port or change port configuration in '.jack-settings' and '/.jack-server/config.properties'
SSL error when connecting to the Jack server. Try 'jack-diagnose'

The problem remained the same, so the focus stayed on SSL communication.
In the end, it was solved as follows:

1. Edit /etc/java-8-openjdk/security/java.security
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS.  This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including
# protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves




2. Find the line containing TLSv1, delete TLSv1 and TLSv1.1 from it, and save the file.

3. Switch to the prebuilts/sdk/tools/ directory of the Android source tree being compiled.

4. Run:

./jack-admin kill-server 

./jack-admin start-server

Apache Cannot Start: SSL Library Error: -8181 Certificate has expired

One day, after the server was restarted, Apache could not start. Check the Apache error log:

cat /var/log/httpd/error_log

The following errors are found:

[Wed Aug 25 18:49:00.134257 2021] [:error] [pid 1607] SSL Library Error: -8181 Certificate has expired
[Wed Aug 25 18:49:00.134318 2021] [:error] [pid 1607] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Use the following command to view the certificate information and find that the certificate has expired:

certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Fri Jan 24 15:03:11 2017
            Not After : Wed Jan 24 15:03:11 2021

As a temporary workaround, turn off certificate validation first, then remove this setting once the certificate has been renewed.
To do this, add NSSEnforceValidCerts off to the /etc/httpd/conf.d/nss.conf file.

The permanent solution is to regenerate the certificate. The command is as follows:

yum install httpd mod_nss
certutil -d /etc/httpd/alias -L -n Server-Cert
cd /etc/httpd/alias
rm -f *.db
/usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1

Then check that the certificate expiration date is normal.

certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Fri Aug 27 07:27:30 2021
            Not After : Wed Aug 27 07:27:30 2025

Try to start Apache and find that it still can’t be started. Check the error log again and find a new error report:

[Fri Aug 27 15:38:17.483837 2021] [:error] [pid 15043] Server user apache lacks read access to NSS key database /etc/httpd/alias/key3.db.

The apache user evidently has no permission on the key3.db file.
Check the file attributes:

ls -l /etc/httpd/alias/
total 88
-rw-------. 1 root root 65536 Oct 26 17:26 cert8.db
-rw-------. 1 root root    5872 Oct 26 17:26 install.log
-rw-------. 1 root root 16384 Oct 26 17:26 key3.db
lrwxrwxrwx. 1 root root      24 Nov 15 10:58 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-------. 1 root root 16384 Oct 26 17:26 secmod.db

Then change the ownership and permissions of all DB files in the /etc/httpd/alias/ directory:

chown :apache /etc/httpd/alias/*.db
chmod u=rw,g=r /etc/httpd/alias/*.db

The following two commands have the same effect:

chown root:apache /etc/httpd/alias/*.db
chmod 0640 /etc/httpd/alias/*.db

After modification, check the properties of the DB file:

ls -l /etc/httpd/alias/
total 88
-rw-r-----. 1 root apache 65536 Oct 26 17:26 cert8.db
-rw-------. 1 root root    5872 Oct 26 17:26 install.log
-rw-r-----. 1 root apache 16384 Oct 26 17:26 key3.db
lrwxrwxrwx. 1 root root      24 Nov 15 10:58 libnssckbi.so -> /usr/lib64/libnssckbi.so
-rw-r-----. 1 root apache 16384 Oct 26 17:26 secmod.db

Finally, start Apache:

systemctl start httpd

Start successfully!
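
An expiry check that would have flagged this outage before the restart, as an added example that is not part of the original post: it parses the Validity block of the certutil output shown above and reports the days until Not After. The function names and the 30-day threshold are assumptions, and validity times are treated as UTC.

```bash
# Added example. Constructed sample input: the two Validity blocks quoted in this post.
old_cert_sample() {
  cat <<'EOF'
        Validity:
            Not Before: Fri Jan 24 15:03:11 2017
            Not After : Wed Jan 24 15:03:11 2021
EOF
}
new_cert_sample() {
  cat <<'EOF'
        Validity:
            Not Before: Fri Aug 27 07:27:30 2021
            Not After : Wed Aug 27 07:27:30 2025
EOF
}

# cert_status NOW WARN_DAYS   (stdin: output of certutil -d <db> -L -n <nickname>)
# Prints "EXPIRED <days ago>", "EXPIRING <days left>" or "OK <days left>".
# NOW is epoch seconds. Assumption: certutil prints validity times in UTC.
cert_status() {
  awk -v now="$1" -v warn="$2" '
    /Not After/ {
      sub(/^[^:]*:[ \t]*/, "")          # leaves: weekday month day hh:mm:ss year
      split($4, t, ":")
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
      y = $5 - (m <= 2)                 # days-from-civil: the year starts in March
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + $3 - 1
      days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
      left = days * 86400 + t[1] * 3600 + t[2] * 60 + t[3] - now
      if (left <= 0) print "EXPIRED", int(-left / 86400)
      else if (left < warn * 86400) print "EXPIRING", int(left / 86400)
      else print "OK", int(left / 86400)
      found = 1; exit
    }
    END { if (!found) { print "NO_VALIDITY_FOUND"; exit 2 } }'
}

# Live use: certutil -d /etc/httpd/alias -L -n Server-Cert | cert_status "$(date +%s)" 30
old_cert_sample | cert_status "$(date +%s)" 30
new_cert_sample | cert_status 1629849600 30
```

The weekday field is ignored on purpose, so only the month, day, time and year of the Not After line decide the result.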

Android Compile Error: “SSL error when connecting to the Jack server. Try ‘jack-diagnose‘”

Compiling the 8909 A7 code had never been a problem before. Then, one day, the build hit SSL-related errors. The specific errors are as follows:

[  0% 12/6140] Ensure Jack server is installed and started
FAILED: /bin/bash -c "(prebuilts/sdk/tools/jack-admin install-server prebuilts/sdk/tools/jack-launcher.jar prebuilts/sdk/tools/jack-server-4.8.ALPHA.jar  2>&1 || (exit 0) ) && (JACK_SERVER_VM_ARGUMENTS=\"-Dfile.encoding=UTF-8 -XX:+TieredCompilation\" prebuilts/sdk/tools/jack-admin start-server 2>&1 || exit 0 ) && (prebuilts/sdk/tools/jack-admin update server prebuilts/sdk/tools/jack-server-4.8.ALPHA.jar 4.8.ALPHA 2>&1 || exit 0 ) && (prebuilts/sdk/tools/jack-admin update jack prebuilts/sdk/tools/jacks/jack-2.28.RELEASE.jar 2.28.RELEASE || exit 47; prebuilts/sdk/tools/jack-admin update jack prebuilts/sdk/tools/jacks/jack-3.36.CANDIDATE.jar 3.36.CANDIDATE || exit 47; prebuilts/sdk/tools/jack-admin update jack prebuilts/sdk/tools/jacks/jack-4.7.BETA.jar 4.7.BETA || exit 47 )"
Jack server already installed in "/fwork1/yuwl/.jack-server"
Communication error with Jack server (35), try 'jack-diagnose' or see Jack server log
SSL error when connecting to the Jack server. Try 'jack-diagnose'
SSL error when connecting to the Jack server. Try 'jack-diagnose'
[  0% 12/6140] target R.java/Manifest.java: SnapdragonCamera (out/target/common/obj/APPS/SnapdragonCamera_intermediates/src/R.stamp)

Judging from the error log, an SSL exception occurred when connecting to the Jack server. At first I suspected the Jack server itself and tried restarting the Jack server service and configuring the Jack server port number, but neither helped. Searching online showed that many people had run into the same problem. The solution is as follows, and it worked in my own testing.

Solution:
In the /etc/java-8-openjdk/security/java.security file, delete the TLSv1 and TLSv1.1 entries from the jdk.tls.disabledAlgorithms parameter.
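
The three Jack server posts on this page all make the same edit to the system-wide java.security file. As an added example (not from the original posts or the Android project), the script below reads jdk.tls.disabledAlgorithms, including its backslash-continued lines, and writes a separate override file with only TLSv1 and TLSv1.1 removed, so the relaxation can be limited to the Jack server JVM through -Djava.security.properties. It assumes jack-admin passes JACK_SERVER_VM_ARGUMENTS to that JVM and that security.overridePropertiesFile is left at true; the function names and file paths are hypothetical.

```bash
# Added example. Constructed sample input: the property as quoted on this page.
sample_java_security() {
  cat <<'EOF'
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
EOF
}

# Print the active property value on one line: comment lines are skipped and
# backslash-continued lines are joined.
tls_disabled_value() {
  awk '
    /^[ \t]*#/ { next }
    !inprop && /^jdk\.tls\.disabledAlgorithms[ \t]*=/ { sub(/^[^=]*=/, ""); inprop = 1; val = "" }
    inprop {
      line = $0
      more = sub(/\\[ \t]*$/, "", line)   # 1 if the line ended with a backslash
      val = val line
      if (!more) inprop = 0
    }
    END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); print val }
  ' "$1"
}

# Drop exactly the TLSv1 and TLSv1.1 entries; TLSv1.2, TLSv1.3 and the rest stay.
drop_legacy_tls() {
  awk -F',' '{
    out = ""
    for (i = 1; i <= NF; i++) {
      tok = $i
      gsub(/^[ \t]+|[ \t]+$/, "", tok)
      if (tok == "" || tok == "TLSv1" || tok == "TLSv1.1") continue
      out = out (out == "" ? "" : ", ") tok
    }
    print out
  }'
}

# write_override SRC DST: write the one-line override file DST from java.security SRC.
# Assumption: the Jack server JVM is then started with -Djava.security.properties=DST.
write_override() {
  printf 'jdk.tls.disabledAlgorithms=%s\n' "$(tls_disabled_value "$1" | drop_legacy_tls)" > "$2"
}

demo_dir=$(mktemp -d)
sample_java_security > "$demo_dir/java.security"
write_override "$demo_dir/java.security" "$demo_dir/jack-tls.properties"
```

To apply it, run ./jack-admin kill-server, then start the server with -Djava.security.properties=<override file> appended to the JACK_SERVER_VM_ARGUMENTS value shown in the build log; other Java programs on the machine keep TLSv1 and TLSv1.1 disabled.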