Tag Archives: ssl

[Solved] Error: unable to verify the first certificate

Several options had already been set on Windows 10, but yarn still reported the error: unable to verify the first certificate

$ yarn config list
yarn config v1.22.4
info yarn config
{
  'version-tag-prefix': 'v',
  'version-git-tag': true,
  'version-commit-hooks': true,
  'version-git-sign': false,
  'version-git-message': 'v%s',
  'init-version': '1.0.0',
  'init-license': 'MIT',
  'save-prefix': '^',
  'bin-links': true,
  'ignore-scripts': false,
  'ignore-optional': false,
  registry: 'http://npm.xxxxx.com',
  'strict-ssl': false,
  'user-agent': 'yarn/1.22.4 npm/?node/v12.22.1 win32 x64',
  NODE_TLS_REJECT_UNAUTHORIZED: 0,
  lastUpdateCheck: 1629361331003
}
info npm config
{
  registry: 'http://npm.xxxxx.com',
  CYPRESS_INSTALL_BINARY: 'https://npm.taobao.org/mirrors/cypress/5.6.0/darwin-x64/cypress.zip',
  '//arch': 'ia32',
  '//registry': 'https://registry.npm.taobao.org',
  electron_mirror: 'https://npm.taobao.org/mirrors/electron/',
  CHROMEDRIVER_CDNURL: 'http://npm.taobao.org/mirrors/chromedriver/',
  sass_binary_site: 'https://npm.taobao.org/mirrors/node-sass/',
  phantomjs_cdnurl: 'https://npm.taobao.org/mirrors/phantomjs',
  'strict-ssl': false,
  proxy: null,
  'https-proxy': null,
  '//npm.xxxxx.com/:_authToken': '8624c0fe-ea43-4f30-b113-617f22e9c6c6'
}

Solution:

NODE_TLS_REJECT_UNAUTHORIZED=0 yarn

[Solved] Docker ubuntu swoole fatal error: openssl/ssl.h: No such file or directory

Dockerfile

RUN apt-get update -y
# libssl-dev provides openssl/ssl.h and the link libraries (openssl-devel on CentOS)
RUN apt-get install -y libssl-dev
RUN cd /tmp/ && rm -rf ./swoole-src \
    && curl -o ./swoole.tar.gz https://github.com/swoole/swoole-src/archive/master.tar.gz -L \
    && tar zxvf ./swoole.tar.gz \
    && mv swoole-src* swoole-src \
    && cd swoole-src \
    && phpize \
    && ./configure --enable-openssl --with-openssl-dir=/usr/lib/ssl --enable-http2 \
    && make && make install \
    && docker-php-ext-enable swoole

Although openssl itself was installed, the corresponding development headers and libraries were missing; it took half a day to find out that libssl-dev must be installed (openssl-devel on CentOS). Check the installed version with:

openssl version -a

Git command-line configuration and configuration file to solve the clone error LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

Intro

When cloning from a GitHub repository, the following error is reported:

leung@wuyujin coderepo % git clone https://github.com/spring-guides/gs-consuming-web-service.git
Cloning into 'gs-consuming-web-service'...
fatal: unable to access 'https://github.com/spring-guides/gs-consuming-web-service.git/': LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443 
leung@wuyujin coderepo % git clone https://github.com/spring-guides/gs-consuming-web-service.git
Cloning into 'gs-consuming-web-service'...
fatal: unable to access 'https://github.com/spring-guides/gs-consuming-web-service.git/': LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443 
leung@wuyujin coderepo % 

Core error: LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to github.com:443

It is an SSL certificate verification problem.

Configuration

Git's configuration for the current user is written to the .gitconfig file in the user's home directory (if it does not exist, create it with touch ~/.gitconfig).
Taking user wuyujin as an example, the full path of the Git configuration file is:
Windows: C:
Linux: /home/wuyujin/.gitconfig
macOS: /Users/wuyujin/.gitconfig

Git can be configured in two ways:
through the command line: the corresponding configuration items are written to the configuration file automatically (premise: you know how to write the command);
by editing the configuration file directly (premise: you know the format and rules of the configuration file).

Command required:

git config --global http.sslVerify false
git config --global https.sslVerify false

The effect is that the configuration file is written as follows:

[http]
        sslVerify = false
[https]
        sslVerify = false

In addition, user.name, user.email and other parameters can be set (not needed here).

shell


leung@wuyujin coderepo % git config --global http.sslVerify false
leung@wuyujin coderepo % git config --global https.sslVerify false

leung@wuyujin coderepo % more ~/.gitconfig 

[http]
        sslVerify = false
[https]
        sslVerify = false
leung@wuyujin coderepo % 

Clone again; this time it succeeds.

Another possibility

The error also appears when one repository is being cloned and a second clone is started in another window.

Cloning one repository at a time does not report the error.

That is: parallel clone --> serial clone.

Configure HTTPS and a self-signed certificate for nginx

1、 Get the certificate ready.

The steps are the same as those described in "Using OpenSSL to self-issue the server's HTTPS certificate", repeated here.

Making the CA certificate:
ca.key, the CA private key:
openssl genrsa -des3 -out ca.key 2048
Making the decrypted CA private key (generally unnecessary):
openssl rsa -in ca.key -out ca_decrypted.key
ca.crt, the CA root certificate (public key):
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

Making the website certificate and authenticating it with the CA's signature. Assume here that the website domain name is blog.creke.net.
Generate the blog.creke.net certificate private key:
openssl genrsa -des3 -out blog.creke.net.pem 1024
Making the decrypted blog.creke.net certificate private key:
openssl rsa -in blog.creke.net.pem -out blog.creke.net.key
Generate the signing request:
openssl req -new -key blog.creke.net.pem -out blog.creke.net.csr
In the Common Name field, fill in the website domain name, such as blog.creke.net, to generate a certificate for that site; a wildcard name such as *.creke.net can also be used to generate a site certificate valid for all second-level domain names. Sign with the CA:

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in blog.creke.net.csr -out blog.creke.net.crt

Here the -policy parameter allows the signing CA and the website certificate to carry different country, locality and other fields, and the -days parameter is the validity period of the signature. If the error "I am unable to access the /…/CA/newcerts directory" is reported (the CA directory is the one set in /etc/pki/tls/openssl.cnf), run:
mkdir -p CA/newcerts
touch CA/index.txt
touch CA/serial
echo "01" > CA/serial
then re-execute the signing command. Finally, paste the contents of ca.crt into blog.creke.net.crt. This is important: if it is not done, some browsers may not accept the certificate. Now the website private key blog.creke.net.key and the website certificate blog.creke.net.crt are ready. Next, configure the server.
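As an added example (not the original post's commands), here is the whole of step 1 as an unattended shell script: it builds the CA, issues a certificate for blog.creke.net, concatenates leaf and CA into the file nginx should serve, and verifies the result; the same missing-CA situation is what the yarn "unable to verify the first certificate" error above reports from the client side. It assumes openssl 1.1.1 or later on PATH, uses openssl x509 -req instead of openssl ca so the newcerts/index.txt/serial database is not needed, leaves the keys unencrypted, and adds a subjectAltName, which browsers require in addition to the Common Name.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA and a CA-signed
# site certificate with openssl, then verify the chain. Assumes openssl >= 1.1.1
# on PATH; DOMAIN and OUT are placeholders.
set -eu
DOMAIN="${DOMAIN:-blog.creke.net}"   # domain name used in the post
OUT="${OUT:-$(mktemp -d)}"           # constructed scratch directory

write_req_config() {
  # Minimal config so "openssl req" works without a system openssl.cnf;
  # ca_ext marks the root as a CA, which "openssl verify" requires.
  cat > "$OUT/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

make_ca() {
  write_req_config
  # CA key left unencrypted so the script runs unattended (the post's -des3 prompts).
  openssl genrsa -out "$OUT/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 7305 -sha256 -config "$OUT/req.cnf" \
    -key "$OUT/ca.key" -subj "/CN=Example Private CA" -out "$OUT/ca.crt"
}

make_site_cert() {
  openssl genrsa -out "$OUT/$DOMAIN.key" 2048 2>/dev/null
  # CSR with the site name as Common Name, as the post describes.
  openssl req -new -sha256 -config "$OUT/req.cnf" -key "$OUT/$DOMAIN.key" \
    -subj "/CN=$DOMAIN" -out "$OUT/$DOMAIN.csr"
  # Browsers match the host name against subjectAltName, not the CN.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$DOMAIN" > "$OUT/site.ext"
  # Sign with the CA; "openssl x509 -req" replaces the post's "openssl ca",
  # so no index.txt/serial/newcerts database is needed.
  openssl x509 -req -days 1460 -sha256 -in "$OUT/$DOMAIN.csr" \
    -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
    -extfile "$OUT/site.ext" -out "$OUT/$DOMAIN.crt" 2>/dev/null
  # What nginx should serve: leaf first, then the issuing CA. Serving the leaf
  # alone is what makes clients report "unable to verify the first certificate".
  cat "$OUT/$DOMAIN.crt" "$OUT/ca.crt" > "$OUT/$DOMAIN.fullchain.crt"
}

verify_chain() {  # succeeds when the leaf chains to the CA and carries the SAN
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/$DOMAIN.crt" >/dev/null &&
    openssl x509 -in "$OUT/$DOMAIN.crt" -noout -text | grep -q "DNS:$DOMAIN"
}

leaf_verifies_without_ca() {  # a client that does not trust the private CA: fails
  openssl verify "$OUT/$DOMAIN.crt" >/dev/null 2>&1
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }  # 2 for the full chain
make_ca && make_site_cert && verify_chain && echo "chain OK in $OUT"
```

Point ssl_certificate at the .fullchain.crt file and ssl_certificate_key at the .key file; leaf_verifies_without_ca shows what a client sees when the CA is neither served nor trusted.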

2、 Configure nginx

Create a new virtual host and set the following in its server {} section:

listen 443;
ssl on;
ssl_certificate /path/to/blog.creke.net.crt;
ssl_certificate_key /path/to/blog.creke.net.key;

The paths are those of the website certificate and key just generated (on nginx 1.15 and later, ssl on; is deprecated in favour of listen 443 ssl;). Then check the configuration and reload nginx:
check configuration: nginx -t
reload: nginx -s reload

3、 Optimize nginx configuration

Optimize nginx performance by adding:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

According to the official documentation, 1m of cache can store 4000 sessions. Also add to the server {} block of the HTTPS virtual host:

keepalive_timeout 70;

Sometimes you will find that after a program such as phpMyAdmin logs in, it redirects to HTTP by mistake. The solution is to locate the "location ~ .*\.(php|php5)?$ {}" block and add, after include fcgi.conf; (or after the fastcgi_param configuration):

fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;

The official nginx documentation on HTTPS can be used as a reference.

Note: reposted from http://blog.creke.net/762.html

(20210301 solved) can’t connect to HTTPS URL because the SSL module is not available

Overview: using requests to send a request fails with the following error:

Can’t connect to HTTPS URL because the SSL module is not available.

The requested URL itself is fine and the same code runs normally on Linux; only Anaconda under Windows fails. Of the solutions in the references, 3, 4 and 5 are the common explanations, which had no effect in my case. What worked for me was the second answer in reference 1:

# copy the files
libcrypto-1_1-x64.*
libssl-1_1-x64.*
# from ~\anaconda3\Library\bin to ~\anaconda2\DLLs

This solves the problem; I still do not understand the specific reason, mainly because my understanding of SSL at the network transport level is not deep enough.

References
1. requests (caused by SSLError("can't connect to HTTPS URL because the SSL module is not available.")) error in PyCharm when requesting a website
2. can't connect to HTTPS URL because the SSL module is not available
3. python3 sends an HTTPS request using the requests module and reports "caused by SSLError: can't connect to HTTPS URL because the SSL module is not available"
4. When using the requests library, Python reports an error when visiting an HTTPS website: SSL module is not available
5. Python encounters can't connect to HTTPS URL because the SSL module is not available

Solutions to the failure of importing Python 3.7 SSL module

There are many articles on the Internet about how to fix the failure to import the _ssl module in Python 3.7, but most of them do not actually work. The following method has been tested in practice.

First, install the dependencies
Building the ssl module requires OpenSSL or LibreSSL (either one). The installed OpenSSL was version 1.0.1, which does not meet the requirements of Python 3.7. The version requirements for the SSL library are:
openssl >= 1.0.2, libressl >= 2.6.4
My working environment: Ubuntu 14.04, Python 3.7.3; download link: https://www.python.org/ftp/python/3.7.3/Python-3.7.3.tgz

Download and install LibreSSL
Website: https://www.libressl.org/, download link: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.1.tar.gz
./configure --prefix=/usr/local/ssl
make
sudo make install
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
(if no SSL was installed before, the two mv steps can be skipped)
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
In the /etc/ld.so.conf.d directory create the file libressl-2.9.1.conf containing the line /usr/local/ssl/lib, then run:
sudo ldconfig

Install Python 3.7
Configure the environment variables:
export LDFLAGS="-L/usr/local/ssl/lib"
export CPPFLAGS="-I/usr/local/ssl/include"
export PKG_CONFIG_PATH="/usr/local/ssl/lib/pkgconfig"
Unzip the Python installation package and run the configure script:
./configure --enable-shared
Check that the SSL configuration is working: verify that the ssl module imports successfully in /usr/local/bin/python3.7.

3. Other errors
Failed to compile the ssl module

Solution:
Go to the LibreSSL build directory libressl-2.9.1 and run:
sudo cp ssl/.libs/libssl.so.47.0.5 /lib/x86_64-linux-gnu/
sudo cp crypto/.libs/libcrypto.so.45.0.4 /lib/x86_64-linux-gnu/
sudo ln -s /lib/x86_64-linux-gnu/libssl.so.47.0.5 /lib/x86_64-linux-gnu/libssl.so.47
sudo ln -s /lib/x86_64-linux-gnu/libcrypto.so.45.0.4 /lib/x86_64-linux-gnu/libcrypto.so.45
then recompile Python.

Failed to compile the _ctypes module

Solution: install libffi-dev:
sudo apt-get install libffi-dev

cURL error 35:error:140770FC:SSL routines:SSL_23_GET_SERVER_HELLO:unknown protocol

A problem occurred during the SSL/TLS handshake. You really do need to enable the error buffer and read the message there, because it hints at the cause: it can be a certificate problem (file format, path, permissions), a password, and so on.

Error message: cURL error 35: error:140770FC:SSL routines:SSL_23_GET_SERVER_HELLO:unknown protocol

Solutions:
1. Change the SSL version

curl_setopt($ch, CURLOPT_SSLVERSION, 3); // force the SSL version; values 1 to 3 can be tried (3 is CURL_SSLVERSION_SSLv3)
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // do not verify the server certificate

If this doesn’t work, see below

2. Modify the file permissions to 777
If this doesn’t work, see below
3. Remove https:// from the requested URL
Example: change https://www.360kan.com to www.360kan.com

SELinux solution to Apache SSL failure

Today the blogger planned to configure Apache with multiple certificates so that several domain names can be accessed via https://***. According to online tutorials, it is enough to add multiple <VirtualHost *:443> sections. But restarting httpd always failed with:

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Examining with journalctl -xe shows:

systemd[1]: Unit httpd.service entered failed state.
systemd[1]: httpd.service failed.
polkitd[475]: Registered Authentication Agent for unix-process:7076:2357584 (system bus name :1.219 [/usr/bin/pkttyagent -.....

It is hard to see what is wrong from this (at this point the blogger did not know that httpd has an error_log, facepalm).
After a long time, I finally opened /var/log/httpd/error_log:

AH02312: Fatal error initialising mod_ssl, exiting.
SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
Permission denied: AH02201: Init: Can't open server certificate file 

When the blogger saw this error message, he immediately understood: it was SELinux! He had fallen into many SELinux pitfalls before. So the first thing that came to mind was that the SSL certificate file and the private key file did not have the right context. Turning SELinux off directly would certainly solve the problem, but that is just a once-and-for-all shortcut that will cause more problems later.
The solution
Three files are required to configure SSL:
2_domain.com.crt
3_domain.com.key
1_root_bundle.crt
Let’s say they’re all under /usr/local/apache/conf/

cd /usr/local/apache/conf/ 

Display the current context of each file:

ll -Z

Change the context:

chcon -u system_u -r object_r -t cert_t 1_root_bundle.crt
chcon -u system_u -r object_r -t cert_t 2_domain.com.crt
chcon -u system_u -r object_r -t cert_t 3_domain.com.key

This context is not the only possible one; if this setting does not work, try another.

An error is reported when opening HTTPS with the following error code: ssl_error_ssl_disabled (solved)

Recently, when connecting to Oracle's EM console with the Firefox browser, the connection always failed:
https://124.13.23.23:1158/em

Error: Unable to secure connection because SSL protocol is disabled. (ssl_error_ssl_disabled)

Check on the AIX system that the EM service has been started:

Hgsdfe01 :[/oracle]$emctl status dbconsole
oracle Enterprise Manager 11g Database Control Release 11.2.0.1.0
Copyright (c) 1996, 2009 Oracle Corporation. All rights reserved.

https://hgdss01:1158/em/console/aboutApplication Oracle Enterprise Manager 11 g is running.
——————————————————————
Logs are generated in directory /oracle/app/oracle/product/11g/db/hgdsfe01_sfedev/sysman/log

EM has been started.

Solution:
1: Download the latest Firefox browser: 3.6.12
2: Tools -> Options -> Advanced -> Encryption
3: Check "Use TLS 1.0"
4: Click OK
5: Close and reopen Firefox.

To those who encountered "simple bind failed 192.168.1.×××:636"

Last time I wrote an article about changing passwords for LDAP users (mainly referring to two other articles), and I noticed a strange phenomenon. The AD server I developed on and used is a three-in-one machine that is also my own web server and certificate server, and the password could be changed successfully as described there. The program was packaged into a WAR file and tested on the servers on the 6th, 15th and 16th floors; each of them also uses a single machine as AD, web server and certificate server. Both the 6th and 15th floors could change the password of the connected AD user normally, but the 16th floor did not work: the error "simple bind failed IP:636" was reported all the time, which depressed me very much. I had to search on the net, interrupted by other tasks for a while, and looked for several weeks on and off. Some said SSL was not enabled, some said "SSL is not supported", some said it was a simple bind error (which is nonsense); there was no definite answer. I joined several LDAP communication groups and asked around for a long time, also with no solution. During this period the AD configured for the web application on the 15th floor was replaced by another one, and this error also occurred there. I found another machine to configure again, but the same error occurred. Xj installed a WIN2003 machine and let me test on it: the same error. The web application that could originally change passwords normally on my machine then sometimes could not change them and sometimes could; the machine on the 15th floor that originally could not change the password suddenly could again yesterday afternoon. I asked others and made sure nobody had changed the AD or web settings: the same application, the same configuration, performing the same function, with results going up and down. That day was my most depressing day. This morning, on a sudden impulse, I imported the certificate again, and the result was that the password was changed successfully.
Steps (omitting the installation of the certificate service, see the previous section): 1. Select "Start -> Run", enter mmc to open the console, and select the "Add Certificate snap-in" menu item; as before, select "Personal -> Certificates", select the certificate you previously created in the Certificate Services section, and then "All Tasks -> Export" to re-export it to a new CER file. Then "Start -> Run -> cmd" to open a console, use the cd command to switch to the bin directory of the JDK used by the web application, and enter the command "keytool -import -keystore <keystore file> -file <cer file path>" to import the new certificate. Afterwards you can see the newly named keystore file in the JDK bin directory; then change the certificate path used when changing the password to the path of the keystore file just generated. After restarting the server, test the password change function again, and you are done. Then I did the same on the 14 machine, and the 14 machine was also able to change the password successfully. Great. I do not know whether this is the exact solution to the simple bind failure (or whether it just happened to change some setting on my system?), but if any of you have the same problem, try re-importing the certificate and you may be able to fix it.

keytool error: java.lang.Exception: Failed to establish chain from reply

During the encryption of a CDH cluster, the following error occurred when importing the signed certificate into the keystore:
keytool error: java.lang.Exception: Failed to establish chain from reply
I could not solve it and read many articles, until a Baidu search later turned up an article in English, https://www.veritas.com/support/en_US/article.000021204, which mentions the following:

Problem
When importing an SSL certificate to Clearwell’s keystore, an error is encountered.
Error Message
keytool error: java.lang.Exception: Failed to establish chain from reply
Cause
Root and/or Intermediate certificates have not been imported in order.

I checked and found that I had commented out an earlier step and not executed it: importing the self-signed certificate (that is, my root certificate) into the server keystore.
After changing this and performing that step first, the import then works normally.
Summary: the order in which certificates are imported into the keystore matters; if there is a root certificate or a multi-level certificate authority, they must be imported level by level from the top down.