lpwevers | 02-09-2017 03:47 AM
Quote:
Originally Posted by r3sistance
(Post 5667097)
What does "curl -v -k https://digs107" return from the Apache Proxy box? First thing to verify is that the box itself can connect. If that works, drop the insecure flag (-k) and try again, if the first works and second doesn't then it's an issue verifying the certificate on digs107.
Hi,
Thanks for the tip. Indeed there seems to be an issue with the certificate on the digs107 server:
Code:
curl -v -k https://digs107
* Rebuilt URL to: https://digs107/
* Hostname was NOT found in DNS cache
* Trying 172.29.38.107...
* Connected to digs107 (172.29.38.107) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256
* Server certificate:
* subject: emailAddress=sales@xxxxxx.nl; C=NL; ST=Noord-Brabant; L=Eindhoven; O=xxxxx - DEMO; OU=Operations; CN=xandria.xxxxx.nl
* start date: 2016-12-15 12:36:03 GMT
* expire date: 2025-10-29 13:36:03 GMT
* issuer: emailAddress=sales@xxxxx.nl; C=NL; L=Eindhoven; O=xxxxx; OU=Operations; CN=xxxxx Demo Signing CA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: digs107
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 09 Feb 2017 09:44:49 GMT
< Strict-Transport-Security: max-age=2000; includeSubDomains
< Location: https://digs107/xn/xangui/rtm/rtm.zul
< Content-Length: 0
<
* Connection #0 to host digs107 left intact
Code:
curl -v https://digs107
* Rebuilt URL to: https://digs107/
* Hostname was NOT found in DNS cache
* Trying 172.29.38.107...
* Connected to digs107 (172.29.38.107) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I'll see if I can find a way to fix this.
Oh, if I provide the CA on the command line using the --cacert option it actually works:
Code:
curl -v --cacert ../ssl.crt/xxxxx-CAconcatenated.pem https://xandria.xxxxx.nl
* Rebuilt URL to: https://xandria.xxxxx.nl/
* Hostname was NOT found in DNS cache
* Trying 172.29.38.107...
* Connected to xandria.xxxxxx.nl (172.29.38.107) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: ../ssl.crt/xxxxx-CAconcatenated.pem
CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256
* Server certificate:
* subject: emailAddress=sales@xxxxx.nl; C=NL; ST=Noord-Brabant; L=Eindhoven; O=xxxxx - DEMO; OU=Operations; CN=xandria.xxxxx.nl
* start date: 2016-12-15 12:36:03 GMT
* expire date: 2025-10-29 13:36:03 GMT
* common name: xandria.xxxxx.nl (matched)
* issuer: emailAddress=sales@xxxxx.nl; C=NL; L=Eindhoven; O=xxxxx; OU=Operations; CN=xxxxx Demo Signing CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: xandria.xxxxx.nl
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 09 Feb 2017 09:56:19 GMT
< Strict-Transport-Security: max-age=2000; includeSubDomains
< Location: https://xandria.xxxxx.nl/xn/xangui/rtm/rtm.zul
< Content-Length: 0
<
* Connection #0 to host xandria.xxxxx.nl left intact
Note that I did change the name from digs107 to the full name xandria.xxxxx.nl. I've added this to the hosts file to match the correct IP address. If I used the digs107 name, I'd get a name mismatch on the certificate. I've also updated this in the Apache configuration, but alas, that did not fix it.
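The three curl runs in the post are one client doing two separate checks: building a chain from the server certificate to a trusted issuer (which fails with "unable to get local issuer certificate", curl's verify result 20 / exit code 60, when the private "Demo Signing CA" is not in CAfile or /etc/ssl/certs), and then matching the name in the URL against the certificate (which is why digs107 fails even with the right CA and xandria.xxxxx.nl shows "common name ... (matched)"). The script below is an added example, not code from the thread, and reproduces both checks offline with openssl alone: it generates a throwaway CA with the issuer name from the post, an unrelated CA standing in for a trust store that lacks the private issuer, and a backend certificate for xandria.xxxxx.nl, then classifies each verification outcome. It assumes openssl 1.1 or later on PATH; the subject names are copied from the post, the key sizes, validity period and the "Unrelated Root CA" name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Reproduces, offline and
# with openssl alone, the three verification outcomes seen in the curl runs:
#   1. issuer not in the trust store -> "unable to get local issuer certificate"
#   2. right CA, name digs107        -> hostname mismatch
#   3. right CA, name xandria.xxxxx.nl -> OK
# Assumptions: openssl >= 1.1 on PATH; names copied from the post; all keys
# and certificates are throwaway and live in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
# The [dn] entry is a placeholder; -subj below supplies the real subject.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# self_signed_ca OUTBASE SUBJECT: throwaway private root CA (key + cert)
self_signed_ca() {
  openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.pem" -subj "$2" 2>/dev/null
}

# The issuer named in the post, plus an unrelated CA that plays the role of a
# trust store (such as /etc/ssl/certs) that does not contain the private issuer.
self_signed_ca ca        "/O=xxxxx/OU=Operations/CN=xxxxx Demo Signing CA"
self_signed_ca unrelated "/O=Unrelated/CN=Unrelated Root CA"

# Backend certificate for the real name; the SAN is what clients match on.
openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
  -keyout srv.key -out srv.csr \
  -subj "/O=xxxxx - DEMO/OU=Operations/CN=xandria.xxxxx.nl" 2>/dev/null
printf 'subjectAltName=DNS:xandria.xxxxx.nl\n' > san.ext
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile san.ext -out srv.pem 2>/dev/null

# classify CAFILE HOST: verify srv.pem the way a client does (chain to CAFILE,
# then match HOST against the certificate) and print the outcome. As with curl
# in the post, openssl also consults the default CApath; it cannot help here.
classify() {
  out=$(openssl verify -CAfile "$1" -verify_hostname "$2" srv.pem 2>&1) \
    && { echo ok; return 0; }
  case "$out" in
    *"unable to get local issuer certificate"*) echo no-issuer ;;
    *[Hh]"ostname mismatch"*)                   echo hostname-mismatch ;;
    *)                                          echo "other: $out" ;;
  esac
}

echo "unrelated CA, xandria.xxxxx.nl: $(classify unrelated.pem xandria.xxxxx.nl)"
echo "right CA,     digs107:          $(classify ca.pem digs107)"
echo "right CA,     xandria.xxxxx.nl: $(classify ca.pem xandria.xxxxx.nl)"
```

The two outcomes that are not "ok" need two different fixes, and neither is `-k`: the issuer error is fixed by handing the client the CA bundle (curl's --cacert here; on the Apache proxy side the equivalent is mod_ssl's SSLProxyCACertificateFile or SSLProxyCACertificatePath, with SSLProxyVerify require), while the name error is fixed by connecting to the name the certificate carries, which for an Apache proxy means the hostname in the ProxyPass target, since that is what SSLProxyCheckPeerName compares against. Disabling verification would silently accept any certificate an on-path attacker presents on the proxy-to-backend hop.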