LinuxQuestions.org
Old 02-10-2009, 01:57 AM   #1
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Rep: Reputation: 49
openssl ssl error code 14090086 verify the CA cert is ok / certificate verify failed


Bypass next drivel by going to here:

http://www.linuxquestions.org/questi...3/#post3459043

Hi,

BTW I've a Slackware 11.0 box that this (app) es<snipped>niper (less the <snipped>) works just fine on, no prob., no error.

The prob. that I post about here happens on my Slack 12.2 box.

Slackware 12.2 with the (latest official) the patched ssl .tgz package and the patched lib package.

Using the (open source app.) es<snipped>niper (less the <snipped>) which b i d s to the https e<snipped>bay (less the <snipped>) au<snipped>ction site.

The above app uses curl and openssl.

I'm not sure if this is a curl or an openssl problem. (but I think it's ssl prob.).

curl can download to STDOUT the html markup -- that part is working.

I added (to no avail) an env var for curl to find where the CA certs are.

al@P5Q:~$ env | grep CU
CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

root@P5Q:/etc/ssl/certs# pwd
/etc/ssl/certs
root@P5Q:/etc/ssl/certs# ls -la
total 8
drwxr-xr-x 2 root root 4096 2009-02-09 21:56 ./
drwxr-xr-x 5 root root 4096 2009-02-09 20:38 ../
lrwxrwxrwx 1 root root 24 2009-02-09 21:56 ca-certificates.crt -> /home/al/.ssh/cacert.pem

I saw the verify openssl man page which listed options. I googled for some verify example command lines but didn't find any.

user and password (for my_e<snipped>bay) are a go but then the error quickly returns (both as root also as user)

Next is the error in its entirety

Code:
al@P5Q:~$ es<snipped>niper auc_tion_# $_amount
Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Retrying...
Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Retrying...
Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Auction auc_tion_#: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Alan.

http://www.linuxquestions.org/questi...3/#post3459043

Last edited by acummings; 02-27-2009 at 03:05 AM. Reason: Bypass my drivel (apologies), go directly to url link at top of this post.
 
Old 02-11-2009, 01:29 PM   #2
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
I hope you know what host and port it connects to. Try to get verbose information from openssl s_client -host host -port port. Also note that it may be that your program doesn't use curl, and needs some special options to tune certificate validation.
 
Old 02-23-2009, 04:58 PM   #3
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Original Poster
Rep: Reputation: 49
Bug in Slack 12.2 openssl config? Or? Attn. Slackware development team members

Hi,

Please see at the next url/thread for the specifics of the openssl error:

[MODERATED:this thread] (please don't crosspost, otherwise post duplicates or attn:redirects).

Two, patched up to date, Slackware 12.2 boxes now do this very same SSL error. OTOH a slackware 11.0 box openssl works fine, without any error.

Is this due to a bug in the 12.2 openssl config? Or, instead, is it that a Slackware 11.0 box openssl works OK without this error due to an insecureness inherent in its earlier version of openssl?

BTW if I get some time, I can run NMAP and/or wireshark so as to find out what port(s) the 12.2 openssl runs on so as for me to pursue the one reply to my above listed thread.

Thanks much! Slack rocks!

--
Alan.

Last edited by unSpawn; 02-23-2009 at 05:56 PM. Reason: merge threads
 
Old 02-23-2009, 05:04 PM   #4
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Original Poster
Rep: Reputation: 49
Hi,

esniper does use curl.

Forget esniper.

I get the same openssl error using curl to logon to https my ebay.

While doing that, I get prompted for my username and password which goes fine.

The listed openssl error returns just after my password is sent. And, logon does not happen due to the error.

Thanks. Alan.
 
Old 02-23-2009, 05:14 PM   #5
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
Looks like the login form is sent via unencrypted http (which makes it vulnerable to interception and redirection to another URL, but that's another story). Did you try the command I specified? It could help you to get the certificate you need to feed to curl. Or you can use the -k flag to curl for not verifying the SSL certificate.
 
Old 02-23-2009, 05:46 PM   #6
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,395

Rep: Reputation: Disabled
Why so secretive about the use of esniper? If you feel bad about using it, then don't.
The curl in Slackware is not configured to look for a CA certificate bundle in a default location (nor does the curl package ship with one). Also, curl uses openssl for the "https" part - without a CA certificate bundle, curl can not verify the correctness of the certificate chain.

You can however use one of the CA certificate bundles installed with KDE's "kdelibs" package (both KDE4 and KDE3). An example invocation:
Code:
curl --cacert /usr/share/apps/kssl/ca-bundle.crt -v https://www.mozilla.org/
If you do not have KDE installed or just want a recent CA cert bundle, download the one from the curl site (it is kept up to date with the CA pool from the Mozilla foundation): http://curl.haxx.se/ca/cacert.pem and install it in a sane place like /etc/ssl/certs/ .

I have no idea how esniper uses curl, so I can not comment on the use of a CURL_CA_BUNDLE environment variable. You may have to reconfigure/recompile curl and specify an explicit path for the CA certificate file (/etc/ssl/certs/ca-bundle.crt is a common name for that).

Eric
 
Old 02-23-2009, 05:50 PM   #7
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,395

Rep: Reputation: Disabled
It's not a bug, it is a feature. SSL certificates are not trusted by looking into their big blue eyes.

You are probably right that the old curl packages had a CA certificate bundle configured for use. My old 10.1 box comes with /usr/share/curl/curl-ca-bundle.crt and uses that too. You can email Pat about the missing ca-bundle.crt.

Eric
 
Old 02-23-2009, 07:29 PM   #8
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Original Poster
Rep: Reputation: 49
Well then, evidently it's a feature, as you said.

IOW, "let us be secure." (I wouldn't have it otherwise).

Yes, (see enclosed url, etc.) curl no longer ships with any cert bundle.

For now, at next, I'm sounding out what it appears that I need to do to get it to work (securely -- disabling the cert or secure check is not an option) on Slack 12.2

I've perhaps a few minutes this evening or else a few days will pass until I have more experimentation (hacking?) time.

http://curl.haxx.se/docs/faq.html#Wh...te_ca_bundle_c

(curl no longer ships with ca_bundle.cert)

http://curl.haxx.se/docs/sslcerts.html

(howto do it yourself, the ca_bundle.cert)

Quote:
4. If you're using the curl command line tool, you can specify your own CA
cert path by setting the environment variable CURL_CA_BUNDLE
Quote:
2. . . . With the curl command line tool: --cacert [file]
Hmm, since esniper calls curl, then, it appears that I need to:

1. intercept and alter the esniper command line that gets passed to openssl

2. alias my system curl so that when "curl" gets called, it also adds into the command the mentioned above pointers to my CA_cert bundle or whatever it's called that no longer ships with curl.

3. (?) Re compile myself a Slackware package of curl and openssl that includes a cert bundle so that the paths to the bundle are native ie not needed on curl's command line.

--
Alan.
 
Old 02-23-2009, 07:44 PM   #9
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Original Poster
Rep: Reputation: 49
Quote:
Did you try the command I specified? It could help you to get the certificate you need to feed to curl. Or you can use -k
(-k is not an option that I'll choose).

curl to https my ebay login page is attempting to do it securely. It just is "Unable to verify" some certificate. So it stops without logging on.

Not yet tried your specified command. I need to run NMAP and/or ethereal in order to find out what port(s) are being used.

You specified said port(s) are a part of your specified command.

Thanks. I'll report back here when I can, shouldn't be any longer than a couple or 3 days from now.

Meanwhile, until then, I've moments or precious few minutes.

So, I can watch here. And short experiment until a few days from now then I can get more extensive.

(it's probably a rather simple problem, ha ha) -- I just (don't yet) know enough about it all.

Alan.
 
Old 02-24-2009, 12:00 AM   #10
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
https uses port 443
 
Old 02-26-2009, 02:41 AM   #11
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Original Poster
Rep: Reputation: 49
I'm a dummy on this ssl stuff. The next doesn't work. What have I done wrong?

Code:
al@P5Q:~$ hig openssl
  470  openssl s_client -host 127.0.0.1 -port 443
  472  openssl s_client -host https://signin.ebay.com/ws/eBayISAPI.dll?SignIn -port 443
  473  openssl s_client -host https://signin.ebay.com/ws/eBayISAPI.dll?SignIn -port 443
  475  hig openssl
al@P5Q:~$
Alan.
 
Old 02-26-2009, 03:22 AM   #12
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
Wrong. "openssl s_client -host signin.ebay.com -port 443". It should print out server certificate.
 
Old 02-26-2009, 03:32 AM   #13
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Original Poster
Rep: Reputation: 49
Quote:
It should print out server certificate.
It did! Cool.

Am I the client? ie "no client certificate sent" or similar.

What next?

Alan.
 
Old 02-26-2009, 03:45 AM   #14
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
Yes you are. But I guess you didn't plan to use a client certificate for authentication anyway. OpenSSL told you which top-level certificate is used. You could export that root certificate from Firefox and specify it with the "--cacert some.cert" option to curl.
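The s_client check raskin describes in #2, #12 and #14, as an added example that is not part of the thread or of OpenSSL's own tooling: a small POSIX shell script that runs openssl s_client against a host with a chosen CA bundle, pulls out the subject/issuer lines of the certificate chain (which name the root that belongs in the bundle) and the "Verify return code", and says what that code means for the bundle. The verify codes 0, 19, 20 and 21 are standard OpenSSL values; the host names, the script name check-ca-chain.sh and the sample s_client output embedded at the bottom are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the thread: drive the s_client check and read
# its result. Usage: sh check-ca-chain.sh host [bundle]; with no
# arguments it diagnoses the constructed SAMPLE_OUTPUT below.

# Print just the numeric "Verify return code" from s_client output on
# stdin. Prints 255 when the line is missing, i.e. no handshake happened
# (wrong host, a URL given where a bare hostname was expected, port closed).
verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | sed -n '1p')
    echo "${code:-255}"
}

# Print the subject (s:) and issuer (i:) lines of the "Certificate chain"
# section; the last issuer is the root the CA bundle has to contain.
chain_lines() {
    sed -n '/^Certificate chain/,/^---/{/^ *[0-9][0-9]* s:/p;/^ *i:/p;}'
}

# Map a verify code to what it means for the bundle; returns 0 only for ok.
explain_code() {
    case $1 in
        0)   echo "ok: chain verified against the supplied CA bundle"; return 0 ;;
        19)  echo "self-signed certificate in chain: the bundle does not contain this root" ;;
        20)  echo "unable to get local issuer certificate: the bundle lacks the issuing CA, or is empty/unreadable" ;;
        21)  echo "unable to verify the first certificate: the server sent no intermediate, fetch and add it" ;;
        255) echo "no verify result: the handshake never completed, check host and port" ;;
        *)   echo "verification failed with code $1 (see the openssl verify man page)" ;;
    esac
    return 1
}

# Read s_client output from stdin, print the chain and a verdict.
diagnose() {
    out=$(cat)
    echo "chain:"
    printf '%s\n' "$out" | chain_lines
    code=$(printf '%s\n' "$out" | verify_code)
    explain_code "$code"
}

# Live check (not exercised by the test). -CAfile is the same bundle curl
# would get via --cacert; -servername sends SNI so a shared host returns
# the certificate for this name rather than its default one.
check_host() {
    host=$1
    bundle=${2:-/etc/ssl/certs/ca-certificates.crt}
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$bundle" \
        </dev/null 2>/dev/null | diagnose
}

# Constructed sample of what s_client prints when the issuing root is
# missing from the bundle (the thread's symptom, error 14090086 on the
# curl side). Not captured from a real server.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 /C=US/O=Example CA/CN=Example Root CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Example Shop/CN=signin.example.com
   i:/C=US/O=Example CA/CN=Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
TUlJQmNvbnN0cnVjdGVk
-----END CERTIFICATE-----
subject=/C=US/O=Example Shop/CN=signin.example.com
issuer=/C=US/O=Example CA/CN=Example Root CA
---
No client certificate CA names sent
---
    Verify return code: 20 (unable to get local issuer certificate)
---'

if [ -n "${1:-}" ]; then
    check_host "$1" "${2:-}"
else
    # The sample is expected to report a failure; keep going regardless.
    printf '%s\n' "$SAMPLE_OUTPUT" | diagnose || true
fi
```

Run it as "sh check-ca-chain.sh signin.ebay.com /etc/ssl/certs/ca-certificates.crt" to reproduce the thread's check against a real bundle; a code of 20 with a correct hostname means the bundle, not the server, is what needs fixing, while 255 usually means the -host/-connect argument was a URL rather than a hostname, the mistake in #11.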
 
Old 02-27-2009, 02:51 AM   #15
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Original Poster
Rep: Reputation: 49
I got it working!!

I used the next. Ran it

http://curl.haxx.se/lxr/source/lib/mk-ca-bundle.pl

And, doing so, created: ca-bundle.crt

al@P5Q:~/.ssh$ pwd
/home/al/.ssh
al@P5Q:~/.ssh$ ls
ca-bundle.crt


root@P5Q:~# removepkg curl-7.19.2-i486-1


From a Slackware mirror, I downloaded the "curl" source folder of files (source for curl)

I added one line into the configure section of the slackbuild, thus:

./configure \
--prefix=/usr \
--mandir=/usr/man \
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt \
$SSLOPT

The added one-liner is above $SSLOPT (permanently points it to the cert bundle).

Then I built my _ac package of curl:

root@P5Q:~# sh ./curl_ac.SlackBuild

Then I installed this new curl:

root@P5Q:~# installpkg curl-7.19.2-i486-1_ac.tgz

Next it can be seen that I symlinked from where this new curl looks for the cert bundle to the nice, newly created cert bundle, created from the Perl script listed above.

root@P5Q:/etc/ssl/certs# pwd
/etc/ssl/certs
root@P5Q:/etc/ssl/certs# ls -la
total 12
drwxr-xr-x 2 root root 4096 2009-02-26 22:22 ./
drwxr-xr-x 5 root root 4096 2009-02-26 01:06 ../
lrwxrwxrwx 1 root root 27 2009-02-26 22:22 ca-certificates.crt -> /home/al/.ssh/ca-bundle.crt

al@P5Q:/var/log/packages$ lsg curl
curl-7.19.2-i486-1_ac

al@P5Q:/var/log/packages$ lsg esn
esniper-2-19-0-i486-1

It all works superbly now!!

What I don't know is if there's any .config or .rc file for curl (set the path there to the cert bundle instead of doing so in the ./configure).

A second thing I don't know is if there still was a default path in curl for the cert bundle or if they also took this (said default path) out since they have discontinued shipping a cert bundle with curl.

BTW I do not know why I munged ebay and esniper in my very first post -- it was rather late that night -- things that howl at the moon sometimes come out late at night . . .

OTOH, *sometimes* some of the best creativity shows its head late at night ("The Raven" by Edgar Allan Poe, for some reason, I know not why, comes to mind).

I did not ask anyone to read my drivel. I only had pointed to this thread in reference to ***the relevant openssl error message is in this thread***

That directive would have put me in "scan" mode -- ie quickly scan up and down until I quickly found "error". No reading of drivel. Done. Over with.

Well, burning the late lamp hour and all . . . this has been good. I know way much more now on curl and openssl than I did before all of this started.

--
Alan.
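The bundle handling Alien Bob describes in #6 (--cacert, a bundle under /etc/ssl/certs) and the rebuilt curl in #15 (--with-ca-bundle pointing at a symlink to a generated ca-bundle.crt), as an added example that is not from the thread, from curl or from esniper: a POSIX shell script that validates the bundle file before curl is pointed at it, following the symlink, counting complete PEM certificate blocks, and reporting which path the curl tool will actually use. It also records the caveat the quoted FAQ entry implies: CURL_CA_BUNDLE is honoured by the curl command-line tool, not by libcurl, so a libcurl program such as esniper only sees the configure-time path (or its own option), which is why the rebuild in #15 worked where the env var in #1 did not. The only tool-specific call is "curl-config --ca", which prints the configure-time bundle path; the script name check-ca-bundle.sh and the sample PEM contents used in the checks are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a CA bundle before pointing
# curl (--cacert / CURL_CA_BUNDLE) or a rebuilt curl (--with-ca-bundle)
# at it. Assumes POSIX sh plus grep and readlink; curl-config is optional.
# Usage: sh check-ca-bundle.sh [bundle]  (defaults to what curl will use)

# Count complete PEM certificate blocks in a file. Prints the count and
# returns 1 when the file is unreadable, holds no certificates, or has
# unbalanced BEGIN/END markers (a truncated download, for instance). An
# empty or wrong file is the usual reason curl reports error 14090086
# even though a bundle path was supplied.
count_bundle_certs() {
    bundle=$1
    if [ ! -r "$bundle" ]; then
        echo 0
        return 1
    fi
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$bundle" || true)
    echo "$begins"
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Which bundle the curl *tool* will use: the environment variable wins,
# otherwise the path baked in at ./configure time (curl-config --ca prints
# it; empty output means none was configured, the Slackware 12.2 case).
# Programs linked against libcurl, like esniper, ignore CURL_CA_BUNDLE.
curl_bundle_path() {
    if [ -n "${CURL_CA_BUNDLE:-}" ]; then
        echo "$CURL_CA_BUNDLE"
    elif command -v curl-config >/dev/null 2>&1; then
        curl-config --ca
    fi
}

# Validate one bundle path, following a symlink such as the thread's
# /etc/ssl/certs/ca-certificates.crt -> ~/.ssh/ca-bundle.crt. Returns 0
# and prints a summary when the file is usable.
check_bundle() {
    bundle=$1
    if [ -L "$bundle" ]; then
        target=$(readlink "$bundle")
        if [ ! -e "$bundle" ]; then
            echo "dangling symlink: $bundle -> $target"
            return 1
        fi
        echo "symlink: $bundle -> $target"
    fi
    if n=$(count_bundle_certs "$bundle"); then
        echo "ok: $bundle holds $n CA certificate(s)"
    else
        echo "unusable bundle: $bundle ($n complete certificate(s) found)"
        return 1
    fi
}

# Stand-alone use: check the given bundle, else the one curl is set up for.
if [ -n "${1:-}" ] || [ -n "$(curl_bundle_path)" ]; then
    echo "curl tool bundle: $(curl_bundle_path)"
    check_bundle "${1:-$(curl_bundle_path)}" || true
fi
```

After the rebuild in #15, "curl-config --ca" should print /etc/ssl/certs/ca-certificates.crt and "sh check-ca-bundle.sh" should follow the symlink and report a count in the low hundreds for a bundle produced by mk-ca-bundle.pl; a count of 0 on the symlink is the state the first post was in, where the link pointed at a file that was not a CA bundle at all.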
 
  


All times are GMT -5.