SSL certificate issue: "self-signed certificate in certificate chain"

I am using a self-generated (self-signed) SSL certificate, and I would like to know whether the following is a problem, and if so, what I can do to fix it. The certificate is for my Ruby on Rails 3 application running on local hosting.

I am using Mac OS "Snow Leopard" 1.6.6. When I enter the following in the terminal:

    <my_user_name>$ openssl s_client -connect localhost.com:443

I get the following:

    CONNECTED(00000003)
    depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = My Name\Surname
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
     1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICJDCCAY0CAQEwDQYJKoZIhvcNAQEEBQAwWTELMAkGA1UEBhMCQVUxEzARBgNV
    BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
    ZDESMBAGA1UEAwwJU2VyZ2lvIEwuMB4XDTExMDIxODIwMDAwOFoXDTEyMDIxODIw
    MDAwOFowXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNV
    BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEVMBMGA1UEAwwMKnBqdG5hbWUu
    Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDM46dH9rWKy5sNKBwJ7oo
    wytsjw8fFLRskJGE0QqgKpz5ZtYK8yC/kifI4gpWZYVySePmVqHR6+wpv8Ry1KVx
    Bl2qhF6ssLBbc5bvOK4eF2Rx9LNAZ/ndy+0q07DVsnAMMCxhNmegltCG1JZhazCG
    g7elPm2pIQLAQvKlFSJwkQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBADO7XJbOASZM
    Bm/XElq1AuVU1dR6/wkowLOxCn8+KWsUmyIdZj1yL8+83nhhG/yekzOr25n/I0SQ
    zN1aUi3oX5vXlx8vp2xQsnug2BM/InfQxOn+90JjhZYPbCokH9ifzYsNj7fvGg57
    KZ4et2jSfchxFMRqqoPutdOp/gNKw3me
    -----END CERTIFICATE-----
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
    issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1944 bytes and written 409 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 63BE474E62950D542BCBE30F72F80C28851EE23EA15BA34AE3E3E46AB5615505
        Session-ID-ctx:
        Master-Key: 9E8A8F7F4E824A2B251D5A28E3A133AC761BA8EDB237073973D2B1AE0AE0A31ADDADA2315F33B443B3F29D382070FC6C
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket:
        0000 - 10 b0 f3 4d 96 90 d3 65-22 d4 bf 09 27 8c a0 af   ...M...e"...'...
        0010 - d3 79 5c 9a cf d9 5b e1-3f aa 46 56 55 9b 55 50   .y\...[.?.FVU.UP
        0020 - 8b 49 99 07 bc 35 e0 bc-e1 1d 4e 61 f0 aa 33 57   .I...5....Na..3W
        0030 - 1d 37 0b dd 51 ae 81 ea-df 8e 6e 25 ff f7 2b ff   .7..Q.....n%..+.
        0040 - e9 88 79 e4 57 2a b2 f2-61 22 df 86 f0 24 57 a7   ..yW*..a"...$W.
        0050 - 06 13 b5 71 47 dc d5 ac-c2 61 89 75 6e 03 45 cc   ...qG....a.un.E.
        0060 - 14 69 0c 72 3a 4a 00 b3-4f d8 8d 44 2d 66 cb 40   .ir: J..O..D-f.@
        0070 - 80 c8 9b e2 12 9f 0d b4-58 6e a1 c7 bb fe 92 6d   ........Xn.....m
        0080 - b8 b7 b7 f0 dc 1c ab fd-44 a4 25 96 c6 09 09 a1   ........D.%.....
        0090 - aa ff c0 dc 53 6b 30 13-30 f3 44 f6 78 b1 43 c7   ....Sk0.0.DxC
        00a0 - ca 88 9d 63 41 d3 c1 a1-af fa 36 e2 9c fd 0e 62   ...cA.....6....b
        00b0 - c4 44 6b 5c 74 da ff be-a8 98 3f 54 f9 fa 59 15   .Dk\t.....?T..Y.

        Compression: 1 (zlib compression)
        Start Time: 1298072476
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)

The problem may be on line 3: "verify error:num=19:self signed certificate in certificate chain". What does it mean? Does my certificate work for localhost.com?


UPDATE

In the browser, I accepted my self-signed certificate (I explicitly added my certificate to the list of private certificates in the system), but I still get "verify error:num=19:self signed certificate in certificate chain", and in my application I use the following code for making HTTP requests over SSL:

    require 'uri'
    require 'net/https'
    require 'json'   # needed for the JSON(...) call below

    host = "https://<subdomain>.localhost.com"
    path = "/users/1.json"
    uri = URI.parse("#{host}#{path}")

    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    # I think it is necessary here to verify connections using 'http.verify_mode = OpenSSL::SSL::VERIFY_PEER':
    # on localhost the connection will fail with that, but in production mode
    # (when I deploy the application) I think I MUST use 'VERIFY_PEER'
    # note: File.dirname drops the last path component, so this resolves to
    # "<certificate_folder>/wildcard.certificate/01.pem"
    http.ca_file = File.join(File.dirname("<certificate_folder>/wildcard.certificate/ca.db.certs/"), "01.pem")

    http.start do
      # Net::HTTP#get takes the request path, not the full URL
      response = http.get(uri.request_uri)
      @test_response = JSON(response.body)["profile"]
    end

Is the connection really going through SSL? What does "VERIFY_PEER" mean?

+4
2 answers

SSL validates the host by checking the host certificate.

Each certificate is either:

  • Self-signed, or
  • Signed by another certificate.

If it is signed by another certificate, it verifies the certificate that signed it.

Now, at some point, to check whether the certificate is valid or not, it must match this certificate against the repository of "valid" certificates that it has in the system (for example, Firefox maintains its own store, Windows has its own store, etc.). If it matches some certificate in the hierarchy of the store, it considers this certificate to be valid, and therefore all the certificates signed by it are valid.

However, if the certificate is self-signed and is not in the store, it will reject it or warn that it cannot verify the certificate.

If the certificate is intended for testing the application or for a very limited scale, where you can ask people to add their certificate to their store, everything is in order. However, if you plan to transfer your application to a production site on somedomain.com, you will probably need to buy a certificate for this domain.

Note: in any case, the self-signed certificate that you have for localhost is only valid for "localhost", even if it is reachable on the intranet via IP.

+4
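The chain walk the first answer describes, and the VERIFY_PEER question from the update, worked through in Ruby's OpenSSL binding. This is an added example, not code from either poster: it constructs a throwaway self-signed CA and a wildcard leaf signed by it (stand-ins for the asker's ca.db.certs files), then verifies the leaf once with an empty trust store and once after adding the CA, which is exactly what adding the certificate to the system's private list does for a browser.

```ruby
require 'openssl'

# Build a certificate (constructed for this example). With issuer_cert nil the
# certificate signs itself, i.e. it is a self-signed root like the asker's CA.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/C=AU/O=Example/CN=My Name Surname', nil, nil, CA_KEY, 1, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/C=AU/O=Example/CN=*.localhost.com', CA_CERT, CA_KEY, LEAF_KEY, 2)

# What a client with VERIFY_PEER does: follow the chain up to a self-signed root
# and accept only if that root is in the trust store. Returns [ok, error_code];
# error 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the code in the s_client output.
def verify_chain(leaf, intermediates, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, intermediates)
  ok = ctx.verify
  [ok, ok ? 0 : ctx.error]
end

# Hostname check (the "only valid for localhost" note): CN/SAN must match the host.
def name_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

UNTRUSTED = verify_chain(LEAF_CERT, [CA_CERT], [])        # root not trusted -> 19
TRUSTED   = verify_chain(LEAF_CERT, [CA_CERT], [CA_CERT])  # root added -> accepted

if __FILE__ == $0
  puts "without CA in store: ok=#{UNTRUSTED[0]} error=#{UNTRUSTED[1]}"
  puts "with CA in store:    ok=#{TRUSTED[0]} error=#{TRUSTED[1]}"
end
```

With VERIFY_NONE the client skips verify_chain entirely, so the request succeeds against any certificate; with VERIFY_PEER it succeeds only when ca_file (or the system store) contains the signing CA and the name check passes.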

The purpose of certificates [in SSL] is to prove that the host is the one it claims to be, and not a fake one. To this end, certificates are issued by certification authorities, which [must duly] verify the identity of the person or organization requesting the certificate. Therefore, a self-signed certificate does not reliably identify the host (even if it is a local host), and most applications report a validation error when they see a self-signed certificate in the certificate chain. The only exception is [usually] when the certificate is explicitly added to the list of private certificates in the system; in that case it is accepted as valid.

Therefore, if you created your self-signed certificate for testing purposes on your computer, you can add it to the trusted list. Otherwise (if you need a certificate for a public host), you will need to buy a certificate from one of the certification authorities.

+2

Source: https://habr.com/ru/post/1340399/
