  1. Help-Desk
  2. HELP-7671

FIWARE.Request.Tech.Data.CKAN.CA chain not included in data portal.

    Details

    • Type: extRequest
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Fix Version/s: 2021
    • Component/s: FIWARE-TECH-HELP
    • Labels:
      None

      Description

      Dear Sir/Madam.

      The CA chain is not included on the SSL configuration, so when making
      queries using python the certificate is not validated, throwing an SSL
      validation error.

      Best regards,
      Alejandro.

      Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
      Please, send your messages using the new domain (Fiware-tech-help@lists.fiware.org) instead of the old one.
      _______________________________________________
      Fiware-tech-help mailing list
      Fiware-tech-help@lists.fiware.org
      https://lists.fiware.org/listinfo/fiware-tech-help
      [Created via e-mail received from: Alejandro Rodriguez <alex.mognom@gmail.com>]
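Added example (not part of the original ticket or of the portal's configuration): the failure reported above, reproduced offline with a constructed root, intermediate and leaf certificate. A client that trusts only the root rejects the leaf when the server omits the intermediate, with the "unable to get local issuer certificate" error that OpenSSL-based clients print; all subjects, file names and helper functions are hypothetical.

```shell
# Added example: constructed three-level PKI (root -> intermediate -> leaf).
# Subjects, file names and helper names are hypothetical, not from the ticket.

new_csr() {  # $1 = dir, $2 = basename, $3 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = empty working directory
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$d/ca.ext"
  new_csr "$d" root "Demo Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  new_csr "$d" int "Demo Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  new_csr "$d" leaf "portal.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Classify what a client that trusts only $1 sees when the server presents
# leaf $2 plus the optional extra certificates in $3 (its "chain file").
# -untrusted models certificates received from the peer, not trusted ones.
chain_status() {
  local out
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo complete ;;
    *"unable to get local issuer certificate"*) echo incomplete ;;
    *) echo other-failure ;;
  esac
}

demo() {
  local d; d=$(mktemp -d)
  build_demo_pki "$d"
  echo "leaf only:           $(chain_status "$d/root.pem" "$d/leaf.pem")"
  echo "leaf + intermediate: $(chain_status "$d/root.pem" "$d/leaf.pem" "$d/int.pem")"
  rm -rf "$d"
}
demo
```

The server-side fix for the "incomplete" case is to configure the leaf together with its intermediate certificate(s) so that they are sent in the handshake.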

        Activity

        fw.ext.user FW External User added a comment -

        Comment by alex.mognom@gmail.com :

        Dear tech support,

        Regarding the CA chain problem, it can be reproduced using curl:

        $ curl -v https://data.lab.fiware.org/api/3/action/package_search?rows\=20\&start\=0
        * Trying 130.206.84.9...
        * Connected to data.lab.fiware.org (130.206.84.9) port 443 (#0)
        * ALPN, offering h2
        * ALPN, offering http/1.1
        * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
        * successfully set certificate verify locations:
        * CAfile: /usr/local/etc/openssl/cert.pem
          CApath: none
        * TLSv1.2 (OUT), TLS header, Certificate Status (22):
        * TLSv1.2 (OUT), TLS handshake, Client hello (1):
        * TLSv1.2 (IN), TLS handshake, Server hello (2):
        * TLSv1.2 (IN), TLS handshake, Certificate (11):
        * TLSv1.2 (OUT), TLS alert, Server hello (2):
        * SSL certificate problem: unable to get local issuer certificate
        * Closing connection 0
        * TLSv1.2 (OUT), TLS alert, Client hello (1):
        curl: (60) SSL certificate problem: unable to get local issuer certificate
        More details here: https://curl.haxx.se/docs/sslcerts.html

        curl performs SSL certificate verification by default, using a "bundle"
        of Certificate Authority (CA) public keys (CA certs). If the default
        bundle file isn't adequate, you can specify an alternate file
        using the --cacert option.
        If this HTTPS server uses a certificate signed by a CA represented in
        the bundle, the certificate verification probably failed due to a
        problem with the certificate (it might be expired, or the name might
        not match the domain name in the URL).
        If you'd like to turn off curl's verification of the certificate, use
        the -k (or --insecure) option.

        Also you can see that quality assurance tools like the one provided by
        ssllabs

        https://www.ssllabs.com/ssltest/analyze.html?d=data.lab.fiware.org&s=2001%3a720%3a1514%3a5400%3a0%3a0%3a0%3a9&latest

        also complains about the CA chain:

        "This server's certificate chain is incomplete. Grade capped to B."

        Best regards,
        Alejandro.

        On Mon, Nov 7, 2016 at 1:24 PM, Alejandro Rodriguez <alex.mognom@gmail.com>
        wrote:

        > Dear Sir/Madam.
        >
        > The CA chain is not included on the SSL configuration, so when making
        > queries using python the certificate is not validated, throwing an SSL
        > validation error.
        >
        > Best regards,
        > Alejandro.
        >


        ckan-fiware-okfn OKFN CKAN team added a comment -

        We are not the correct people to be assigned this ticket. We don't control the domain or certs, and we didn't install them.

        Also Backlog Manager please note that I have not received a reply to the email outlining the support we are able to contribute. It was agreed with Santiago Martinez García that a new channel would be created for issues related to the Open Data portal in FIWARE LAB. I am available to talk about this at any point.

        Jo

        smg Santiago Martinez García added a comment -

        Dear Alejandro,

        Our FIWARE LAB colleagues have worked to solve this. Could you verify it is ok now?

        Many thanks,
        Santiago

        From: Alejandro Rodriguez alex.mognom@gmail.com
        Sent: Tuesday, November 8, 2016 10:02
        To: fiware-tech-help@lists.fiware.org
        Subject: Re: [Fiware-tech-help] CA chain not included in data portal

        Dear tech support,
        Regarding the CA chain problem, it can be reproduced using curl:

        $ curl -v https://data.lab.fiware.org/api/3/action/package_search?rows\=20\&start\=0

        * Trying 130.206.84.9...
        * Connected to data.lab.fiware.org (130.206.84.9) port 443 (#0)
        * ALPN, offering h2
        * ALPN, offering http/1.1
        * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
        * successfully set certificate verify locations:
        * CAfile: /usr/local/etc/openssl/cert.pem
          CApath: none
        * TLSv1.2 (OUT), TLS header, Certificate Status (22):
        * TLSv1.2 (OUT), TLS handshake, Client hello (1):
        * TLSv1.2 (IN), TLS handshake, Server hello (2):
        * TLSv1.2 (IN), TLS handshake, Certificate (11):
        * TLSv1.2 (OUT), TLS alert, Server hello (2):
        * SSL certificate problem: unable to get local issuer certificate
        * Closing connection 0
        * TLSv1.2 (OUT), TLS alert, Client hello (1):
        curl: (60) SSL certificate problem: unable to get local issuer certificate
        More details here: https://curl.haxx.se/docs/sslcerts.html

        curl performs SSL certificate verification by default, using a "bundle"
        of Certificate Authority (CA) public keys (CA certs). If the default
        bundle file isn't adequate, you can specify an alternate file
        using the --cacert option.
        If this HTTPS server uses a certificate signed by a CA represented in
        the bundle, the certificate verification probably failed due to a
        problem with the certificate (it might be expired, or the name might
        not match the domain name in the URL).
        If you'd like to turn off curl's verification of the certificate, use
        the -k (or --insecure) option.

        Also you can see that quality assurance tools like the one provided by ssllabs

        https://www.ssllabs.com/ssltest/analyze.html?d=data.lab.fiware.org&s=2001%3a720%3a1514%3a5400%3a0%3a0%3a0%3a9&latest
        also complains about the CA chain:
        "This server's certificate chain is incomplete. Grade capped to B."

        Best regards,
        Alejandro.

        On Mon, Nov 7, 2016 at 1:24 PM, Alejandro Rodriguez <alex.mognom@gmail.com> wrote:
        Dear Sir/Madam.

        The CA chain is not included on the SSL configuration, so when making queries using python the certificate is not validated, throwing an SSL validation error.
        Best regards,
        Alejandro.



          People

          • Assignee:
            ckan-fiware-okfn OKFN CKAN team
            Reporter:
            fw.ext.user FW External User
          • Votes:
            0
            Watchers:
            3
