Comment by alex.mognom@gmail.com :
Dear tech support,
Regarding the CA chain problem, it can be reproduced using curl:
$ curl -v
> https://data.lab.fiware.org/api/3/action/package_search?rows\=20\&start\=0
> * Trying 130.206.84.9...
> * Connected to data.lab.fiware.org (130.206.84.9) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /usr/local/etc/openssl/cert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection 0
> * TLSv1.2 (OUT), TLS alert, Client hello (1):
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
Also you can see that quality assurance tools like the one provided by
ssllabs
https://www.ssllabs.com/ssltest/analyze.html?d=data.lab.fiware.org&s=2001%3a720%3a1514%3a5400%3a0%3a0%3a0%3a9&latest
<https://www.google.com/url?q=https%3A%2F%2Fwww.ssllabs.com%2Fssltest%2Fanalyze.html%3Fd%3Ddata.lab.fiware.org%26s%3D2001%253a720%253a1514%253a5400%253a0%253a0%253a0%253a9%26latest&sa=D&sntz=1&usg=AFQjCNHEXRsMD9OhZQ8oyYtnUky8UlqzXQ>
also complains about the CA chain:
"This server's certificate chain is incomplete. Grade capped to B."
>
Best regards,
Alejandro.
On Mon, Nov 7, 2016 at 1:24 PM, Alejandro Rodriguez <alex.mognom@gmail.com>
wrote:
> Dear Sir/Madam.
>
> The CA chain is not included on the SSL configuration, so when making
> queries using python the certificate is not validated, throwing an SSL
> validation error.
>
> Best regards,
> Alejandro.
>
Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
Please, send your messages using the new domain (Fiware-tech-help@lists.fiware.org) instead of the old one.
Comment by alex.mognom@gmail.com :
Dear tech support,
Regarding the CA chain problem, it can be reproduced using curl:
$ curl -v
> https://data.lab.fiware.org/api/3/action/package_search?rows\=20\&start\=0
> * Trying 130.206.84.9...
> * Connected to data.lab.fiware.org (130.206.84.9) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /usr/local/etc/openssl/cert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection 0
> * TLSv1.2 (OUT), TLS alert, Client hello (1):
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
Also you can see that quality assurance tools like the one provided by
ssllabs
https://www.ssllabs.com/ssltest/analyze.html?d=data.lab.fiware.org&s=2001%3a720%3a1514%3a5400%3a0%3a0%3a0%3a9&latest
<https://www.google.com/url?q=https%3A%2F%2Fwww.ssllabs.com%2Fssltest%2Fanalyze.html%3Fd%3Ddata.lab.fiware.org%26s%3D2001%253a720%253a1514%253a5400%253a0%253a0%253a0%253a9%26latest&sa=D&sntz=1&usg=AFQjCNHEXRsMD9OhZQ8oyYtnUky8UlqzXQ>
also complains about the CA chain:
"This server's certificate chain is incomplete. Grade capped to B."
>
Best regards,
Alejandro.
On Mon, Nov 7, 2016 at 1:24 PM, Alejandro Rodriguez <alex.mognom@gmail.com>
wrote:
> Dear Sir/Madam.
>
> The CA chain is not included on the SSL configuration, so when making
> queries using python the certificate is not validated, throwing an SSL
> validation error.
>
> Best regards,
> Alejandro.
>
Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
Please, send your messages using the new domain (Fiware-tech-help@lists.fiware.org) instead of the old one.