Comment by alex.mognom@gmail.com :
Dear tech support,
Regarding the CA chain problem, it can be reproduced using curl:
$ curl -v https://data.lab.fiware.org/api/3/action/package_search?rows\=20\&start\=0
> * Trying 130.206.84.9...
> * Connected to data.lab.fiware.org (130.206.84.9) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
> * successfully set certificate verify locations:
> * CAfile: /usr/local/etc/openssl/cert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, Server hello (2):
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection 0
> * TLSv1.2 (OUT), TLS alert, Client hello (1):
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
Also you can see that quality assurance tools like the one provided by ssllabs
https://www.ssllabs.com/ssltest/analyze.html?d=data.lab.fiware.org&s=2001%3a720%3a1514%3a5400%3a0%3a0%3a0%3a9&latest
also complain about the CA chain:
"This server's certificate chain is incomplete. Grade capped to B."
Best regards,
Alejandro.
On Mon, Nov 7, 2016 at 1:24 PM, Alejandro Rodriguez <alex.mognom@gmail.com>
wrote:
> Dear Sir/Madam.
>
> The CA chain is not included on the SSL configuration, so when making
> queries using python the certificate is not validated, throwing an SSL
> validation error.
>
> Best regards,
> Alejandro.
>
Since January 1st, old domains won't be supported and messages sent to any domain different to @lists.fiware.org will be lost.
Please, send your messages using the new domain (Fiware-tech-help@lists.fiware.org) instead of the old one.
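Added example (not part of the original messages and not the FIWARE Lab configuration): the failure reported above, reproduced offline with a constructed root -> intermediate -> leaf chain. The names demo-root, demo-int and demo-leaf and all keys are throwaway assumptions; the -untrusted option of openssl verify stands in for the intermediate certificate that a server with a complete chain would send.

```sh
#!/bin/sh
# Constructed demo chain: demo-root -> demo-int -> demo-leaf. All keys and
# certificates are throwaway values generated here, not taken from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sign CSR $1.csr with CA $2 (files $2.pem and $2.key); $3 = optional extension file.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    ${3:+-extfile "$3"} -out "$1.pem" -days 2 2>/dev/null
}

make_chain() (
  cd "$WORK" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  for name in root int leaf; do
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=demo-$name" 2>/dev/null || exit 1
  done
  # The root is self-signed and is the only certificate the client trusts.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem -days 2 2>/dev/null || exit 1
  sign int root ca.ext || exit 1   # intermediate CA, issued by the root
  sign leaf int                    # server certificate, issued by the intermediate
)

# Server sends only its own certificate: the incomplete chain reported here.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}

# Server also sends the intermediate. -untrusted marks certificates offered by
# the peer: usable for path building, never as trust anchors.
verify_full_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" 2>&1
}

make_chain || { echo "openssl chain setup failed" >&2; exit 1; }
echo "leaf only : $(verify_leaf_only | grep -o 'unable to get local issuer certificate')"
echo "full chain: $(verify_full_chain)"
```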
Dear Alejandro,
Our FIWARE LAB colleagues have worked to solve this. Could you verify it is ok now?
Many thanks,
Santiago
From: Alejandro Rodriguez alex.mognom@gmail.com
Sent: Tuesday, November 8, 2016 10:02
To: fiware-tech-help@lists.fiware.org
Subject: Re: [Fiware-tech-help] CA chain not included in data portal
Dear tech support,
Regarding the CA chain problem, it can be reproduced using curl:
$ curl -v https://data.lab.fiware.org/api/3/action/package_search?rows\=20\&start\=0
CApath: none
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Also you can see that quality assurance tools like the one provided by ssllabs
https://www.ssllabs.com/ssltest/analyze.html?d=data.lab.fiware.org&s=2001%3a720%3a1514%3a5400%3a0%3a0%3a0%3a9&latest
also complain about the CA chain:
"This server's certificate chain is incomplete. Grade capped to B."
Best regards,
Alejandro.
On Mon, Nov 7, 2016 at 1:24 PM, Alejandro Rodriguez <alex.mognom@gmail.com> wrote:
Dear Sir/Madam.
The CA chain is not included on the SSL configuration, so when making queries using python the certificate is not validated, throwing an SSL validation error.
Best regards,
Alejandro.