[erlang-questions] bad certificate if trying to verify StartSsl certificate

Alex Hudich alttagil@REDACTED
Thu Jul 16 19:54:20 CEST 2015


Hi,

It doesn’t help. Still {bad_cert,invalid_issuer}



> On 16 July 2015, at 20:29, Éric Pailleau <eric.pailleau@REDACTED> wrote:
> 
> Hi, try with depth = 3.   Depth 0 to depth 2 is 3.
> Regards
> 
> On 16 Jul 2015 15:15, Alex Hudich <alttagil@REDACTED> wrote:
>> 
>> When I tried to check the connection with the openssl command without the cacert.pem file, I got:
>> 
>> $ openssl s_client -connect nicemine.ru:443 -verify 99 
>> verify depth is 99
>> CONNECTED(00000003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:1
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>> verify return:1
>> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>> verify return:1
>> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
>> verify return:1
>> 
>> 
>> and with it
>> 
>> $ openssl s_client -connect nicemine.ru:443 -verify 99 -CAfile cacert.pem
>> verify depth is 99
>> CONNECTED(00000003)
>> depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
>> verify return:1
>> depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
>> verify return:1
>> depth=0 /C=KZ/CN=www.nicefiles.ru/emailAddress=webmaster@REDACTED
>> verify return:1
>> 
>> so the cacert.pem file contains enough info for the StartCom certificates to be checked as valid.
>> 
>> 
>> I also tried to dig into it more in Erlang and found that I get the error in OTP 18 too.
>> 
>> And the reason for the bad certificate error is {bad_cert,invalid_issuer}
>> 
>> 
>> 
>> I also tried to add the https://www.startssl.com/certs/sub.class1.server.ca.pem file to cacert.pem, but with no luck.
>> 
>> 
>> 
>> 
>> 
>>> On 16 July 2015, at 12:16, Alex Hudich <alttagil@REDACTED> wrote:
>>> 
>>> Hi!
>>> 
>>> 
>>> 
>>> wget http://curl.haxx.se/ca/cacert.pem
>>> 
>>> and then 
>>> 
>>> ssl:connect( "www.nicemine.ru", 443, [{verify,verify_peer},{server_name_indication,"www.nicemine.ru"},{depth,2},{cacertfile,"cacert.pem"}] ).
>>> 
>>> gives me {error,{tls_alert,"bad certificate"}}
>>> 
>>> 
>>> 
>>> Why? The site can be opened OK in the browser.
>>> 
>>> Erlang/OTP 17 [erts-6.3] 
>>> 
>>> 
>> 
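
To see which certificate in the chain triggers `{bad_cert,invalid_issuer}`, a `verify_fun` can log every step of path validation. This is an added example, not part of the original thread; the module name `chain_debug` and its function names are hypothetical, and `depth` is set to 3 as suggested in the quoted reply.

```erlang
-module(chain_debug).
-export([connect/3]).
-include_lib("public_key/include/public_key.hrl").

%% Connect with verify_peer and print, for every certificate that path
%% validation visits, the validation event plus the subject and issuer names.
%% Comparing the issuer of one certificate with the subject of the one
%% validated just before it shows where the name chaining breaks.
connect(Host, Port, CAFile) ->
    _ = ssl:start(),
    Opts = [{verify, verify_peer},
            {server_name_indication, Host},
            {depth, 3},
            {cacertfile, CAFile},
            {verify_fun, {fun log_event/3, []}}],
    case ssl:connect(Host, Port, Opts, 10000) of
        {ok, Sock} ->
            ssl:close(Sock),
            ok;
        {error, _} = Err ->
            Err
    end.

%% verify_fun callback: log, then keep the default strict behaviour.
log_event(Cert, Event, State) ->
    #'OTPCertificate'{tbsCertificate = Tbs} = Cert,
    #'OTPTBSCertificate'{subject = Subject, issuer = Issuer} = Tbs,
    io:format("event:       ~p~n"
              "subject:     ~p~n"
              "issuer:      ~p~n"
              "self-signed: ~p~n~n",
              [Event, Subject, Issuer,
               public_key:pkix_is_self_signed(Cert)]),
    case Event of
        {bad_cert, Reason} -> {fail, Reason};    % do not accept a bad chain
        {extension, _}     -> {unknown, State};  % let ssl handle extensions
        valid              -> {valid, State};    % CA certificate accepted
        valid_peer         -> {valid, State}     % peer certificate accepted
    end.
```

Calling `chain_debug:connect("www.nicemine.ru", 443, "cacert.pem")` from the shell prints one block per certificate; the callback never turns a failure into a success, so the connection result is unchanged.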
