[erlang-questions] ssl: Bad Certificate using file generated using mkcert.org

Benoit Chesneau bchesneau@REDACTED
Sun Apr 1 22:06:49 CEST 2018


heh OK, no problem :)

To be complete, the chain returned by openssl is:

OpenSSL> s_client -connect airbrake.io:443 -showcerts
CONNECTED(00000006)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.airbrake.io
   i:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust
RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
 3 s:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust
RSA Certification Authority
---
Server certificate
subject=/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.
airbrake.io
issuer=/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
---
No client certificate CA names sent
---
SSL handshake has read 5736 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
62BF8A905F9DF278347423E70D100144AEB17B41C4BEB41FE8BC83512D8AE5C7
    Session-ID-ctx:
    Master-Key:
D3F6811B769DE3E5045BB386AE6CA561C272F44014A3F1DB8F8786B599D11015CE44AF5B8351CDD466EA7A02E764F78A
    Start Time: 1522613090
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed


On Sun, Apr 1, 2018 at 9:23 PM, Luke Bakken <luke@REDACTED> wrote:

> Oh, never mind, I thought you were responsible for the airbrake.io cert.
>
> I have seen the same behavior you report when using different CA
> certificate bundles. Using the default OS X bundle usually works,
> while recent Mozilla CA bundles don't. I did a bunch of diagnosis but
> never came to a definitive conclusion. I'll re-visit what I did and
> will see if I can figure out what exactly works and what doesn't.
>
> Luke
>
> On Sun, Apr 1, 2018 at 12:13 PM, Benoit Chesneau <bchesneau@REDACTED>
> wrote:
> > Hrm, not sure I understand. You mean to the cacerts file or to the cert of
> > airbrake? I’m not responsible for the last one.
> >
> > Benoît
> >
> >
> > On Sunday, April 1, 2018, Luke Bakken <luke@REDACTED> wrote:
> >>
> >> Try adding "digitalSignature" to the keyUsage field for the cert.
> >>
> >> Luke
> >>
> >> On Sun, Apr 1, 2018, 10:55 AM Benoit Chesneau <bchesneau@REDACTED>
> wrote:
> >>>
> >>> I'm trying to connect to airbrake.io via ssl using the certificates
> >>> generated by the website mkcert: https://mkcert.org/ which gets the
> >>> certificates from Mozilla, but I get a "Bad certificate" error on the latest
> >>> release of erlang:
> >>>
> >>> 9> ssl:connect("airbrake.io", 443, [{cacertfile, CaCertFile}, {verify,
> >>> verify_peer}, {depth, 99}]).
> >>>
> >>> =INFO REPORT==== 1-Apr-2018::19:45:51 ===
> >>> TLS client: In state certify at ssl_handshake.erl:1271 generated CLIENT
> >>> ALERT: Fatal - Bad Certificate
> >>>
> >>> {error,{tls_alert,"bad certificate"}}
> >>>
> >>>
> >>> where with google it worked:
> >>>
> >>> 10> ssl:connect("google.com", 443, [{cacertfile, CaCertFile}, {verify,
> >>> verify_peer}, {depth, 99}]).
> >>> {ok,{sslsocket,{gen_tcp,#Port<0.9355>,tls_connection,
> >>>                         undefined},
> >>>                <0.224.0>}}
> >>>
> >>>
> >>>
> >>> It used to work with previous versions of Erlang, did something change
> >>> in the validation in 20.x?
> >>>
> >>> Also how can I check what is the exact issue in the certificate that
> >>> causes this error? According to ssllabs there is no issue in checking the
> >>> certificate:
> >>>
> >>> https://www.ssllabs.com/ssltest/analyze.html?d=airbrake.io
> >>>
> >>>
> >
> >
> >
> > --
> > Sent from my Mobile
>
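
The certificate chain in the s_client output above is not sent in issuance order and includes the self-signed AddTrust root. The following is an added example, not part of the original thread, that parses that listing and reports the order; the function names are illustrative, and it compares subject and issuer names only (no signature verification).

```python
import re

# Subject/issuer pairs copied from the "Certificate chain" listing in the
# message above (e-mail line wraps rejoined, PEM bodies omitted).
S_CLIENT_CHAIN = """\
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.airbrake.io
   i:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=US/O=SSL.com/OU=www.ssl.com/CN=SSL.com DV CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
"""

ENTRY = re.compile(r"^[ \t]*(\d+) s:(.+)\n[ \t]+i:(.+)$", re.MULTILINE)

def parse_chain(text):
    """Return [(index, subject, issuer)] in the order the server sent them."""
    return [(int(m[1]), m[2].strip(), m[3].strip()) for m in ENTRY.finditer(text)]

def order_breaks(entries):
    """Indexes whose issuer name is not the subject of the certificate sent next."""
    return [idx for (idx, _, issuer), (_, next_subject, _)
            in zip(entries, entries[1:]) if issuer != next_subject]

def self_signed(entries):
    """Indexes whose subject and issuer names are identical."""
    return [idx for idx, subject, issuer in entries if subject == issuer]

def issuance_path(entries):
    """Follow issuer names from the leaf (index 0) until a self-signed
    certificate, a missing issuer, or a loop is reached."""
    by_subject = {subject: (idx, subject, issuer) for idx, subject, issuer in entries}
    path, current = [], entries[0]
    while current and current[0] not in path:
        path.append(current[0])
        _, subject, issuer = current
        if subject == issuer:
            break
        current = by_subject.get(issuer)
    return path

if __name__ == "__main__":
    chain = parse_chain(S_CLIENT_CHAIN)
    print("sent order breaks at:", order_breaks(chain))
    print("self-signed entries: ", self_signed(chain))
    print("issuance path:       ", issuance_path(chain))
```
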