Posted to users@tomcat.apache.org by "kotigundapaneni@yahoo.com.INVALID" <ko...@yahoo.com.INVALID> on 2023/09/25 04:45:24 UTC

Re: users Digest 20 Sep 2023 19:28:18 -0000 Issue 14664

The attached files are not able to be read. Please help further on this part.



    On Wednesday, September 20, 2023 at 12:29:29 PM PDT, users-digest-help@tomcat.apache.org <us...@tomcat.apache.org> wrote:  
 
 
users Digest 20 Sep 2023 19:28:18 -0000 Issue 14664

Topics (messages 277707 through 277710)

Unable to get local issuer certificate
    277707 by: Andy Pont
    277708 by: Thomas Hoffmann (Speed4Trade GmbH)
    277709 by: Andy Pont

[ANN] Community Over Code Conference NA 2023 in Halifax, Canada, 7-10 Oct 2023
    277710 by: Christopher Schultz

Administrivia:

---------------------------------------------------------------------
To post to the list, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-digest-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-digest-help@tomcat.apache.org

----------------------------------------------------------------------

I am receiving the above error when a GitLab webhook tries to call my
servlet.  The full text of the error states:

SSL_connect returned=1 errno=0 state=error: certificate verify failed
(unable to get local issuer certificate).

If I try to access any of the servlets running in the same Tomcat server
from a web browser then the certificate is OK and the padlock icon
appears as expected.  The certificate that is used by Tomcat is a domain
wildcard certificate issued by Go-Daddy.

Any ideas on what isn’t being correctly sent in response to the GitLab
webhook?

Thanks,

Andy.

>This means, the calling program can't verify the certificate.
>Check whether all the intermediates are delivered by tomcat.
>Furthermore, the calling program must know the root-certificate of your webserver certificate.

If I look at a random website using 'openssl s_client -showcerts
-connect' then I get the server certificate plus two others:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxx.mydomain.com

If I use the same command with the Tomcat servlet then it gives the
following:

verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1

The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go
Daddy Root Certificate Authority - G2” according to the browser.

My guess is that the .pfx file that Tomcat is using doesn’t include
them.

-Andy.
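
An added example, not part of the original messages: a Python sketch that reads `openssl s_client -showcerts` output and reports how many certificates the server sent, which verify errors were raised, and the first issuer for which the server sent no certificate. Both sample outputs are constructed (placeholder hostname, shortened DNs, PEM bodies omitted), and `diagnose` is a hypothetical helper name.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output
# (PEM bodies omitted): the server sends only its leaf certificate.
SAMPLE_LEAF_ONLY = """\
depth=0 CN = *.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.example.test
   i:CN = Go Daddy Secure Certificate Authority - G2
---
Server certificate
"""

# Constructed sample: leaf plus intermediate sent, no verify errors.
SAMPLE_WITH_INTERMEDIATE = """\
depth=2 CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN = *.example.test
verify return:1
---
Certificate chain
 0 s:CN = *.example.test
   i:CN = Go Daddy Secure Certificate Authority - G2
 1 s:CN = Go Daddy Secure Certificate Authority - G2
   i:CN = Go Daddy Root Certificate Authority - G2
---
Server certificate
"""

def diagnose(output):
    """Return (certs_sent, verify_errors, unsent_issuer, leaf_only_failure)."""
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", output)})
    rest = output.split("Certificate chain", 1)[-1]
    section = re.split(r"^---$", rest, maxsplit=1, flags=re.M)[0]
    subjects = re.findall(r"^ *\d+ s:(.+)$", section, re.M)
    issuers = re.findall(r"^ +i:(.+)$", section, re.M)
    # First issuer for which the server sent no matching certificate.
    unsent = next((i for i in issuers if i not in subjects), None)
    # Errors 20 and 21 with a single certificate sent: only the leaf arrived.
    leaf_only = len(subjects) == 1 and {20, 21} <= set(errors)
    return len(subjects), errors, unsent, leaf_only
```

In the leaf-only case the unsent issuer is the intermediate that the server's keystore would need to carry; in the healthy case it is the root, which the client is expected to hold in its own trust store.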

Please join us in Halifax in 2½ weeks for Community Over Code, the ASF 
Conference.

The Tomcat and httpd tracks are combined for this conference, being held 
on the second of the four-day conference featuring a wide variety of 
presentations and panel-led discussions about wide-ranging topics 
related to the ASF and the projects you care about.

And of course, the Hallway Track is always a great opportunity to meet 
other developers, users, and committers to chat about whatever is on 
your mind.

The full schedule can be found here: https://communityovercode.org/schedule/

-chris