Posted to users@tomcat.apache.org by "kotigundapaneni@yahoo.com.INVALID" <ko...@yahoo.com.INVALID> on 2023/09/25 04:45:24 UTC
Re: users Digest 20 Sep 2023 19:28:18 -0000 Issue 14664
The attached files cannot be read; please help further on this part.
On Wednesday, September 20, 2023 at 12:29:29 PM PDT, users-digest-help@tomcat.apache.org <us...@tomcat.apache.org> wrote:
users Digest 20 Sep 2023 19:28:18 -0000 Issue 14664
Topics (messages 277707 through 277710)
Unable to get local issuer certificate
277707 by: Andy Pont
277708 by: Thomas Hoffmann (Speed4Trade GmbH)
277709 by: Andy Pont
[ANN] Community Over Code Conference NA 2023 in Halifax, Canada, 7-10 Oct 2023
277710 by: Christopher Schultz
I am receiving the above error when a GitLab webhook tries to call my servlet. The full text of the error states:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate).
If I try to access any of the servlets running in the same Tomcat server from a web browser then the certificate is OK and the padlock icon appears as expected. The certificate that is used by Tomcat is a domain wildcard certificate issued by Go-Daddy.
Any ideas on what isn’t being correctly sent in response to the GitLab webhook?
Thanks,
Andy.
>This means, the calling program can't verify the certificate.
>Check whether all the intermediates are delivered by tomcat.
>Furthermore, the calling program must know the root-certificate of your webserver certificate.
If I look at a random website using 'openssl s_client -showcerts -connect' then I get the server certificate plus two others:
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxx.mydomain.com
If I use the same command with the Tomcat servlet then it gives the following:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go Daddy Root Certificate Authority - G2” according to the browser.
My guess is that the .pfx file that Tomcat is using doesn’t include them.
-Andy.
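One way to test the guess in the message above, as an added example that is not part of the original thread: it builds two keystores and checks each the way a client that trusts only the root would. The CA names, file names and the password `changeit` are constructed throwaways, not the GoDaddy chain or the poster's files.

```sh
#!/bin/sh
# Added example: constructed throwaway CA chain, keys and password (not GoDaddy's).
WORK=$(mktemp -d) && cd "$WORK" || exit 1
PASS=pass:changeit

# issue NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
issue root  "/CN=Demo Root CA" ca.ext
issue inter "/CN=Demo Intermediate CA" ca.ext root
issue leaf  "/CN=xxx.mydomain.com" leaf.ext inter

# Keystore as suspected in the thread (leaf only) and one that carries the intermediate.
openssl pkcs12 -export -inkey leaf.key -in leaf.pem \
  -passout "$PASS" -out leaf-only.pfx
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile inter.pem \
  -passout "$PASS" -out with-chain.pfx

# Number of certificates stored in keystore $1.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Verify the keystore's leaf as a client that trusts only the root and is
# handed whatever certificates the keystore holds. Returns openssl's status.
pfx_verifies() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "$PASS" -out srv.pem 2>/dev/null
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" -out sent.pem 2>/dev/null
  openssl verify -CAfile root.pem -untrusted sent.pem srv.pem 2>&1
}

for f in leaf-only.pfx with-chain.pfx; do
  echo "$f: $(pfx_cert_count "$f") cert(s), $(pfx_verifies "$f" | tail -n 1)"
done
```

The leaf-only keystore fails with the same "unable to get local issuer certificate" text quoted in the thread, while the keystore that also holds the intermediate verifies.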
Please join us in Halifax in 2½ weeks for Community Over Code, the ASF
Conference.
The Tomcat and httpd tracks are combined for this conference, being held
on the second of the four-day conference featuring a wide variety of
presentations and panel-led discussions about wide-ranging topics
related to the ASF and the projects you care about.
And of course, the Hallway Track is always a great opportunity to meet
other developers, users, and committers to chat about whatever is on
your mind.
The full schedule can be found here: https://communityovercode.org/schedule/
-chris