Posted to users@tomcat.apache.org by Andy Pont <an...@wonksw.tech> on 2023/09/18 17:07:36 UTC

Unable to get local issuer certificate

Hello,

I am receiving the above error when a GitLab webhook tries to call my 
servlet.  The full text of the error states:

SSL_connect returned=1 errno=0 state=error: certificate verify failed 
(unable to get local issuer certificate).

If I try to access any of the servlets running in the same Tomcat server 
from a web browser then the certificate is OK and the padlock icon 
appears as expected.  The certificate that is used by Tomcat is a domain 
wildcard certificate issued by Go-Daddy.

Any ideas on what isn’t being correctly sent in response to the GitLab 
webhook?

Thanks,

Andy.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Unable to get local issuer certificate

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Andy,

> -----Original Message-----
> From: Andy Pont <an...@wonksw.tech>
> Sent: Monday, 18 September 2023 19:48
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: Unable to get local issuer certificate
> 
> Thomas wrote…
> 
> > This means the calling program can't verify the certificate.
> > Check whether all the intermediates are delivered by Tomcat.
> > Furthermore, the calling program must know the root certificate of your
> > webserver certificate.
> 
> If I look at a random website using 'openssl s_client -showcerts -connect'
> then I get the server certificate plus two others:
> 
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = xxx.mydomain.com
> 
> If I use the same command with the Tomcat servlet then it gives the
> following:
> 
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 
> The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go
> Daddy Root Certificate Authority - G2” according to the browser.
> 
> My guess is that the .pfx file that Tomcat is using doesn’t include them.
> 
> -Andy.
> 

You can check the pfx file via:
keytool -list -v -storetype pkcs12 -keystore server.p12 

If the file doesn’t contain the intermediate certificates, you have to add them.
Don’t add the root certificate because the client has to have it anyway.

You might also consider using PEM files instead of pfx files. 
In my opinion they are easier to handle and you don’t need additional tools to modify them.

Greetings, Thomas
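To make the two replies above concrete, here is an added example (not code from the thread or from Tomcat) that does what the webhook client does when it verifies the server: it trusts only the root in its own store and must build the path from the certificates the server sends. It builds a constructed test PKI (the CNs and the host webhook.example.test are placeholders) and verifies the leaf once delivered alone, as the Tomcat keystore here apparently serves it, and once with the intermediate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a CA or server certificate for cn with parent (self-signed when parent is nil).
// Constructed test PKI: the CNs only stand in for the GoDaddy root, intermediate and wildcard cert.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{"webhook.example.test"}, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // hypothetical host
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAsClient mirrors the webhook client: trust only the roots in its own store and build the path
// from what the server sent (leaf first). A missing intermediate gives x509.UnknownAuthorityError, OpenSSL's num=20.
func verifyAsClient(delivered []*x509.Certificate, trusted *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range delivered[1:] {
		inter.AddCert(c)
	}
	_, err := delivered[0].Verify(x509.VerifyOptions{DNSName: "webhook.example.test", Roots: trusted, Intermediates: inter})
	return err
}

func main() {
	root, rootKey := issue("Test Root CA - G2", true, nil, nil)
	inter, interKey := issue("Test Secure CA - G2", true, root, rootKey)
	leaf, _ := issue("*.example.test", false, inter, interKey)
	trusted := x509.NewCertPool() // client trust store: the root only, never the intermediate
	trusted.AddCert(root)
	fmt.Println("leaf only:        ", verifyAsClient([]*x509.Certificate{leaf}, trusted))
	fmt.Println("leaf+intermediate:", verifyAsClient([]*x509.Certificate{leaf, inter}, trusted))
}
```

The first call fails because the client cannot find the issuer of the leaf anywhere; the second succeeds without the root being sent, which is why only the intermediates need adding to the keystore.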

Re: Unable to get local issuer certificate

Posted by Andy Pont <an...@wonksw.tech>.
Thomas wrote…

> This means the calling program can't verify the certificate.
> Check whether all the intermediates are delivered by Tomcat.
> Furthermore, the calling program must know the root certificate of your webserver certificate.

If I look at a random website using 'openssl s_client -showcerts -connect' 
then I get the server certificate plus two others:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = xxx.mydomain.com

If I use the same command with the Tomcat servlet then it gives the 
following:

verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1

The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go 
Daddy Root Certificate Authority - G2” according to the browser.

My guess is that the .pfx file that Tomcat is using doesn’t include 
them.

-Andy.



Re: Unable to get local issuer certificate

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Andy,

> -----Original Message-----
> From: Andy Pont <an...@wonksw.tech>
> Sent: Monday, 18 September 2023 19:08
> To: users@tomcat.apache.org
> Subject: Unable to get local issuer certificate
> 
> Hello,
> 
> I am receiving the above error when a GitLab webhook tries to call my
> servlet.  The full text of the error states:
> 
> SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable
> to get local issuer certificate).
> 
> If I try to access any of the servlets running in the same Tomcat server from a
> web browser then the certificate is OK and the padlock icon appears as
> expected.  The certificate that is used by Tomcat is a domain wildcard
> certificate issued by Go-Daddy.
> 
> Any ideas on what isn’t being correctly sent in response to the GitLab
> webhook?
> 
> Thanks,
> 
> Andy.
> 

This means the calling program can't verify the certificate.
Check whether all the intermediates are delivered by Tomcat.
Furthermore, the calling program must know the root certificate of your webserver certificate.

Maybe you can post the certificate chain.
You might use openssl for this, or https://github.com/rbsec/sslscan for example.
Don’t use the browser because it doesn’t show what the server delivers.

Greetings,
Thomas
