kme : cacert   16

Fixing SSL CA certificates with OpenSSL from MacPorts - andatche.com
MacPorts now offers a method that syncs certificates from the system keychain:
<code class="language-bash">sudo port install certsync
sudo port load certsync</code>
As for the missing dependency, consider filing a bug.
openssl  macports  macos  ca  cacert  certificate  curl  maybesolution 
september 2019 by kme
LFTP FTPS and Certificate Verification » Versatile Web Solutions | https://www.versatilewebsolutions.com/
<code class="language-bash">
openssl s_client -showcerts -connect example.com:21 -starttls ftp
</code>
lftp  cryto  cacert  certificate  woes  maybesolution  troubleshooting 
april 2019 by kme
The Monkeysphere Project | http://web.monkeysphere.info/
Frequent users of ssh are familiar with the prompt given the first time you log in to a new server, asking if you want to trust the server's key by verifying the key fingerprint. Unfortunately, unless you have access to the server's key fingerprint through a secure out-of-band channel, there is no way to verify that the fingerprint you are presented with is in fact that of the server you're really trying to connect to.
pki  gpg  ssh  cacert  security  crypto 
february 2019 by kme
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them | https://support.ssl.com/
Microsofty things use the '.cer' extension (which is interchangeable with '.crt'), and are often DER-encoded. PEM-encoded certs are "ASCII (Base64) armored data" prefixed with a "-----BEGIN CERTIFICATE-----" line.

Here's how to "cat" a DER-encoded certificate:
<code class="language-bash">
openssl x509 -in certificate.der -inform der -text -noout
</code>

And here's how to convert one in that format to the format expected on a Debian GNU/Linux system:
<code class="language-bash">
openssl x509 -in cert.crt -inform der -outform pem -out cert.crt
</code>

NB: the '.crt' extension seems to be important, otherwise 'sudo update-ca-certificates' doesn't pick up on new ones that you've added to /usr/local/share/ca-certificates.
ssl  certs  cacert  certificates  openssl  sysadmin  webmaster  crypto  fuckina  solution  importexport  conversion 
january 2019 by kme
curl - ERROR: The certificate of `raw.githubusercontent.com' is not trusted - Stack Overflow | https://stackoverflow.com/
In my case, 'wget' gave a better error message than 'curl', and it told me that my organization was using a fake root CA, and 'wget' didn't recognize *its* issuer.

Solution for a Debian system at https://pinboard.in/u:kme/b:c57651a965b4 (convert issuer CA to PEM-encoded .crt, put in /usr/local/share/ca-certificates, and run 'sudo update-ca-certificates')
github  errormessage  ssl  cacert  certificates  crypto  headache 
january 2019 by kme
python - urllib and "SSL: CERTIFICATE_VERIFY_FAILED" Error - Stack Overflow | https://stackoverflow.com/
My solution was actually to install the ISSUER certificate for our organization's root CA (which hijacks GitHub, and others) into /usr/local/share/ca-certificates, then run 'sudo update-ca-certificates'.

If the certificate is available in DER format (might be the case if you got it from somewhere Microsofty), you can convert using 'openssl'.
<code class="language-bash">
openssl x509 -in YourOrgRootCA.der -inform der -outform pem -out YourOrgRootCA.crt
</code>

The '.crt' extension seems to be required, otherwise 'update-ca-certificates' won't pick up the new certificates.
python  seaborn  ssl  cacert  certificates  headache  maybesolution 
january 2019 by kme
ssl - How to add an enterprise certificate authority (CA) to git on cygwin (and some linux distros) - Stack Overflow
git-remote-https will read the following files for ca certificates:
<code>/etc/ssl/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
</code>

If you edit these files, they will be overwritten each time the Cygwin setup is run and there is an update for the ca-certificates package.

The correct/proper solution is to add the certificate to the pick up directory and run the pickup script, update-ca-trust:
<code class="language-bash">curl -sL http://ca.pdinc.us > /etc/pki/ca-trust/source/anchors/ca.pdinc.us.pem \
&& update-ca-trust
</code>

The post install script for the ca-certificates package will automatically rerun the update-ca-trust script on every upgrade. For more information:
<code class="language-bash">man update-ca-trust</code>
cacert  certificate  openssl  curl  cygwin  sysadmin  solution 
january 2018 by kme
How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL | Symantec | https://knowledge.symantec.com/
Seems to work, even though '-fingerprint' doesn't seem to be in the 'openssl' man page:
<code class="language-bash">
# SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

# SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

# MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]</code>

If they came from Windows (in .cer format), use '-inform der' (DER = Distinguished Encoding Rules). Der!
<code class="language-bash">
openssl x509 -inform der -in SomeIssuer.cer -fingerprint -sha1 -noout
</code>
ssl  openssl  cacert  ca  certificate  fingerprint  commandline  cli  solution 
january 2018 by kme
openssl s_client using a proxy - Stack Overflow | https://stackoverflow.com/


You can use proxytunnel:
<code class="language-bash">
proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000
</code>

and then you can do this:
<code class="language-bash">
openssl s_client -connect localhost:7000 -showcerts
</code>

Hope this can help you!
proxy  debugging  http  https  webdevel  sysadmin  webmaster  ssl  cert  cacert  solution 
december 2017 by kme
git - SSL certificate rejected trying to access GitHub over HTTPS behind firewall - Stack Overflow
See below for 'configure' flags that were necessary to get 'curl' to look in the right place for the PEM certificate bundle.
Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:
<code class="language-bash">
cd /usr/ssl/certs
curl https://curl.haxx.se/ca/cacert.pem |
awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
c_rehash
</code>


I actually used this script:
<code class="language-bash">
wget -O - http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
</code>


Then I cheated off of the MacPorts Portfile for 'curl' (source: https://trac.macports.org/browser/trunk/dports/net/curl/Portfile) to discover the "--with-ca-bundle=/path/to/curl-ca-bundle.crt" 'configure' flag which seems to have done the trick.

Also useful, in extreme circumstances, how to get Git to ignore SSL certs altogether:
<code class="language-bash">
env GIT_SSL_NO_VERIFY=true git clone https://github...
</code>
git  github  curl  ssl  cacert  castore  certificates  cs  openssl  solution  fuckina 
march 2016 by kme
