
kme : certificates   19

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them | https://support.ssl.com/
Microsofty things use the '.cer' extension (which is interchangeable with '.crt'), and are often DER-encoded. PEM-encoded certs are "ASCII (Base64) armored data" prefixed with a "-----BEGIN CERTIFICATE-----" line.

Here's how to "cat" a DER-encoded certificate:
<code class="language-bash">
openssl x509 -in certificate.der -inform der -text -noout
</code>

And here's how to convert one in that format to the format expected on a Debian GNU/Linux system:
<code class="language-bash">
openssl x509 -in cert.crt -inform der -outform pem -out cert.crt
</code>

NB: the '.crt' extension seems to be important, otherwise 'sudo update-ca-certificates' doesn't pick up on new ones that you've added to /usr/local/share/ca-certificates.
ssl  certs  cacert  certificates  openssl  sysadmin  webmaster  crypto  fuckina  solution  importexport  conversion 
january 2019 by kme
curl - ERROR: The certificate of `raw.githubusercontent.com' is not trusted - Stack Overflow | https://stackoverflow.com/
In my case, 'wget' gave a better error message than 'curl', and it told me that my organization was using a fake root CA, and 'wget' didn't recognize *its* issuer.

Solution for a Debian system at https://pinboard.in/u:kme/b:c57651a965b4 (convert issuer CA to PEM-encoded .crt, put in /usr/local/share/ca-certificates, and run 'sudo update-ca-certificates')
github  errormessage  ssl  cacert  certificates  crypto  headache 
january 2019 by kme
python - urllib and "SSL: CERTIFICATE_VERIFY_FAILED" Error - Stack Overflow | https://stackoverflow.com/
My solution was actually to install the ISSUER certificate for our organization's root CA (which hijacks GitHub, and others) into /usr/local/share/ca-certificates, then run 'sudo update-ca-certificates'.

If the certificate is available in DER format (might be the case if you got it from somewhere Microsofty), you can convert using 'openssl'.
<code class="language-bash">
openssl x509 -in YourOrgRootCA.der -inform der -outform pem -out YourOrgRootCA.crt
</code>

The '.crt' extension seems to be required, otherwise 'update-ca-certificates' won't pick up the new certificates.
python  seaborn  ssl  cacert  certificates  headache  maybesolution 
january 2019 by kme
How to install certificates for command line - Ask Ubuntu
For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.

In ubuntu:

Go to /usr/share/ca-certificates/
Create a new folder, i.e. "sudo mkdir school"
Copy the .crt file into the school folder
Make sure the permissions are OK (755 for the folder, 644 for the file)
Run "sudo update-ca-certificates"
sysadmin  ubuntu  linux  ca  certificates  ssl  github  mitm  solution 
june 2017 by kme
Error:The Private Key for this Client Certificate is missing or invalid. · Issue #579 · jlund/streisand · GitHub
I had this problem importing root CAs into Chrome, but I was on the "Your Certificates" tab; just switch to "Servers" or "Authorities" and try again. You might need to manually check "Trust this certificate for identifying web sites," too.
errormessage  chromium  chrome  certificates  rootcertificates  ca  solution 
april 2017 by kme
docker - Does Alpine Linux handle certs differently than Busybox? - Stack Overflow
Just to be sure the CA certificates are created/updated where they are supposed to, try and add (after this answer) update-ca-certificates:

apk add ca-certificates
update-ca-certificates

In your case:

RUN apk --update upgrade && \
    apk add curl ca-certificates && \
    update-ca-certificates && \
    rm -rf /var/cache/apk/*
alpinelinux  linux  alpine  cacerts  certificates  maybesolution 
march 2017 by kme
mk-ca-bundle
This script lives in lib/mk-ca-bundle.pl in current curl distributions.
ssl  certs  curl  certificates  ca  solution 
march 2016 by kme
linux - git clone: fatal: Unable to find remote helper for 'https' - Stack Overflow
In my case, I need to compile 'libcurl' from source, and then also provide a PEM-format CA bundle so that I wouldn't get the "unable to get local issuer certificate" error. Have a look at bookmarks tagged openssl+curl+solution, or the Portfile for MacPorts' curl-ca-bundle.
git  ssl  https  certificates  curl  solution 
march 2016 by kme
curl: SSL certificate problem: unable to get local issuer certificate · Issue #2 · torch/ezinstall · GitHub
See: http://stackoverflow.com/questions/3777075/ssl-certificate-rejected-trying-to-access-github-over-https-behind-firewall

Solution 2 in Post#3 is the correct and secure way to do it.
2. Actually install root certificates. Curl guys extracted for you certificates from mozilla:

http://curl.haxx.se/docs/caextract.html

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.
solution  curl  ssl  ca  castore  certificates  openssl  git 
march 2016 by kme
git - SSL certificate rejected trying to access GitHub over HTTPS behind firewall - Stack Overflow
See below for 'configure' flags that were necessary to get 'curl' to look in the right place for the PEM certificate bundle.
Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:

$ cd /usr/ssl/certs
$ curl https://curl.haxx.se/ca/cacert.pem |
    awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash


I actually used this script:
wget -O - http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'


Then I cheated off of the MacPorts Portfile for 'curl' (source: https://trac.macports.org/browser/trunk/dports/net/curl/Portfile) to discover the "--with-ca-bundle=/path/to/curl-ca-bundle.crt" 'configure' flag which seems to have done the trick.

Also useful, in extreme circumstances, how to get Git to ignore SSL certs altogether:
$ env GIT_SSL_NO_VERIFY=true git clone https://github...
git  github  curl  ssl  cacert  castore  certificates  cs  openssl  solution  fuckina 
march 2016 by kme
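
An added example (not taken from any of the bookmarked pages, curl or OpenSSL): a Python standard-library take on the bundle split and the DER-vs-PEM handling in the notes above. It skips the label text between certificates and yields a SHA-256 fingerprint that can be compared with one obtained out of band before a CA goes into the trust store. All function names are hypothetical and the sample blobs are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)


def split_bundle(text):
    """Return the DER bytes of each certificate in a PEM bundle; labels and
    comments between blocks (as in cacert.pem) are skipped."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())       # drop all whitespace, CR too
        der = base64.b64decode(body, validate=True)  # raises on corrupt base64
        if not der.startswith(b"\x30"):  # a certificate is an ASN.1 SEQUENCE
            raise ValueError("block does not hold DER-encoded ASN.1")
        certs.append(der)
    return certs


def to_der(data):
    """Accept one certificate as PEM or DER bytes and return its DER form."""
    if BEGIN.encode("ascii") in data:
        certs = split_bundle(data.decode("ascii"))
        if len(certs) != 1:
            raise ValueError("expected exactly one certificate")
        return certs[0]
    if not data.startswith(b"\x30"):
        raise ValueError("neither PEM nor DER")
    return data


def to_pem(der):
    """Encode DER as PEM with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END, ""])


def fingerprint(der):
    """SHA-256 of the DER bytes as colon-separated uppercase hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed placeholders (minimal ASN.1 SEQUENCEs), not real certificates.
SAMPLE_DER = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE_BUNDLE = "CA one\n===\n" + "\nCA two\r\n".join(map(to_pem, SAMPLE_DER))
```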
Certificate Installation with OpenSSL - Other People's Certificates
(Partial) solution to verifying a CA certificate using 'certtool' and a "trusted" MD5 fingerprint.

Used this on 1/1/2010 to verify the SPI (Software in the Public Interest) CA for getting the Debian 'apt' keys.
openssl  webmaster  sysadmin  solution  certificates  castore  ca  ssl 
january 2010 by kme
