Re: Unable to get local issuer certificate

2023-09-21 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Andy,

> -Original Message-
> From: Andy Pont 
> Sent: Monday, 18 September 2023 19:48
> To: Tomcat Users List 
> Subject: Re: Unable to get local issuer certificate
> 
> Thomas wrote…
> 
> >This means, the calling program can't verify the certificate.
> >Check whether all the intermediates are delivered by tomcat.
> >Furthermore, the calling program must know the root-certificate of your
> webserver certificate.
> 
> If I look at a random website using 'openssl s_client -showcerts -connect'
> then I get the server certificate plus two others:
> 
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = xxx.mydomain.com
> 
> If I use the same command with the Tomcat servlet then it gives the
> following:
> 
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 
> The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go
> Daddy Root Certificate Authority - G2” according to the browser.
> 
> My guess is that the .pfx file that Tomcat is using doesn’t include them.
> 
> -Andy.
> 

You can check the pfx file via:
keytool -list -v -storetype pkcs12 -keystore server.p12 

If the file doesn’t contain the intermediate certificates, you have to add them.
Don’t add the root certificate because the client has to have it anyway.

You might also consider using PEM files instead of pfx files. 
In my opinion they are easier to handle and you don’t need additional tools to 
modify them.

Greetings, Thomas


Re: Unable to get local issuer certificate

2023-09-18 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Andy,

> -Original Message-
> From: Andy Pont 
> Sent: Monday, 18 September 2023 19:08
> To: users@tomcat.apache.org
> Subject: Unable to get local issuer certificate
> 
> Hello,
> 
> I am receiving the above error when a GitLab webhook tries to call my
> servlet.  The full text of the error states:
> 
> SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable
> to get local issuer certificate).
> 
> If I try to access any of the servlets running in the same Tomcat server from
> a web browser then the certificate is OK and the padlock icon appears as
> expected.  The certificate that is used by Tomcat is a domain wildcard
> certificate issued by Go-Daddy.
> 
> Any ideas on what isn’t being correctly sent in response to the GitLab
> webhook?
> 
> Thanks,
> 
> Andy.
> 

This means the calling program can't verify the certificate.
Check whether all the intermediates are delivered by Tomcat.
Furthermore, the calling program must know the root certificate of your
web server certificate.

Maybe you can post the certificate chain.
You might use openssl for this, or https://github.com/rbsec/sslscan for example.
Don’t use the browser because it doesn’t show what the server delivers.

Greetings,
Thomas
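
The script below is an added example and is not code from either of the messages above or from the Tomcat project. It reproduces the situation both messages describe: it builds a throw-away root -> intermediate -> leaf chain with openssl, shows that a client holding only the root fails with "unable to get local issuer certificate" when the intermediate is not delivered, then builds the PKCS12 file the way Thomas recommends (leaf plus intermediate, no root) and counts what it contains, which is the same information "keytool -list -v" reports. It also wraps the "openssl s_client -showcerts" check for a live server so you look at what the server actually sends rather than at the browser padlock. The CA names, the *.example.test hostname, the "changeit" password and the helper names (make_test_chain, verify_leaf, build_p12, count_p12_certs, served_chain) are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reproduces error 20
# ("unable to get local issuer certificate") with a constructed test chain
# and shows the difference between a PKCS12 file holding only the leaf and
# one that also carries the intermediate. Requires openssl (1.1.1 or 3.x).
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"   # demo password only

# Build root -> intermediate -> leaf. Every certificate is issued with
# "openssl x509 -req -extfile" so the same commands work on 1.1.1 and 3.x.
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test\n' > "$WORK/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" 2>/dev/null
}

# What the webhook client does: it trusts the root only, and can use
# intermediates only if they were sent along with the leaf.
# usage: verify_leaf leaf.crt [intermediates.pem]   -> prints OK or the reason
verify_leaf() {
  if [ $# -ge 2 ]; then
    out=$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$WORK/root.crt" "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo OK ;;
    *"unable to get local issuer certificate"*) echo "error 20: unable to get local issuer certificate" ;;
    *) echo "error: $out" ;;
  esac
}

# Build the PKCS12 keystore Tomcat loads. Without the optional intermediate
# file this is the "pfx holds only the leaf" case suspected in the thread.
# usage: build_p12 out.p12 [intermediates.pem]
build_p12() {
  if [ $# -ge 2 ]; then
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" -certfile "$2" \
      -name tomcat -passout "pass:$P12_PASS" -out "$1"
  else
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
      -name tomcat -passout "pass:$P12_PASS" -out "$1"
  fi
}

# Number of certificates in a PKCS12 file (the chain length keytool -list -v shows).
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# The chain a live server really delivers, in the order it sends it.
# The browser may have completed the chain from its own cache, so it is not
# evidence. Needs network access; -servername sends SNI. usage: served_chain host [port]
served_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$WORK/served.pem"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/served.pem" | openssl pkcs7 -print_certs -noout
}

make_test_chain
build_p12 "$WORK/server-leaf-only.p12"
build_p12 "$WORK/server-with-chain.p12" "$WORK/inter.crt"
echo "leaf only:  $(count_p12_certs "$WORK/server-leaf-only.p12") cert(s); client sees: $(verify_leaf "$WORK/server.crt")"
echo "with chain: $(count_p12_certs "$WORK/server-with-chain.p12") cert(s); client sees: $(verify_leaf "$WORK/server.crt" "$WORK/inter.crt")"

# Optional: pass a hostname to print the chain a live server delivers.
[ $# -eq 0 ] || served_chain "$1"
```

Run it with no arguments to see the two PKCS12 variants side by side, or with a hostname (for example the one the GitLab webhook calls) to print the served chain; if only one subject/issuer pair comes back, the intermediate is missing on the server side, whatever the browser padlock says. Two caveats: a PKCS12 file written by OpenSSL 3.x uses AES and PBKDF2 by default, and an older JDK keytool may refuse to read it, in which case add "-legacy" to the "openssl pkcs12 -export" command; and in Tomcat the PEM alternative Thomas mentions is the Certificate element's certificateFile, certificateKeyFile and certificateChainFile attributes, where the chain file holds just the intermediates.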


