Comments (3)
Well... it took a while to debug, but the cause was the way the certificates are extracted from the Windows certificate store using certutil, extracting the key and certs from it. It only extracted the key and main cert and not the root/intermediate CA certs. I have added extracting those as well, concatenate the two extracted files (main cert first, root/intermediate after it) and now it seems to work fine 👍
Thanks again @growse!
from android.
Curl doesn't like your server response:

```
$ curl https://openhab.gersonlohman.nl/gpstracker/owntracks
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Openssl doesn't like it either:

```
$ </dev/null openssl s_client -connect openhab.gersonlohman.nl:443 -showcerts 2>/dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = gersonlohman.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 20 07:09:34 2022 GMT; NotAfter: Jan 18 07:09:33 2023 GMT
-----BEGIN CERTIFICATE-----
MII[...]Q==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = gersonlohman.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2365 bytes and written 418 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A086E3F56D522C3382B414C8F9FA9D93FC08AE9D9276D10ABF344308F73F03EA
    Session-ID-ctx:
    Master-Key: 33EAFCE430A8A914E87DE15D996403314EA5D9C9F8443A20B74E528D31136EEFDEA44C4A717703CF5E5FB1AA892B0C49
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c1 0b 1c c7 c4 49 b7 6e-66 e5 64 20 d2 a7 78 d5   .....I.nf.d ..x.
    0010 - 59 14 bb c5 7c 8d a1 80-4d e2 4e ba 6b c1 c2 0b   Y...|...M.N.k...
    0020 - 02 9c e0 18 ff b6 06 f9-1e c8 0c 5b 07 94 59 35   ...........[..Y5
    0030 - 1f 19 f5 e5 22 3d d4 13-1e 7a 4f c8 e2 2d ee 4e   ...."=...zO..-.N
    0040 - 6b 08 43 75 0b 53 03 62-18 f5 5f 0b 5f b8 81 78   k.Cu.S.b.._._..x
    0050 - 9e 01 35 3b 91 e6 1b 23-97 f7 ad 70 1a e9 83 98   ..5;...#...p....
    0060 - 8d ef a8 ce 98 2e 38 0f-c5 ef 99 06 a7 8f 3a 42   ......8.......:B
    0070 - bb 83 8d 68 b5 1b 0c 31-c2 82 ee bf 31 1d 7d cf   ...h...1....1.}.
    0080 - 6f 25 bb a7 4e 4e df 35-b7 30 b1 76 1d 13 ad f5   o%..NN.5.0.v....
    0090 - 8c c8 33 2d d9 cd 2c c9-6c 79 cf 27 02 a5 fc a6   ..3-..,.ly.'....
    00a0 - 15 f7 4b d1 41 73 e2 65-fc f5 78 10 42 45 b5 d9   ..K.As.e..x.BE..
    00b0 - 82 2d a5 85 80 48 4d 16-2c fc 97 ff 4c 51 a2 02   .-...HM.,...LQ..
    00c0 - 97 47 2c 1b cf ef a5 e1-56 6f f0 ba ff ad 94 3c   .G,.....Vo.....<
    00d0 - aa a4 55 a4 ca 77 19 95-b6 36 ff 98 72 be 24 47   ..U..w...6..r.$G

    Start Time: 1666377396
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
```
The key bit here is `Verification error: unable to verify the first certificate`. The webserver is only sending a single certificate, where it actually needs to be sending the whole chain. Compare the openssl output with what you get if you query `example.com`, where you see both the leaf cert (for `example.com`) and the DigiCert Global Root CA cert that signed it.
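The diagnosis above (server sends only the leaf) and the fix in the later comment (concatenate leaf first, then the intermediate) can be reproduced offline. This is an added demo script, not code from the issue or from the OwnTracks project: it builds a throwaway Root CA, Intermediate and leaf with openssl, then checks three candidate server bundles the way a TLS client would. The hostname `tracker.example`, the CA names and the `check_bundle` helper are all constructed for the demo.

```shell
#!/bin/sh
# Added demo, not code from the issue: build a throwaway Root CA -> Intermediate ->
# leaf chain with openssl, then check candidate server bundles like a TLS client.
# Hostname and CA names are constructed for the demo.
set -eu
WORK=$(mktemp -d)
HOST=tracker.example

# Root CA: self-signed, the only certificate the demo client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA signed by the root (the cert the thread's server failed to send).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Leaf certificate for $HOST, signed by the intermediate.
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/leaf.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# check_bundle FILE: FILE is what the server would send (e.g. Apache's
# SSLCertificateFile). Like a browser, treat the first cert as the server cert and
# the rest as untrusted helpers; succeed only if a path to root.pem can be built
# AND the first cert is valid for $HOST. Exit 0 = OK, non-zero = incomplete/misordered.
check_bundle() {
  awk '/BEGIN CERT/ { n++ } n == 1' "$1" > "$WORK/first.pem"
  awk '/BEGIN CERT/ { n++ } n > 1'  "$1" > "$WORK/rest.pem"
  untrusted=""
  [ -s "$WORK/rest.pem" ] && untrusted="-untrusted $WORK/rest.pem"
  # shellcheck disable=SC2086  # $untrusted is intentionally word-split
  openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$HOST" $untrusted \
    "$WORK/first.pem" >/dev/null 2>&1
}

cp  "$WORK/leaf.pem" "$WORK/leaf-only.pem"                      # what the thread's server sent
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"    # the fix: leaf first, then CA certs
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/wrong-order.pem"  # concatenated the wrong way round

for f in leaf-only fullchain wrong-order; do
  if check_bundle "$WORK/$f.pem"; then echo "$f: OK"; else echo "$f: incomplete or misordered chain"; fi
done
```

Pointing `check_bundle` at the file Apache serves reproduces curl's error 60 (leaf only) as a non-zero `openssl verify`, and shows that the order of the concatenation matters, not just its contents.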
Superb Andrew, absolutely appreciate the help (great troubleshooting steps which will help me with any SSL issues in near future). Will investigate why apache is only sending the main cert and not the whole chain. Might be the way I generate the certificate (with Certify the web) or the way the certificate is used in httpd-ssl.conf. Will close the issue (as it seems to be my tooling, not owntracks) but will update here when I figure it out to make sure the solution is still tracked.