[WLUG] Which CA does my ssl certificate belong to on the file system

Robert Steckroth robertsteckroth at gmail.com
Sun Jun 12 17:16:21 EDT 2016


This is the bottom line here.
git pull origin master
fatal: unable to access 'https://*******.com/repository/test.git/': server
certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
CRLfile: none

The thing is, other https sites (github.com) do not have this problem. Why
is my certificate not found on the file system but github.com's is?


On Sun, Jun 12, 2016 at 1:45 PM, James Stroehmann <jaymz at jaymz.org> wrote:

> Can you include the git command you are running and the error you see?
>
>
> ------
>
> On Jun 12, 2016, at 12:01 PM, Robert Steckroth <robertsteckroth at gmail.com>
> wrote:
>
>
> corollarily ;)
> It seems that git is not using the Comodo CA chain in its internal
> workings. I need to switch registrars maybe..
>
>
> On Sun, Jun 12, 2016 at 7:50 AM, Carl T. Miller <carl at carltm.com> wrote:
>
>> Any certificate that is created for use on a server
>> contains the info about the CA that can verify it.
>> And if there is a chain, it will have info for each
>> of the CAs.
>>
>> If you want, just send a copy of the certificate and I'll
>> run the commands and show you the output.
>>
>> c
>>
>>
>> Robert Steckroth wrote:
>> > Well, the Certificate Authority made the certificate and I would like to
>> > know which chain it belongs with the local CA certificates. Maybe it
>> > requires many commands??
>> >
>> > On Sat, Jun 11, 2016 at 8:59 PM, Carl T. Miller <carl at carltm.com> wrote:
>> >
>> >> If I understand correctly, you're saying you want to
>> >> know which installed CA certificate is used to verify
>> >> the certificates which you create.  Is that it?  If
>> >> so, just take a certificate that you created and run
>> >> the commands on it.
>> >>
>> >> (create a file for each cert including the "BEGIN
>> >> CERTIFICATE" and "END CERTIFICATE" lines)
>> >> openssl x509 -noout -text -purpose -in onecert
>> >>
>> >> c
>> >>
>> >>
>> >> Robert Steckroth wrote:
>> >> > Yes, thank you for the response Carl. I need to know what certificate
>> >> > corresponds with the installed CA certificates. It is not just the
>> >> > browsers which verify certificates with a CA-certificate, it is every
>> >> > platform that uses https. Therefore, in order to manually verify a
>> >> > remotely served certificate is trusted, I need to know which
>> >> > CA-certificate it was created from on the local file system. It just
>> >> > seems like a simple terminal command would locate the CA-certificate
>> >> > for any given certificate, but research has proved time consuming.
>> >> >
>> >> > On Sat, Jun 11, 2016 at 4:58 PM, Carl T. Miller <carl at carltm.com> wrote:
>> >> >
>> >> >> When you connect to a website with a browser (or the
>> >> >> openssl client) you get a copy of the certificate
>> >> >> directly from the webserver.  If you want to know where
>> >> >> the certificate is stored locally, you'd have to look
>> >> >> at the configuration of the webserver.
>> >> >>
>> >> >> You also mentioned a CA hosted through namecheap.  That
>> >> >> would give you the ability to create certificates.
>> >> >> You should be able to access the secret key file and
>> >> >> the certificate file for any certificate you have created.
>> >> >>
>> >> >> In addition to this, it is common for your browser to
>> >> >> use certificates to verify well-known CAs.  Look in your
>> >> >> browser's configuration to manage to view and, perhaps,
>> >> >> delete these certificates.
>> >> >>
>> >> >> So...the first paragraph describes a certificate in use.
>> >> >> The second describes a certificate which may or may not
>> >> >> be in use.  The third describes certificates which have
>> >> >> been installed, and can verify a certificate in use.
>> >> >>
>> >> >> My question to you...what certificate is it that you
>> >> >> want to find?  One you use currently, one that you
>> >> >> created, or one that has been installed?
>> >> >>
>> >> >> c
>> >> >>
>> >> >>
>> >> >> Robert Steckroth wrote:
>> >> >> > Well, I don't know then.. I am under the impression that when a
>> >> >> > remote server sends a certificate, it needs to be verified against
>> >> >> > the certificates in the local file system to ensure that there is no
>> >> >> > middleman. So, shouldn't openssl be able to return the local path to
>> >> >> > any certs which correspond to the one sent by the remote?
>> >> >> >
>> >> >> > On Sat, Jun 11, 2016 at 10:18 AM, Carl T. Miller <carl at carltm.com> wrote:
>> >> >> >
>> >> >> >> Hi Robert,
>> >> >> >>
>> >> >> >> You can use openssl to retrieve and view the certificates on a
>> >> >> >> webserver.
>> >> >> >>
>> >> >> >> To retrieve all certs on a server:
>> >> >> >> openssl s_client -connect www.carltm.com:443 -showcerts | tee allcerts
>> >> >> >>
>> >> >> >> To view each cert:
>> >> >> >> (create a file for each cert including the "BEGIN CERTIFICATE" and
>> >> >> >> "END CERTIFICATE" lines)
>> >> >> >> openssl x509 -noout -text -purpose -in onecert
>> >> >> >>
>> >> >> >> I hope this helps with your investigation.
>> >> >> >>
>> >> >> >> c
>> >> >> >>
>> >> >> >>
>> >> >> >> Robert Steckroth wrote:
>> >> >> >> > Hello everyone, I have an interesting question for those of you
>> >> >> >> > with https experience.
>> >> >> >> > I have a certificate authority (through namecheap), chained to my
>> >> >> >> > ssl key/certificate which is distributed by a Ubuntu server. The
>> >> >> >> > https content server is nodejs and serves the ssl cert to three
>> >> >> >> > types of platforms: web browsers, git repositories, and a qt
>> >> >> >> > desktop application. The https server works fine on browsers (with
>> >> >> >> > the green https uri text). The problem is, I need to know where the
>> >> >> >> > CA certificate is kept on my local ubuntu file system in order to
>> >> >> >> > add it to the qt application and to the git config. I think maybe
>> >> >> >> > it is a cheap CA since git does not already know about the CA on
>> >> >> >> > the file system (it works if I add it manually via git config
>> >> >> >> > http.sslCAInfo). Anyways, I still would like to know if there is a
>> >> >> >> > terminal command to find which CA my cert belongs to on the file
>> >> >> >> > system. It seems that they are everywhere on it, jeesh.
>> >> >> >> > ______________________________________________________
>> >> >> >> > washlug mailing list    washlug web site
>> >> >> >> > washlug at washlug.org     www.washlug.org
>> >> >> >> > http://linux.marcdatabase.com/mailman/listinfo/washlug
>> >> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > <surgemcgee>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > <surgemcgee>
>> >
>> >
>> >
>> > --
>> > <surgemcgee>
>
>
>
> --
> <surgemcgee>


-- 
<surgemcgee>
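
Added example, not part of the original messages: the issuer-hash lookup that maps a certificate to the CA file that issued it in a hashed trust directory such as /etc/ssl/certs, applied to every certificate in an `openssl s_client -showcerts` capture. The function names and the NOT-IN-STORE label are illustrative, and the trust directory is assumed to carry the `<hash>.N` links that c_rehash or update-ca-certificates create.

```shell
#!/bin/sh
# Added example (not from the thread): map each certificate a server sent to
# the CA file in a hashed trust directory that issued it.

# split_chain FILE OUTDIR: write every PEM certificate in FILE (for example the
# "allcerts" capture from `openssl s_client -showcerts`) to OUTDIR/cert-N.pem
# and print how many were found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
        END { print n + 0 }' "$1"
}

# dn FIELD CERT: print the subject or issuer name in one canonical text form.
dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" 2>/dev/null | sed 's/^[a-z]*= *//'
}

# find_issuer CERT CADIR: print the CA file in CADIR whose subject equals CERT's
# issuer. Candidates are the <issuer_hash>.N links; .1, .2 ... exist only when
# two CA names hash to the same value, so the names are compared as well.
find_issuer() {
    h=$(openssl x509 -noout -issuer_hash -in "$1") || return 2
    for f in "$2/$h".*; do
        [ -e "$f" ] || continue
        if [ "$(dn subject "$f")" = "$(dn issuer "$1")" ]; then
            readlink -f "$f"   # resolve the hash symlink to the real file
            return 0
        fi
    done
    return 1
}

# trace_chain FILE CADIR: print one line per certificate found in FILE.
trace_chain() {
    tmp=$(mktemp -d) || return 2
    split_chain "$1" "$tmp" >/dev/null
    for c in "$tmp"/cert-*.pem; do
        [ -e "$c" ] || continue
        ca=$(find_issuer "$c" "$2") || ca="NOT-IN-STORE"
        printf '%s | issuer: %s | local CA file: %s\n' \
            "$(dn subject "$c")" "$(dn issuer "$c")" "$ca"
    done
    rm -rf "$tmp"
}
# Usage: sh which-ca.sh allcerts /etc/ssl/certs
if [ "$#" -eq 2 ]; then trace_chain "$1" "$2"; fi
```

A leaf that reports NOT-IN-STORE while a later certificate in the same capture resolves to a local file was issued by an intermediate CA; only the last link of the chain has to exist in the trust directory, and the server has to send the intermediates in between.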