Bug 102060 - certificate verify failed
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: up2date
4.0
All Linux
high Severity high
Assigned To: Adrian Likins
Red Hat Satellite QA List
https://xmlrpc.rhn.redhat.com/XMLRPC
Reported: 2003-08-10 01:42 EDT by Jerry Foster
Modified: 2009-11-13 11:23 EST
Doc Type: Bug Fix
Last Closed: 2009-11-13 11:23:16 EST
Description Jerry Foster 2003-08-10 01:42:52 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208
Netscape/7.02

Description of problem:
Certificate expired on 08/09/03 11:05PM
https://xmlrpc.rhn.redhat.com/XMLRPC

rhn-applet displays message "Error connecting to RHN...".

up2date fails to run or display any error message.

up2date-config displays the following error message:

There was an SSL error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
'certificate verify failed')]


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run rhn-applet or up2date or up2date-config

Actual Results:  Errors as described above.

Expected Results:  It should have worked.

Additional info:

Selecting High severity since this apparently is affecting the entire RHN website.
Comment 1 Adrian Likins 2003-08-13 20:50:13 EDT
what version of up2date?
Comment 2 Adrian Likins 2003-08-13 21:27:41 EDT
Oh, and the ssl certs on the server have since been updated.
Comment 3 Jerry Foster 2003-08-14 03:04:13 EDT
When they fixed the certificate issue, everything worked fine...
Comment 4 Michael J. Cohen 2003-09-08 05:25:02 EDT
using Severn marked on the FTP as August 18th, 2003:

[root@dvdburner root]# up2date --register
Traceback (most recent call last):
  File "/usr/share/rhn/up2date_client/gui.py", line 419, in onPrivacyPagePrepare
   text = rhnreg.privacyText()
  File "/usr/share/rhn/up2date_client/rhnreg.py", line 176, in privacyText
    return rpcServer.doCall(s.registration.privacy_statement)
  File "/usr/share/rhn/up2date_client/rpcServer.py", line 114, in doCall
    ret = apply(method, args, kwargs)
  File "/usr/lib/python2.2/xmlrpclib.py", line 821, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.2/site-packages/rhn/rpclib.py", line 191, in _request
    verbose=self._verbose
  File "/usr/lib/python2.2/site-packages/rhn/transports.py", line 162, in request
    headers, fd = req.send_http(host, handler)
  File "/usr/lib/python2.2/site-packages/rhn/transports.py", line 667, in send_http
    headers=self.headers)
  File "/usr/lib/python2.2/httplib.py", line 701, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.2/httplib.py", line 723, in _send_request
    self.endheaders()
  File "/usr/lib/python2.2/httplib.py", line 695, in endheaders
    self._send_output()
  File "/usr/lib/python2.2/httplib.py", line 581, in _send_output
    self.send(msg)
  File "/usr/lib/python2.2/httplib.py", line 560, in send
    self.sock.sendall(str)
  File "/usr/lib/python2.2/site-packages/rhn/SSL.py", line 191, in write
    sent = self._connection.send(data)
SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify
failed')]
[root@dvdburner root]# openssl s_client -connect xmlrpc.rhn.redhat.com:443 -CAfile
usage: s_client args
 
 -host host     - use -connect instead
 -port port     - use -connect instead
 -connect host:port - who to connect to (default is localhost:4433)
 -verify arg   - turn on peer certificate verification
 -cert arg     - certificate file to use, PEM format assumed
 -key arg      - Private key file to use, PEM format assumed, in cert file if
                 not specified but cert file is.
 -CApath arg   - PEM format directory of CA's
 -CAfile arg   - PEM format file of CA's
 -reconnect    - Drop and re-make the connection with the same Session-ID
 -pause        - sleep(1) after each read(2) and write(2) system call
 -showcerts    - show all certificates in the chain
 -debug        - extra output
 -msg          - Show protocol messages
 -nbio_test    - more ssl protocol testing
 -state        - print the 'ssl' states
 -nbio         - Run with non-blocking IO
 -crlf         - convert LF from terminal into CRLF
 -quiet        - no s_client output
 -ign_eof      - ignore input eof (default when -quiet)
 -ssl2         - just use SSLv2
 -ssl3         - just use SSLv3
 -tls1         - just use TLSv1
 -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
 -bugs         - Switch on all SSL implementation bug workarounds
 -serverpref   - Use server's cipher preferences (only SSLv2)
 -cipher       - preferred cipher to use, use the 'openssl ciphers'
                 command to see what is available
 -starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp" is supported.
 -engine id    - Initialise and use the specified engine
 -rand file:file:...
[root@dvdburner root]# openssl s_client -connect xmlrpc.rhn.redhat.com:443
-CAfile /usr/share/rhn/RHNS-CA-CERT
CONNECTED(00000003)
depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN
Certificate Authority/emailAddress=rhn-noc@redhat.com
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
issuer=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
No client certificate CA names sent
---
SSL handshake has read 1266 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 81CE0A187CC60F69415841820ED14D72A1048422877280786A8ADB00F9C231F1
   Session-ID-ctx:
    Master-Key:
67857733F9C940CC875F3B1168CB5C5236407457348BB62E0529C5BC60BFAAC01558E7430942783DF1C58FEA2623C269
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1063012493
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
 
[root@dvdburner root]# rpm
[root@dvdburner root]# vim /etc/sysconfig/rhn/
rhn-applet           up2date              up2date-uuid
rhnsd                up2date-keyring.gpg
[root@dvdburner root]# vim /etc/sysconfig/rhn/rhn-applet
[root@dvdburner root]# openssl s_client -connect www.rhns.redhat.com:443 -CAfile
/usr/share/rhn/RHNS-CA-CERT
CONNECTED(00000003)
depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN
Certificate Authority/emailAddress=rhn-noc@redhat.com
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=xmlrpc.rhn.redhat.com/emailAddress=rhn-noc@redhat.com
issuer=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
No client certificate CA names sent
---
SSL handshake has read 1266 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 9F6CE84A500E7139A06971CDC17C9CDB02BE94C1E1986CE3B6A8DE26C04BEDE2
   Session-ID-ctx:
    Master-Key:
DA5F87A20E8188BA9BBAF2A34E186A9B9D2870D7117A416166386111593118CC5774B28D5E5C2A3EE1FABD7B77F970AF
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1063012771
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
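
Added example, not part of the original comments or of up2date: a small Python triage of the `openssl s_client` verify output shown in Comment 4, which reports the first `verify error` as the root cause instead of the final `Verify return code`. The function name `triage_s_client`, the advice strings and the two sample transcripts are assumptions constructed for illustration.

```python
import re

# OpenSSL X509 verify codes -> what to check on the client (advice text is ours).
TRIAGE = {
    9: "certificate not yet valid: check the system clock",
    10: "certificate has expired: check the system clock, else the server must renew",
    18: "self-signed server certificate: not issued by any CA in the bundle",
    19: "self-signed CA in the chain is missing from the local CA bundle",
    20: "issuer not found locally: -CAfile is stale or is the wrong bundle",
    21: "leaf cannot be chained: one certificate sent and its issuer is not local",
    27: "certificate not trusted: its issuer is not a trusted CA in the bundle",
}
DEPTH_RE = re.compile(r"^depth=(\d+)\b")
ERROR_RE = re.compile(r"^verify error:num=(\d+):")
FINAL_RE = re.compile(r"Verify return code:\s*(\d+)")

def triage_s_client(transcript):
    """Summarise verify errors in `openssl s_client` output.
    Assumption: the first error printed is the root cause and later ones are
    consequences, which matches the 20 -> 27 -> 21 run above."""
    depth, errors, final = None, [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))          # errors that follow belong to this depth
        elif m := ERROR_RE.match(line):
            errors.append((depth, int(m.group(1))))
        elif m := FINAL_RE.search(line):
            final = int(m.group(1))          # last error seen, not the first
    if not errors:
        return {"ok": final == 0, "final": final, "root": None, "advice": None}
    root_depth, root = errors[0]
    return {"ok": False, "final": final, "root": root, "depth": root_depth,
            "advice": TRIAGE.get(root, "unmapped code"),
            "codes": [code for _, code in errors]}

# Constructed samples: the first is abridged from the transcript above, the
# second is what an expired server certificate would print.
UNTRUSTED = """depth=0 /CN=xmlrpc.rhn.redhat.com
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
    Verify return code: 21 (unable to verify the first certificate)"""
EXPIRED = """depth=0 /CN=xmlrpc.rhn.redhat.com
verify error:num=10:certificate has expired
    Verify return code: 10 (certificate has expired)"""

if __name__ == "__main__":
    for name, text in (("untrusted", UNTRUSTED), ("expired", EXPIRED)):
        print(name, triage_s_client(text))
```
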
Comment 5 Alex Schuilenburg 2003-09-22 09:02:15 EDT
I also get the same error.  No more updates for me then :-(

bash% up2date-nox -v --nosig -f -u
There was an SSL error: [('SSL 
routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
A common cause of this error is the system time being incorrect. Verify that 
the time on this system is correct.
Comment 6 Hernan Del Negro 2007-09-05 15:43:24 EDT
I had that same error, in a server which doesn't use a DNS.

Since the SSL verify is not made by IP address but by hostname, you could
specify the following line in the /etc/hosts:

209.132.177.100       xmlrpc.rhn.redhat.com

It has worked for me, why don't you try?

Hernán
