Facebook - Curl Error SSL_CACERT SSL certificate - facebook

I am getting "Curl Error : SSL_CACERT SSL certificate problem: unable to get local issuer certificate" when asking Facebook to scrape my page over https. How can I fix this so that Facebook can scrape my page without errors?
The page is hosted via Apache 2.4 proxying to IIS 10. Apache handles all certificates and IIS is on the local network. My page is running asp code (so no php) and solutions similar to these: edit the php.ini file or adding curl.pem to php folder will not work fix my problem ... or so I think?!?
IIS has no certificate installed.
I do have extension=php_curl.dll enabled -- and extension_dir = 'C:\64bit\php-7.0.6-Win32-VC14-x64\ext' defined in my php.ini file. I followed these steps to install Curl on Windows. And phpinfo.php confirms that cURL is enabled (cURL Information 7.47.1).
My proxy setup in my Apache config file is:
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPass / http://192.168.1.101:88/com_ssl/
ProxyPassReverse / http://192.168.1.101:88/com_ssl/
RewriteRule ^(.+)$ https://www.domainname.com/$1 [P,L]
</IfModule>
I have no RequestHeader defined in my Apache proxy config file, such as suggested here in Step 10:
RequestHeader set "X-RP-UNIQUE-ID" "%{UNIQUE_ID}e"
RequestHeader set "X-RP-REMOTE-USER" "%{REMOTE_USER}e"
RequestHeader set "X-RP-SSL-PROTOCOL" "%{SSL_PROTOCOL}s"
RequestHeader set "X-RP-SSL-CIPHER" "%{SSL_CIPHER}s"
Is this what is missing to fix the error?

"unable to get local issuer certificate" is almost always the error message you get when the server doesn't provide an intermediate certificate as it should in the TLS handshake, and as WizKid suggests, running the ssllabs test against the server will indeed tell you if that is the case.

If you are using nodejs server and getting this error 'Curl Error SSL_CACERT SSL certificate' then you need to add your CA along with your SSL CRT.
var fs = require('fs');
var https = require('https');
var options = {
key: fs.readFileSync('server-key.pem'),
cert: fs.readFileSync('server-crt.pem'),
ca: fs.readFileSync('ca-crt.pem'), // <= Add This
};
https.createServer(options, function (req, res) {
console.log(new Date()+' '+
req.connection.remoteAddress+' '+
req.method+' '+req.url);
res.writeHead(200);
res.end("hello world\n");
}).listen(4433);

This may not have been the case at the time but I will add this info in case others encounter the same issue.
If you are using a CDN, like cloudflare, it is important to set up your SSL before adding to cloudflare as it can generate issues.
It is also important to ensure that all domains are correctly annotated in the DNS control of cloudflare, otherwise you may end up serving your main domain via cloudflare and your subdomain(s) directly from your server. Whilst this wont matter much to the user (still shows secure, still have access, still passes SSL tests) it may flag issues with sharing apps onto social media. Basically, I replicated the error by splitting the DNS setup as above and achieved the flagged error as highlighted by the op. Then I added the DNS for the subdomain into cloudflare, tested a few hours later (after resetting the page in debudder: https://developers.facebook.com/tools/debug/sharing/?q=https%3A%2F%2Fus.icalculator.info%2Fterminology%2Fus-tax-tables%2F2019%2Fvirginia.html). and, hey presto, the error goes. So, if you encounter that issue and you use cloudflare, that is something to check you have set up correctly.

Related

SSL error calling Perl web service via https using LWP

I have a Perl script that acts as a web service to other Perl scripts running under the same domain. I recently created a new SSL certificate (AlphaSSL) for this domain and installed it on the server and it shows up fine when accessing the site using https.
However, now when a client script calls the web service using htttps via LWP, an error is issued where previously it was not. The code to call the web service looks like this:
$useragent = LWP::UserAgent->new();
$useragent->agent("someagentid");
$postdata = {
'action' => $apiaction,
'xauth' => $REQUEST_AUTH_KEY,
};
$response = $useragent->post($BILLING_INFO_GATEWAY, $postdata);
The gateway in the post is an https: URL to the web service script running under the same domain.
The error it produces is:
500 Can't connect to xxxxx.com:443 (certificate verify failed)
Content-Type: text/plain
Client-Date: Tue, 25 Nov 2014 01:52:20 GMT Client-Warning: Internal response
Can't connect to xxxxx.com:443 (certificate verify failed)
LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed at /usr/perl/lib/site_perl/5.10.1/LWP/Protocol/http.pm line 49.
If I add:
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
then the error goes away, but then the secure connection seems less secure.
I have located the certificate directory on my server which is /ssl/certs/ which has one .crt file in it, so I tried adding:
$ENV{HTTPS_CA_PATH} = '/ssl/certs';
but I still receive the error. I also tried:
$ENV{HTTPS_CA_FILE} = '/ssl/certs/xxxxxxxxxx.cabundle';
after copying a CA bundle file to the same folder (there was no bundle file there previously).
This folder contained a .crt file which already existed there after installing the certificate via WHM/cPanel.)
I also tried specifying just the HTTPS_CA_FILE environment variable without the HTTPS_CA_PATH variable but no luck. Still the error persists.
Any ideas about what I might be missing either in the code or on the server to allow the script to verify the hostname successfully? This is a dedicated web server running Linux and cPanel.
Thanks!
If it works in the browser but not in LWP script it might be because intermediate certificates are missing. Browser often receive these intermediates certificates from earlier SSL connections and cache them, but scripts usually don't do that. You can check this if you check the host with SSLLabs and watch out for "Chain Issues".
If this is not the problem please provide the versions of the modules you are using and preferable also the URL of the host you are trying to reach. To get the versions:
#!/usr/bin/perl
for (qw(LWP::UserAgent LWP::Protocol::https IO::Socket::SSL)) {
eval "require $_; warn '$_: '.$_->VERSION";
}

Redirect with lighttpd

I'm trying to do this:
https://dummiesite.com --> http://dummiesite.com
and
http://dummiesite.com --> http://new.dummiesite.com
and
http://new.dummiesite.com --> https://new.dummiesite.com
So no matter what site the user goes, it will allways be redirected to https://new.dummiesite.com
The problem:
With I have a wildcard certificate for *.site.com. But it is only valid for all the subdomains of site.com, not for site.com itself. With lighttpd I cannot use more than one certificate per IP (I have only one), so when the user goes to https://dummiesite.com, it gets an error because the certificate is not valid.
That is why I'm trying to redirect https://dummiesite.com to http://dummiesite.com. How can I do it without a valid certificate and without showing the user errors?
Thanks for your help
You can't with the current certificate. HTTPS is HTTP inside an SSL tunnel, so before you can do the redirect at the HTTP level the SSL connection has to be established. But this fails because your certificate does not match the hostname. You need to get a certificate which includes both *.dummiesite.com and dummiesite.com (yes, this is possible).

Redirect All SSL Requests to One Domain

Recently, the company I work for changed their name, and therefore is changing its domain name. Previously, we redirected all requests on port 80 of our web server to https : //www .olddomain.com, so that all pages were sent over SSL. Now that we have changed, our SSL certificate for www. olddomain.com has expired, and we want to redirect all requests for https : //www. olddomain.com to https : //www. newdomain.com (in case anyone bookmarked us as https : //.....).
I have tried every redirection method I know, mod_rewrite, DNS forwarding, etc, but I cannot get https : //www.olddomain.com to redirect to https : //www.newdomain.com, it says that the site is untrusted.
We are running Apache 2.2 on linux.
Any help would be appreciated.
Thanks!
Not to dive into unnecessary details - if certificate itself has expired, you won't be able to make trusted connection with it, browser will always warn. To make it transparent, you'd have to renew/buy valid certificate for old domain, or force any possible website user to first download, install and trust your own RootCA certificate (obviously impossible). Theoretically there are some browser-supported HTTPS protocol extensions to deal with original construction of https, but even if they were implemented it still won't "help" for outdated certificate. It is problem with certificate itself, not really with virtual server hostname / certificate common name recognition and matching for which such protocol extensions are conceptually planned/designed.
You should have been performing domain migration during time when old certificate was still valid. Have a look here CNAME SSL certificates as well.

ssl error invalid or self-signed certificate magento image upload

ssl error invalid or self-signed certificate magento image upload
Any have solution for this error.Please rectify my problem
In my case it was because of .htaccess password protected website. Removing temporarily the password protection fixed the problem.
In the Base URL fields you should enter the unsecure (regular) web site URL and the web site URL for the SSL connections. You can leave the other values unchanged, as they will be set automatically by the script after you enter the Base URL.
In my case this only happened on staging magento servers. They had an HTACCESS file that was whitelisted for the IP and both had the HTTP site listed in the "Secure" and "Unsecure" section of the magento web configuration. Using Firefox, it would fail every single time, trying to upload a product image. The only solution that worked reliably each time was to install and use Chrome.
For some reason, that seemed to solve our issue throughout all of our servers. This error never showed up on our production server that had a real SSL installed.

Redirecting https://server.com to https://www.server.com in apache

I am trying to write a redirect in apache for URL of pattern:
https://server.com to https://www.server.com
without much success
Reason for rediect: My SSL certificate is on www.server.com, so I want the users to go on the correct site (and see secure icon).
Problem: The problem is that when I try to open https://server.com the browser gives me incorrect certificate error and none of my RewriteRule gets executed till I ignore the incorrect certificate problem.
How do I redirect in this case?
You can't do this with one certificate. The reason is that the web server needs to do the ssl handshake before it does the redirect, so you'll always have the problem with invalid certificate.
You really have only one option to do this - cover both, www and no www with a certificate and redirect. This can be done several ways, either get a certificate with multiple domain names called a SAN certificate, or get two certificates, one for www and one without. However, in the second case, you would need two web servers with different ip's to accomplish your task.
An alternate approach, one that use myself, is not to worry about it. Instruct users to go to regular http website and do the redirection yourself when SSL Cconnection is needed. This is what amazon.com does actually. They want you to browse http and they redirect you to SSL only when you buy something. Their certificate is also only valid for www, just go to https://amazon.com and you'll see their certificate is invalid without www