Digital certificates
Andrey Ratushny, 2019-03-27 08:57:31

Broken certificates in ESIA?

This morning, on all sites that are integrated with ESIA (OAuth), requests to get a token began to fail with the error "cURL error 60: SSL certificate problem: unable to get local issuer certificate".
Checking the certificates of the esia.gosuslugi.ru node showed that the certificate could not be verified:

$ openssl s_client -connect esia.gosuslugi.ru:443 -CAfile cacert.pem 
CONNECTED(00000003)
depth=0 C = RU, postalCode = 125375, ST = Moscow, L = Moscow, street = 7 ul. Tverskaya, O = "MINKOMSVYAZ ROSSII, FKU", OU = IT, OU = PremiumSSL Wildcard, CN = *.gosuslugi.ru
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = RU, postalCode = 125375, ST = Moscow, L = Moscow, street = 7 ul. Tverskaya, O = "MINKOMSVYAZ ROSSII, FKU", OU = IT, OU = PremiumSSL Wildcard, CN = *.gosuslugi.ru
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = RU, postalCode = 125375, ST = Moscow, L = Moscow, street = 7 ul. Tverskaya, O = "MINKOMSVYAZ ROSSII, FKU", OU = IT, OU = PremiumSSL Wildcard, CN = *.gosuslugi.ru
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=RU/postalCode=125375/ST=Moscow/L=Moscow/street=7 ul. Tverskaya/O=MINKOMSVYAZ ROSSII, FKU/OU=IT/OU=PremiumSSL Wildcard/CN=*.gosuslugi.ru
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
subject=/C=RU/postalCode=125375/ST=Moscow/L=Moscow/street=7 ul. Tverskaya/O=MINKOMSVYAZ ROSSII, FKU/OU=IT/OU=PremiumSSL Wildcard/CN=*.gosuslugi.ru
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1672 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: DB90250B5E95AFAC7AEFF02B7EA71014A0EA42BBB266BC7764AFF2E2B0BDD218
    Session-ID-ctx: 
    Master-Key: 9197568D1B0D7136771D1788C6737F01EC9C3A194F2523C995E9C5BC0E6978C4845B85D933ADE7CFCA29CD4C091C3000
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1553665575
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

As far as I understand, there are two solutions:
  1. Disable validation of SSL certificates in curl - very bad.
  2. Install the "necessary" certificate on each hosting for each site - not suitable, because some of the sites are on shared hosting.

Who has already encountered this problem, how to solve it?
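An added diagnostic for the output pasted above (example code, not from the question or its answer): it parses what `openssl s_client` prints, lists the certificates the server actually sent, flags gaps in that chain, and maps the verify codes 20, 21 and 27 to the issuer OpenSSL could not find. In the question's output the "Certificate chain" section lists only certificate 0, so the server never sent the issuing CA; the script says so and names the DN that has to be supplied. The first sample is a shortened copy of the question's output; the second is constructed, with invented DNs, to show what a server that sends its intermediate looks like.

```python
"""Diagnose a TLS chain failure from `openssl s_client` output (added example).

Parses what `openssl s_client -connect host:443 -CAfile bundle.pem` prints, lists
the certificates the server sent, finds gaps in that chain, and maps the verify
codes to the issuer OpenSSL could not find. SAMPLE_INCOMPLETE is a shortened copy
of the question's output; SAMPLE_COMPLETE is constructed with invented DNs.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VERIFY_CODES = {  # X509 verify codes seen in the question (see `man verify`)
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    27: "certificate not trusted",
}
DEPTH_RE = re.compile(r"^depth=(\d+) ")
ERROR_RE = re.compile(r"^verify error:num=(\d+):")
SUBJECT_RE = re.compile(r"^\s*(\d+) s:(\S.*?)\s*$")
ISSUER_RE = re.compile(r"^\s*i:(\S.*?)\s*$")
RETURN_RE = re.compile(r"Verify return code: (\d+)")


@dataclass
class ChainReport:
    subjects: List[str] = field(default_factory=list)   # certs the server sent, leaf first
    issuers: List[str] = field(default_factory=list)    # issuer DN of each of them
    errors: List[Tuple[int, int]] = field(default_factory=list)  # (depth, verify code)
    final_code: Optional[int] = None

    def chain_gaps(self) -> List[int]:
        """Positions i where cert i's issuer is not the next cert the server sent."""
        return [i for i in range(len(self.subjects) - 1)
                if self.issuers[i] != self.subjects[i + 1]]

    def unresolved_issuers(self) -> List[str]:
        """Issuer DNs OpenSSL found neither in the sent chain nor in the local bundle."""
        found: List[str] = []
        for depth, code in self.errors:
            if code in (20, 21) and depth < len(self.issuers):
                if self.issuers[depth] not in found:
                    found.append(self.issuers[depth])
        return found

    def verdict(self) -> str:
        if self.final_code == 0:
            return "chain verified"
        missing = self.unresolved_issuers()
        if self.final_code == 21 and len(self.subjects) == 1 and missing:
            return ("incomplete chain: only the leaf was sent and its issuer %r is not in "
                    "the local bundle; install the intermediate on the server, or add it to "
                    "the bundle curl is given (CURLOPT_CAINFO / --cacert)" % missing[0])
        if self.final_code == 20 and missing:
            return "top of chain issued by %r, which is not in the local trust store" % missing[0]
        return "verify failed: code %s (%s)" % (
            self.final_code, VERIFY_CODES.get(self.final_code, "see openssl verify(1)"))


def parse_s_client(output: str) -> ChainReport:
    """Walk the output line by line; verify errors belong to the last `depth=` line seen."""
    report, depth = ChainReport(), 0
    for line in output.splitlines():
        if (m := DEPTH_RE.match(line)):
            depth = int(m.group(1))
        elif (m := ERROR_RE.match(line)):
            report.errors.append((depth, int(m.group(1))))
        elif (m := SUBJECT_RE.match(line)):
            report.subjects.append(m.group(2))
        elif (m := ISSUER_RE.match(line)) and len(report.issuers) < len(report.subjects):
            report.issuers.append(m.group(1))
        elif (m := RETURN_RE.search(line)):
            report.final_code = int(m.group(1))
    return report


# Shortened copy of the question's output (DNs as printed there).
SAMPLE_INCOMPLETE = """\
depth=0 C = RU, ST = Moscow, O = "MINKOMSVYAZ ROSSII, FKU", CN = *.gosuslugi.ru
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=RU/postalCode=125375/ST=Moscow/L=Moscow/street=7 ul. Tverskaya/O=MINKOMSVYAZ ROSSII, FKU/OU=IT/OU=PremiumSSL Wildcard/CN=*.gosuslugi.ru
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""
# Constructed output (invented DNs) of a server that does send its intermediate.
SAMPLE_COMPLETE = """\
depth=2 C = GB, O = Example CA Ltd, CN = Example Root CA
verify return:1
depth=1 C = GB, O = Example CA Ltd, CN = Example Intermediate CA
verify return:1
depth=0 C = RU, O = Example Org, CN = *.example.test
verify return:1
---
Certificate chain
 0 s:/C=RU/O=Example Org/CN=*.example.test
   i:/C=GB/O=Example CA Ltd/CN=Example Intermediate CA
 1 s:/C=GB/O=Example CA Ltd/CN=Example Intermediate CA
   i:/C=GB/O=Example CA Ltd/CN=Example Root CA
---
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, text in (("question", SAMPLE_INCOMPLETE), ("constructed", SAMPLE_COMPLETE)):
        print(name, "->", parse_s_client(text).verdict())
```

For the question's output the verdict is the "incomplete chain" case: the fix belongs on the server side (the operator has to send the COMODO intermediate along with the wildcard certificate). Until that happens, the client-side workaround that keeps verification intact is to append that intermediate to the CA bundle passed via CURLOPT_CAINFO (or `--cacert` on the command line); setting CURLOPT_SSL_VERIFYPEER to false is the option 1 the question already rules out.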

1 answer(s)
CityCat4, 2019-03-27
@agr_ugraweb

The issuer's root certificate was not found among the trusted ones. I really can't believe that Comodo could have problems and its team would not disclose them. Maybe it has already been fixed?
