Forum How do I...?

... teach Prince that my CA is valid

tharkun
Hi

We're getting a couple of errors on our live site (over https) which we don't get in our staging environment (http).

Wed Sep 11 10:23:56 2013: ---- begin
Wed Sep 11 10:23:56 2013: Loading document...
Wed Sep 11 10:23:56 2013: Applying style sheets...
Wed Sep 11 10:23:56 2013: https://some-site/css/pdf-survey.css: warning: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 11 10:23:56 2013: Preparing document...
Wed Sep 11 10:23:56 2013: https://some-site/img/klemon-large-transparent.png: warning: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 11 10:23:56 2013: https://some-site/img/akjch-large-transparent.png: warning: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 11 10:23:56 2013: https://tool.klemon.ch/img/gfch-large-transparent.png: warning: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 11 10:23:56 2013: Converting document...
Wed Sep 11 10:23:56 2013: internal error: no available fonts

Surfing directly to the URL doesn't lead to any problem. Using curl in the console shows the same error. I don't understand why; our cert provider seems to be listed in the curl CA bundle. What practical things can we try to solve this problem?

Thanks
Markus
mikeday
Does curl give more informative errors with --verbose?
tharkun
Not much more info... I also tried adding the CA we are using to ca-bundle.crt, but to no avail.

* About to connect() to tool.klemon.ch port 443
*   Trying 69.195.223.66... connected
* Connected to tool.klemon.ch (69.195.223.66) port 443
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

mikeday
Perhaps it is related to this Apache server configuration issue:
https://forum.startcom.org/viewtopic.php?f=15&t=2604
mikeday
Although arguably this is an OpenSSL bug, which is why it affects curl:
https://bugzilla.redhat.com/show_bug.cgi?id=956863
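A frequent way for this error to occur even though the CA really is in ca-bundle.crt is that the server sends only its leaf certificate and omits the intermediate: strict verifiers such as curl (and Prince, which reports the same OpenSSL error) cannot build the chain, while browsers that fetch missing intermediates on their own still succeed. The Python below is an added example, not code from this thread or from Prince; it checks the chain listing printed by `openssl s_client -showcerts` for such a gap. The two transcripts and the trusted-root name are constructed, and the parser assumes the OpenSSL 1.0-style `s:/CN=...` / `i:/CN=...` lines.

```python
import re

# Constructed sample of an `openssl s_client -showcerts` chain listing
# (not a capture of the server in this thread): only the leaf is sent.
SAMPLE_INCOMPLETE = """\
Certificate chain
 0 s:/CN=tool.example.test
   i:/CN=Example Class 1 Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
"""

# Same server, but this time the intermediate is sent as well.
SAMPLE_COMPLETE = SAMPLE_INCOMPLETE + """\
 1 s:/CN=Example Class 1 Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
"""

# Subjects present in the local trust store (constructed; a real check would
# read them out of ca-bundle.crt). Roots are trusted, intermediates usually not.
TRUSTED_ROOTS = {"/CN=Example Root CA"}

# One chain entry: " N s:<subject>" followed by "   i:<issuer>" on the next line.
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_RE.finditer(transcript)]


def find_chain_gap(transcript, trusted_roots=TRUSTED_ROOTS):
    """Walk leaf -> issuer. Return None when every issuer is either sent by the
    server or a trusted root; otherwise return the first issuer that is missing,
    which is exactly what makes a strict verifier fail with
    'certificate verify failed' while a browser may still load the page."""
    chain = parse_chain(transcript)
    if not chain:
        return "no certificates in transcript"
    sent_subjects = {subject for subject, _ in chain}
    for subject, issuer in chain:
        if subject == issuer:  # self-signed root: chain ends here
            break
        if issuer in trusted_roots or issuer in sent_subjects:
            continue
        return issuer
    return None
```

Feed it the real output of `openssl s_client -connect host:443 -showcerts` to see whether the missing link is an intermediate the server should be configured to send, or a root that belongs in the CA bundle.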
mikeday
By the way, you can run Prince with the --insecure option as a quick workaround for this, which is safe if you are running Prince on your own machine and connecting to a server on your own network. :)
tharkun
Hi Mike, thanks for your quick help... now I've got loads of things to try and check. Since we're using certs from StartCom, it might be that the first link you posted will help.

About --insecure: we are doing that atm. We're running Prince on a server, and web applications are using Prince via a PHP wrapper. I'm thinking that since HTTP calls are made, those calls are sniffable and can be used as a basis for MITM. Am I wrong?
mikeday
It depends, are both machines communicating via your own private network, or on the public internet?