[Spce-user] Can't connect to 127.0.0.1:1442 (certificate verify failed)
Matthias Hohl
matthias.hohl at telematica.at
Mon Jun 6 06:25:29 EDT 2016
Hello Alex,
yes but i USE a trusted certificate, but still get this error.
My certificate is from Comodo and is a wildcard certificate for
*.telematica.at
Also the Certificate is SHA256 with 2048 bits and valid.
This certificate is still in use for SPCE apache, http admin, hattp csc and
http system, autoprov server, but for REST API it DOESN'T work.
ossbss:
apache:
port: '2443'
proxyluport: '1080'
restapi:
sslcertfile: /etc/ngcp-config/ssl/telematica.crt
sslcertkeyfile: /etc/ngcp-config/ssl/telematica.key
But I still got the same error, after activating the sslverify option:
root at spce:~# /usr/sbin/ngcp-fraud-daily-lock
500 Can't connect to 127.0.0.1:1442 (certificate verify failed) Can't
connect to 127.0.0.1:1442 (certificate verify failed) SSL connect attempt
failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 49.
So don't know if I missed anything else or if I need another certificate for
the rest api.
It doesn't work with this trusted wildcard certificate. That’s what I am
talking about.
Do you have any idea about that?
Thanks.
-----Ursprüngliche Nachricht-----
Von: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] Im Auftrag von
Alex Lutay
Gesendet: Montag, 6. Juni 2016 11:44
An: spce-user at lists.sipwise.com
Betreff: Re: [Spce-user] Can't connect to 127.0.0.1:1442 (certificate verify
failed)
Hi all,
On 06/04/2016 04:25 PM, Serge Yuriev wrote:
> Subject:Cron <root at host> if /usr/sbin/ngcp-check_active -q; then
> /usr/sbin/ngcp-fraud-daily-lock; fi
It means you have selfsigned certificate.
As some components were switch to internal REST API the trusted cert is
really mandatory now. Leaving in a world on corporate PRO/Carrier solutions
we missed the fact of spce@ insecure users.
It is HIGHLY recommended to use option
> security > ngcp-panel > scripts > restapi > sslverify
in TEST env ONLY, for any kind of production setup the trusted certificate
is MUST have. They are free nowadays and requires
15 minutes to achieve/install one.
I highly recommend you to use trusted certificate from
https://letsencrypt.org or https://www.startssl.com or other companies. It
is 2016 year nowadays, and all Debian Jessie libraries forces us to use
trusted SSL connections.
Please follow the advice.
P.S. I have added SSL trusted cert requirements on mr4.3.1 release notes I
will improve ngcp-upgrade to check certificates and warn spce@ users about
selfsigned certs before the upgrade. Tnx for understanding!
----
>> 502 Bad Gateway <html>
It means ngcp-panel did not start.
please check ngcp-panel log for more information.
--
Alex Lutay
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
https://lists.sipwise.com/listinfo/spce-user
More information about the Spce-user
mailing list