[Spce-user] Can't connect to 127.0.0.1:1442 (certificate verify failed)

Alexander Griesser AGriesser at anexia-it.com
Mon Jun 6 06:28:05 EDT 2016


@Matthias: The intermediate certificate is missing here.
@Alex: As you said, we have 2016, please stop using SSLv3 :)

Best,

Alexander Griesser
Head of Systems Operations

ANEXIA Internetdienstleistungs GmbH

E-Mail: AGriesser at anexia-it.com 
Web: http://www.anexia-it.com 

Headquarters address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601


-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Matthias Hohl
Sent: Monday, 6 June 2016 12:25
To: 'Alex Lutay' <alutay at sipwise.com>; spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Can't connect to 127.0.0.1:1442 (certificate verify failed)

Hello Alex,

Yes, but I USE a trusted certificate, but still get this error.
My certificate is from Comodo and is a wildcard certificate for *.telematica.at. Also, the certificate is SHA256 with 2048 bits and valid.

This certificate is still in use for SPCE apache, http admin, http csc and http system, autoprov server, but for REST API it DOESN'T work.

ossbss:
  apache:
    port: '2443'
    proxyluport: '1080'
    restapi:
      sslcertfile: /etc/ngcp-config/ssl/telematica.crt
      sslcertkeyfile: /etc/ngcp-config/ssl/telematica.key

But I still got the same error, after activating the sslverify option:

root at spce:~# /usr/sbin/ngcp-fraud-daily-lock
500 Can't connect to 127.0.0.1:1442 (certificate verify failed) Can't connect to 127.0.0.1:1442 (certificate verify failed) SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 49.

So don't know if I missed anything else or if I need another certificate for the rest api.
It doesn't work with this trusted wildcard certificate. That's what I am talking about.

Do you have any idea about that?

Thanks.


-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Alex Lutay
Sent: Monday, 6 June 2016 11:44
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Can't connect to 127.0.0.1:1442 (certificate verify failed)

Hi all,

On 06/04/2016 04:25 PM, Serge Yuriev wrote:
> Subject:Cron <root at host>  if /usr/sbin/ngcp-check_active -q; then 
> /usr/sbin/ngcp-fraud-daily-lock; fi

It means you have a self-signed certificate.
As some components were switched to the internal REST API, the trusted cert is really mandatory now. Living in a world of corporate PRO/Carrier solutions, we missed the fact of spce@ insecure users.

It is HIGHLY recommended to use option
> security > ngcp-panel > scripts > restapi > sslverify
in TEST env ONLY; for any kind of production setup the trusted certificate is a MUST have. They are free nowadays and require 15 minutes to achieve/install one.

I highly recommend you use a trusted certificate from https://letsencrypt.org or https://www.startssl.com or other companies. It is the year 2016 nowadays, and all Debian Jessie libraries force us to use trusted SSL connections.

Please follow the advice.


P.S. I have added SSL trusted cert requirements to the mr4.3.1 release notes. I will improve ngcp-upgrade to check certificates and warn spce@ users about self-signed certs before the upgrade. Tnx for understanding!

----

>> 502 Bad Gateway <html>

It means ngcp-panel did not start.
Please check ngcp-panel log for more information.

--
Alex Lutay
_______________________________________________
Spce-user mailing list
Spce-user at lists.sipwise.com
https://lists.sipwise.com/listinfo/spce-user
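
Added example, not part of the original thread and not Sipwise code: a shell check for the missing-intermediate cause named in the first reply, using the openssl CLI. It builds a constructed root -> intermediate -> wildcard leaf and shows that verification fails when the server certificate file holds only the leaf and succeeds once the intermediate is appended; the function names, file names and `*.example.test` are assumptions.

```shell
#!/bin/sh
# check_chain CERTFILE CAFILE
# Verifies the first certificate in CERTFILE against the trust anchors in CAFILE,
# using any further certificates in CERTFILE as the intermediates a server would send.
check_chain() {
  t=$(mktemp -d) || return 2
  awk -v d="$t" '/-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (d "/" (n == 1 ? "leaf" : "rest") ".pem") }' "$1"
  if [ -s "$t/rest.pem" ]; then
    openssl verify -CAfile "$2" -untrusted "$t/rest.pem" "$t/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$t/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?
  rm -rf "$t"
  return $rc
}

# make_demo_pki DIR (constructed test data): root CA -> intermediate CA -> wildcard leaf,
# written as leaf-only.crt and fullchain.crt (leaf followed by intermediate).
make_demo_pki() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = unused' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > demo.cnf
  new_csr() {
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  }
  sign() { n=$1; shift; openssl x509 -req -days 2 -in "$n.csr" -out "$n.crt" "$@" >/dev/null 2>&1; }
  new_csr root 'Demo Root CA' && new_csr int 'Demo Intermediate CA' &&
    new_csr leaf '*.example.test' &&
    sign root -signkey root.key -extfile demo.cnf -extensions v3_ca &&
    sign int -CA root.crt -CAkey root.key -CAcreateserial -extfile demo.cnf -extensions v3_ca &&
    sign leaf -CA int.crt -CAkey int.key -CAcreateserial &&
    cp leaf.crt leaf-only.crt && cat leaf.crt int.crt > fullchain.crt
)

# Demo on the constructed files only; no real server or certificate is touched.
demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
for f in leaf-only.crt fullchain.crt; do
  if check_chain "$demo/$f" "$demo/root.crt"; then
    echo "$f: chain verifies"
  else
    echo "$f: certificate verify failed"
  fi
done
rm -rf "$demo"
```

To check a real installation, pass the file configured as sslcertfile and the CA bundle the client trusts (on Debian, /etc/ssl/certs/ca-certificates.crt).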