Git Product home page Git Product logo

Comments (4)

pphaneuf avatar pphaneuf commented on May 3, 2024

To reproduce:
src/client/upload_server_cert.sh www.idnet.net

The output from the 1st command in the script is not valid PEM:
openssl s_client -connect $SERVER:443 -showcerts < /dev/null | tee $TMP

Attached example output. Even after cleaning the non-PEM lines, CertChain still fails to load this chain.

from certificate-transparency.

pphaneuf avatar pphaneuf commented on May 3, 2024

Full output:
[.../certificate-transparency/src/client,0]$ env GLOG_logtostderr=1 ./upload_server_cert.sh www.google.com
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE

CONNECTED(00000003)

Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIDgDCCAumgAwIBAgIKfoc8PQABAACPFjANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzA2MTkxMjQ0MDRaFw0xMzEwMzEyMzU5NTla
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw53d3cu
Z29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmG6NTsviPcKy
EY52/eNlfNaPk5xOp82AAU44ciesM+3dbVC2IgLweur3vFucUrdkXiXGgv4VQ8Hw
gFhKm3XZBkgSb6Rv8nf4bo/7pYzH8kiS81nmLZ5aQJv9hVBMt7sV6SYqDODn+nNR
6xVUssCNyTrQkeKZZPL8Yjg0L6/fXgECAwEAAaOCAVEwggFNMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU+VIcTn3LWcYokJCZEkoa21Bx
Q3QwHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNrEiQwWwYDVR0fBFQwUjBQ
oE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhv
cml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmwwZgYIKwYBBQUHAQEEWjBY
MFYGCCsGAQUFBzAChkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVy
bmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNydDAMBgNVHRMB
Af8EAjAAMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBBQUA
A4GBAHQoAr0zsHAD0wW53D4YcE1LG4RuxdDmv33r44PlstwZ98hVQN3dALYNrLlh
V500nSw/rQ+OtMDdZcH4as4blw5zPl4xvs/VdWiUQAKm3r3rTtnYAz9UtMOOmByo
n4yutuiiPxdWxBIyJza9CRowpvGVgqVmNdrTo+Egj3d5BUYy
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw
6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF
ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+
ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
vZqhEFBfurZkX0eTANq98ZvVfpg=

-----END CERTIFICATE-----

Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com

issuer=/C=US/O=Google Inc/CN=Google Internet Authority

No client certificate CA names sent

SSL handshake has read 2108 bytes and written 348 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: 31053D39E3F4AA445B9DA89F88FFDD510B76D7F3C2F72434FEC5DB98EED3F518
Session-ID-ctx:
Master-Key: BE8C9AEFCAFD8E588BA5773F817358F360DFF87247939AD2AF8452A88F7317946A23CBEEDE80511DD31A9E870A650A63
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 9f d8 a0 f4 9b 2e 96 32-84 4d 30 83 52 ca 4d 88 .......2.M0.R.M.
0010 - 79 5a 94 39 7d 89 36 a3-4f c8 f1 5b 5e d9 e8 7c yZ.9}.6.O..[^..|
0020 - f0 09 3d 8e 83 74 6c a4-d6 f9 66 63 de 1c 07 94 ..=..tl...fc....
0030 - a5 5c 02 22 ca 34 c7 33-b6 c3 af 39 01 a4 c5 90 ..".4.3...9....
0040 - 7a 2e 22 6c eb c2 80 1e-be 7e 31 d0 42 5c 93 07 z."l.....1.B..
0050 - 63 ee 29 8d 97 30 08 b8-f5 19 42 52 4b 9b 32 7e c.)..0....BRK.2
0060 - 4f 40 d3 fc 92 31 8f 3a-de 9d 0a 9a e5 8f 8f 5b [email protected].:.......[
0070 - 9b 57 e1 cc c8 aa 66 17-da d4 6d 84 ee 0d 30 f0 .W....f...m...0.
0080 - 25 2e 15 ef 57 11 b8 2e-95 f3 03 77 4d de 34 ab %...W......wM.4.
0090 - fd 38 3d de .8=.

Start Time: 1372410013
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

ERROR: unknown command line flag 'logtostderr'
Try fixing the chain
Traceback (most recent call last):
File "./fix-chain.py", line 9, in
from pyasn1 import debug
ImportError: No module named pyasn1
ERROR: unknown command line flag 'logtostderr'

from certificate-transparency.

pphaneuf avatar pphaneuf commented on May 3, 2024

The problem is not that openssl does not produce valid PEM. It does.

The issue is that ct doesn't like the logtostderr option, which is odd - I believe glog should provide that.

Also, you appear not to have installed pyasn1.

from certificate-transparency.

pphaneuf avatar pphaneuf commented on May 3, 2024

As Ben pointed out, it's the logtostderr option which was the problem. Without it, the ct client reads the file without any problems.

from certificate-transparency.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.