Comments (4)
To reproduce:
src/client/upload_server_cert.sh www.idnet.net
The output from the 1st command in the script is not valid PEM:
openssl s_client -connect $SERVER:443 -showcerts < /dev/null | tee $TMP
Attached example output. Even after cleaning the non-PEM lines, CertChain still fails to load this chain.
from certificate-transparency.
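Added example (not from the issue or the project's scripts): a way to check what the `openssl s_client -showcerts` step actually captured, by keeping only the PEM blocks and confirming that each issuer in the "Certificate chain" listing matches the next subject. The function names are hypothetical and the sample output is constructed, with placeholder PEM bodies.

```shell
# Added example; function names are hypothetical, sample data is constructed.
# Usage: openssl s_client -connect "$SERVER:443" -showcerts </dev/null | extract_pem

# Print only the PEM certificate blocks found on stdin.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
         inside                          { print }
         /^-----END CERTIFICATE-----$/   { inside = 0 }'
}

# Print "depth<TAB>subject<TAB>issuer" for each "N s:" / "i:" pair.
chain_names() {
    awk '/^ *[0-9]+ s:/     { d = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
         /^ *i:/ && d != "" { sub(/^ *i:/, ""); print d "\t" subj "\t" $0; d = "" }'
}

# Succeed only if every issuer equals the subject of the next entry.
chain_is_ordered() {
    chain_names | awk -F '\t' '
        NR > 1 && $2 != prev { bad = 1 }
        { prev = $3 }
        END { exit (bad || NR == 0) }'
}

# Constructed s_client-style output; PEM bodies are placeholders, not real certs.
sample_output() {
    cat <<'EOF'
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtMA==
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtMQ==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
EOF
}
```

`chain_is_ordered` checks names only; it does not verify signatures or trust.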
Full output:
[.../certificate-transparency/src/client,0]$ env GLOG_logtostderr=1 ./upload_server_cert.sh www.google.com
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
CONNECTED(00000003)
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
No client certificate CA names sent
SSL handshake has read 2108 bytes and written 348 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: 31053D39E3F4AA445B9DA89F88FFDD510B76D7F3C2F72434FEC5DB98EED3F518
Session-ID-ctx:
Master-Key: BE8C9AEFCAFD8E588BA5773F817358F360DFF87247939AD2AF8452A88F7317946A23CBEEDE80511DD31A9E870A650A63
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
Start Time: 1372410013
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
ERROR: unknown command line flag 'logtostderr'
Try fixing the chain
Traceback (most recent call last):
File "./fix-chain.py", line 9, in <module>
from pyasn1 import debug
ImportError: No module named pyasn1
ERROR: unknown command line flag 'logtostderr'
from certificate-transparency.
The problem is not that openssl does not produce valid PEM. It does.
The issue is that ct doesn't like the logtostderr option, which is odd - I believe glog should provide that.
Also, you appear not to have installed pyasn1.
from certificate-transparency.
As Ben pointed out, it's the logtostderr option which was the problem. Without it, the ct client reads the file without any problems.
from certificate-transparency.