NCSC-NL / taranis3


Solve ssl error : 500 SSL upgrade failed: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed #45

Closed ihebski closed 3 years ago

ihebski commented 3 years ago

The Taranis collector failed to pull feeds, reporting the following error (Taranis 3.7.4):

Run collector

```shell
taranis collector scan-sources --debug Cisco
```

(screenshot: taranis ssl error)

ERROR

```
500 SSL upgrade failed: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Could not retrieve url http://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml 500 SSL upgrade failed: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
```

Solve the Issue

Exporting PERL_LWP_SSL_VERIFY_HOSTNAME seems to solve this issue with the Taranis collector (on the CLI); however, the behaviour is not fixed for the web interface's Test source button.

```shell
export PERL_LWP_SSL_VERIFY_HOSTNAME=0
```

Adding the environment variable permanently to .bashrc and .bash_profile solves the issue.

Please let me know if there is a better way to solve it. Thanks!

markov2 commented 3 years ago

The error is a correct error: it complains that the validity of the remote host certificate cannot be verified. When I encounter it, it is always an issue of an out-of-date root certificate list...

I have three ways to solve this error:

  1. totally disable certificate validation for all URLs, as your suggestion does. I use this sometimes when there is only one remote server, but would not suggest it for Taranis;
  2. install the root certificate which signed that domain on your system by hand, because apparently it is missing. See the browser info for which certificates are involved. The browser knows it, but the OpenSSL library does not;
  3. upgrade the root-certificate package for OpenSSL on your system.

I hope you are able to solve the issue by performing the third step.
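The diagnostic step that sits between markov2's options, as an added example (this is not code from the Taranis project or from either commenter): run `openssl s_client` against the feed host, read its `Verify return code`, and only then decide whether the fix is a missing root (options 2 and 3) or something else. It matters because the `PERL_LWP_SSL_VERIFY_HOSTNAME=0` workaround does not merely skip the hostname check: per the LWP::UserAgent `verify_hostname` documentation, a false value means no certificate checks are made at all, so every feed URL becomes open to an active man-in-the-middle. The host, port and CA-bundle path are supplied by the caller and are assumptions; the sample s_client output embedded below is constructed, not captured from tools.cisco.com.

```shell
#!/bin/sh
# Added example, not code from the Taranis project or from this thread.
# Diagnose a "certificate verify failed" error with openssl s_client instead
# of disabling verification. Host, port and CA bundle path are assumptions
# supplied by the caller; the sample output below is constructed.

# Map the "Verify return code: N (...)" line of `openssl s_client` output
# (read from stdin) to a short diagnosis printed on stdout.
classify_verify_output() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        "")      echo "no-handshake" ;;       # no verify line: TCP/TLS handshake never completed
        0)       echo "ok" ;;
        2|20|21) echo "missing-ca" ;;         # issuer not in the bundle, or server sent no intermediate
        10)      echo "expired" ;;            # server certificate has expired
        18|19)   echo "self-signed-chain" ;;  # self-signed leaf, or untrusted self-signed root in chain
        62)      echo "hostname-mismatch" ;;  # only reported when -verify_hostname is added (OpenSSL >= 1.1.0)
        *)       echo "other:$code" ;;
    esac
}

# Connect to HOST:PORT (SNI set to HOST) and classify the result. With a third
# argument, verify against that CA bundle instead of OpenSSL's default store,
# which lets you compare the system bundle with the one Perl's LWP uses.
check_host() {
    host=$1
    port=${2:-443}
    cafile=$3
    if [ -n "$cafile" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" </dev/null 2>/dev/null | classify_verify_output
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>/dev/null | classify_verify_output
    fi
}

# Constructed sample of the relevant s_client lines for an untrusted issuer
# (hostname is a placeholder, not a real feed host).
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = feed.example.invalid
verify error:num=20:unable to get local issuer certificate
---
    Verify return code: 20 (unable to get local issuer certificate)'

if [ -n "${1:-}" ]; then
    echo "default store: $(check_host "$1" "${2:-443}")"
    if [ -n "${3:-}" ]; then
        echo "bundle $3: $(check_host "$1" "${2:-443}" "$3")"
    fi
else
    # No host given: classify the constructed sample instead of connecting.
    printf '%s\n' "$SAMPLE_OUTPUT" | classify_verify_output
fi
```

Run it as `sh diagnose.sh tools.cisco.com 443 /path/to/bundle.pem`. If the default store reports `ok` but the bundle Perl uses reports `missing-ca`, the root is present on the system but not in the file LWP is reading; when Mozilla::CA is installed, `perl -MMozilla::CA -e 'print Mozilla::CA::SSL_ca_file, "\n"'` prints that file's path. If both report `missing-ca`, update the OS certificate package (markov2's third option) and re-run; `expired` or `self-signed-chain` points at the feed operator's certificate rather than at the local trust store, and no bundle update will fix it.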

ihebski commented 3 years ago

Thanks a lot for your reply @markov2 .

I can confirm now that the issue has been resolved. Reference: https://gist.github.com/kekru/deabd57f0605ed95d5c8246d18483687

Best Regards.