Closed bkcsfi closed 7 years ago
@bkcsfi we need to replicate this issue by trying to verify the certificate using openssl commands. Can you run the below command and paste the results here:

```sh
openssl verify -verbose -CAfile <(cat Intermediate.pem RootCert.pem) UserCert.pem
```
Hi, thanks for this suggestion.

It's strange, but the verify command works even if I do not provide intermediate certs:

```sh
$ openssl verify -verbose schleich_public.cer.pem
schleich_public.cer.pem: OK
```

And concatenating the intermediate and root cert:

```sh
$ cat gd_intermediate.pem gd-class2-root.crt.pem > gd-cert-chain-cat.pem
$ openssl verify -verbose -CAfile gd-cert-chain-cat.pem schleich_public.cer.pem
schleich_public.cer.pem: OK
```

In PyAS2, I've only tried either using the cert by itself, or the cert plus the intermediate as the CAFile.
I did not try intermediate + root as the CAFile. Do you think that will make a difference?
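The check the maintainer suggests above, as an added example that is not part of the original thread or of PyAS2: it builds a throwaway root/intermediate/leaf chain with the openssl CLI (all names and certificates are constructed test data) and shows which CA file contents make `openssl verify` accept the leaf, including the intermediate-only case that matches the reporter's failing setup.

```sh
#!/bin/sh
# Added example, not code from the PyAS2 issue or project: build a throwaway
# root -> intermediate -> leaf chain (constructed test data) and check which
# CA file contents let `openssl verify` accept the leaf. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Self-signed root CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
  -out root.pem 2>/dev/null
# Intermediate CA issued by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.pem 2>/dev/null
# End-entity certificate issued by the intermediate (stands in for the partner's signing cert).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=partner.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -out leaf.pem 2>/dev/null
# The CA store shape the thread ends up with: intermediate followed by root.
cat inter.pem root.pem > chain.pem

# verify_leaf CAFILE [extra verify options]: exit 0 if leaf.pem chains to CAFILE.
verify_leaf() {
  cafile=$1; shift
  openssl verify -CAfile "$cafile" "$@" leaf.pem >/dev/null 2>&1
}

# show LABEL CAFILE [extra verify options]: print OK/FAIL for one configuration.
show() {
  label=$1; shift
  if verify_leaf "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

show "root only (intermediate missing)"                   root.pem
show "intermediate only (no path to a self-signed root)"  inter.pem
show "intermediate + root in one CA file"                 chain.pem
show "root trusted, intermediate passed as -untrusted"    root.pem -untrusted inter.pem
```

The intermediate-only case fails without `-partial_chain` because OpenSSL still needs a path up to a self-signed certificate, which is why "cert plus intermediate" as the CA store does not work while "intermediate plus root" does.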
Yeah, please go ahead and try that and let's see what happens.
Hi, I have concatenated the intermediate + root certificate .pem files together and loaded that into PyAS2 as the Local CA Store, plus their regular web certificate as the Certificate.
I have 'Verify Certificate' checked.
Unfortunately we're still getting the same error:

```
An error occurred during the AS2 message processing: Signature Verification Failed, exception message is certificate verify error
```

Should I try disabling the 'verify certificate' option or something else?
Since PyAS2 throws away the original message, there doesn't seem to be any way for me to try manually decrypting from the command line... I'm not sure what to do now.
Thanks
Yes, disabling the verify certificate will resolve this issue but this is not recommended.
If you set the LOGLEVEL to DEBUG then the message will show up in the logs. If possible can you email the log files and certificates to abhishek8816@gmail.com so that I can take a look at it?
I believe this issue can be closed. Disabling the option to 'verify certificate' does allow encrypted messages to be decoded correctly for this trading partner.
Sorry, this isn't really a bug but I do not know where else to ask the question.
I have a trading partner using their Go Daddy web certificate to sign messages in their MS BizTalk server.
When I load just their certificate in pem format, decode fails with this error:
I see that their certificate uses a chain file. When I try loading the 'gd_intermediate' certificate into "Local CA Store", decoding still fails.
This is a huge company, an M$ only shop, I doubt I can get them to change their certificate. Do you have any idea how I can get PyAS2 to work with their existing Go Daddy certificate?
Thanks for any suggestions...