bacen / pix-api

API Pix: the API of the Brazilian Instant Payments Arrangement, Pix, created by the Central Bank of Brazil.
https://bacen.github.io/pix-api

Access denied to the QR code payload URL in the development environment in QrTester. #582

Open kadubezas opened 10 months ago

kadubezas commented 10 months ago

When trying to test a QR code generated in the homologation environment, an access denied error was encountered. See the image below. (image attached)

rubenskuhl commented 10 months ago

What the QR-Tester is saying is that Banpará's server refused the access, with an HTTP access-denied status code... it is not the Central Bank's server that is denying it.

leolima77 commented 10 months ago

The location endpoint needs to be public.

dev-gto commented 10 months ago

These SSL certificate errors need to be resolved:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---
arantesxyz commented 9 months ago

These SSL certificate errors need to be resolved:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---

I get the same error in the qrtester (Access denied); when testing with openssl, there doesn't seem to be any error. It works normally when other institutions try to pay.

ga@sandbox % openssl s_client -connect {{URL}}:443

CONNECTED(00000006)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
verify return:1
depth=0 serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
verify return:1
---
Certificate chain
 0 s:serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
   i:C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  3 00:00:00 2023 GMT; NotAfter: Aug  2 23:59:59 2024 GMT
 1 s:C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar  5 00:00:00 2020 GMT; NotAfter: Mar  5 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate

{{ decoded in the next block }}

subject=serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
issuer=C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5315 bytes and written 394 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C4F68D51FC429700940E48C82868EA5DB995A5A499EE8A7A346470605941714B
    Session-ID-ctx: 
    Resumption PSK: 31007118010DE0D39573E0C7E8F75F7B1A1C92C9959415E879579768EADF3953C24EE1FF1F97DCF59A40004FFCD84945
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 1c 6b 28 7c 76 19 54 5a-ec c5 0a 57 80 1b f6 37   .k(|v.TZ...W...7
    0010 - 7a 16 74 1f 9f b6 61 76-06 5d 29 6b 47 a5 d6 d5   z.t...av.])kG...
    0020 - af a2 c5 cf 71 d3 25 a6-76 8d 4d d0 97 3e bc 1d   ....q.%.v.M..>..
    0030 - 46 ea 49 d2 99 25 0e 13-04 92 6c d9 c8 f5 4a 70   F.I..%....l...Jp
    0040 - a9 5c ea 3f 47 0b 7d 47-95 6e 2b b6 4f 39 17 ae   .\.?G.}G.n+.O9..
    0050 - 8f c4 a5 6d a4 cd 5d 64-92 08 1f 5c ee 95 d5 f5   ...m..]d...\....
    0060 - 91 35 1d c7 f5 55 69 ad-d5 16 52 07 66 9d d8 46   .5...Ui...R.f..F
    0070 - c5 b8 44 e5 08 88 cd 8b-32 86 ed b3 7e 80 69 94   ..D.....2...~.i.
    0080 - 2b                                                +

    Start Time: 1706739065
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Certificate decoded from the result above:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:1b:a1:2e:b7:47:45:60:53:ee:f9:41:3c:2c:78:37
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BR, O = CERTDATA SERVICOS DE INFORMACAO LTDA, CN = CERTDATA SSL EV CA  [Run by the Issuer]
        Validity
            Not Before: Aug  3 00:00:00 2023 GMT
            Not After : Aug  2 23:59:59 2024 GMT
        Subject: serialNumber = 31.818.873/0001-30, jurisdictionC = BR, businessCategory = Private Organization, C = BR, ST = Minas Gerais, O = QESH INSTITUICAO DE PAGAMENTO LTDA, CN = {{URL}}
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:43:c3:07:26:d4:92:ee:48:f7:f0:8a:0c:68:
                    57:b2:4b:1b:e3:89:2f:4a:47:cd:64:04:50:34:35:
                    36:00:e0:64:6e:72:82:3f:9d:70:46:08:5e:b4:87:
                    7a:45:a4:ee:d3:c0:b7:a4:12:1e:f9:db:17:e7:83:
                    c4:97:8b:e3:0a:5a:b0:5f:1f:dd:3a:46:bf:77:ba:
                    54:8f:22:c0:0c:3e:3c:34:33:3d:b3:39:54:5a:7b:
                    84:c7:8e:e0:1a:2f:e6:d4:4b:b8:ea:56:ac:d7:1d:
                    a3:14:ac:64:b5:5f:b8:bf:a5:25:ad:da:16:2f:d0:
                    40:cc:24:db:43:19:ee:c7:90:b4:4e:07:d5:f0:5d:
                    78:a2:ff:0b:86:a4:4d:b0:cd:cd:15:88:8b:3b:21:
                    af:86:ec:23:32:e0:c2:47:e4:fc:53:b7:74:e1:8a:
                    34:3a:41:f8:ac:94:d1:f5:bf:6b:4c:66:22:a4:fb:
                    f4:c2:1b:a6:c1:4e:7c:fd:80:f0:77:ca:66:04:4f:
                    31:78:43:77:11:90:87:53:9c:ca:a4:00:50:b3:b8:
                    5a:43:2d:58:18:67:71:d6:5a:ca:9a:81:da:9c:5a:
                    71:c4:4e:72:00:8d:96:53:51:b5:fe:2a:03:2e:d0:
                    c0:57:b1:32:ec:0c:11:d7:9e:b8:2b:b9:fc:69:67:
                    61:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                39:48:24:86:9F:D3:37:B5:49:71:AA:C8:A8:40:34:F8:6B:87:CC:D9
            X509v3 Subject Key Identifier: 
                B8:16:89:97:91:B0:E1:00:02:ED:13:71:27:64:0E:6E:68:08:A4:53
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.1.5.1
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.1
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://certdata.crl.sectigo.com/CERTDATASSLEVCA.crl
            Authority Information Access: 
                CA Issuers - URI:http://certdata.crt.sectigo.com/CERTDATASSLEVCA.crt
                OCSP - URI:http://certdata.ocsp.sectigo.com
            X509v3 Subject Alternative Name: 
                DNS:{{URL}}, DNS:www.{{URL}}
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
                    Timestamp : Aug  3 12:08:21.633 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:1C:10:F7:4A:01:59:E0:7C:85:AB:42:D0:
                                9F:E3:A5:09:17:BC:F4:05:33:5B:F5:EF:DE:DB:D8:58:
                                1F:A0:33:A3:02:21:00:81:55:C2:2D:AB:07:16:78:6F:
                                27:C9:4D:91:14:1C:7A:8B:8A:12:43:E0:6D:2E:82:74:
                                81:3E:14:71:E0:08:7F
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DA:B6:BF:6B:3F:B5:B6:22:9F:9B:C2:BB:5C:6B:E8:70:
                                91:71:6C:BB:51:84:85:34:BD:A4:3D:30:48:D7:FB:AB
                    Timestamp : Aug  3 12:08:21.722 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:69:49:C7:2C:C4:4A:02:B6:55:A9:E5:34:
                                62:FE:D5:27:4C:B1:D6:62:30:F6:DE:7E:C9:AD:4D:EE:
                                92:B2:CB:7B:02:20:6F:7D:D4:EF:80:84:D3:49:7B:29:
                                02:5C:0D:88:98:C7:73:D3:EC:79:5F:96:39:4A:50:A8:
                                F5:23:0E:54:77:53
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : EE:CD:D0:64:D5:DB:1A:CE:C5:5C:B7:9D:B4:CD:13:A2:
                                32:87:46:7C:BC:EC:DE:C3:51:48:59:46:71:1F:B5:9B
                    Timestamp : Aug  3 12:08:21.675 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:7C:40:7A:8A:1A:AD:75:F8:6E:8E:3D:CF:
                                7E:26:86:D7:68:C4:DA:AB:F5:BB:98:5B:CC:6D:0C:04:
                                34:AC:B9:D6:02:21:00:A6:B8:95:4E:DE:E0:BC:0F:F5:
                                8B:56:C6:5A:3D:72:8C:5B:C4:C8:18:EB:40:86:41:A9:
                                6C:33:D4:24:67:99:5D
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        c4:32:c9:38:25:5f:c9:78:01:f9:a7:38:63:62:2c:01:5e:6b:
        73:99:e3:d4:43:b9:0b:a8:b9:42:92:c4:20:58:12:0c:35:b4:
        c0:88:99:ee:d1:53:e9:c4:87:cf:81:cf:ce:82:ab:20:48:41:
        ef:2a:5d:78:cd:80:7b:10:12:f3:4e:e6:31:d4:53:5f:75:f2:
        cf:9c:6b:ce:c2:9a:a6:05:3f:79:8e:8a:65:cf:02:f4:d3:87:
        85:eb:d5:ef:0d:45:38:ce:04:46:36:df:f1:e5:7e:3b:f0:cd:
        56:ab:21:94:04:e9:e1:48:51:17:9f:08:1b:70:f3:99:58:15:
        05:7b:45:66:1b:09:72:f8:18:00:dd:37:44:14:eb:50:15:cc:
        f8:ab:3b:34:03:5f:5d:e6:e0:39:c3:a4:6a:a7:7f:20:f8:e1:
        7e:97:67:da:72:43:11:4c:15:96:18:d6:84:67:ce:31:7e:32:
        9c:22:18:3d:4d:71:6c:6b:b8:e3:12:e1:37:e3:3d:08:e9:3f:
        7c:68:4e:e7:a7:ac:bf:52:7f:87:4c:79:ee:2f:66:a5:cf:f8:
        68:e0:80:b6:56:f2:25:68:0d:17:b4:6d:89:44:30:df:3a:68:
        3a:50:e5:17:0f:9b:92:a4:60:d7:71:ef:57:14:91:50:ff:3e:
        c6:ca:26:39
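As an added example (not code from the pix-api project or from anyone in this thread), here is a small Python triage helper that reads `openssl s_client` transcripts like the two posted above: dev-gto's output, where only `depth=0` appears together with the `num=20` / `num=21` pair, and the output above, where all three depths verify and the run ends with `Verify return code: 0 (ok)`. The two sample transcripts embedded below are constructed and shortened, with the hostnames replaced by example.test names; the `live_check` function is an assumption about how one would obtain the same verdict against a live host and needs network access, so it is not exercised here.

```python
"""Triage helper for `openssl s_client` transcripts (added example).

It tells an incomplete chain (the server sends only its leaf certificate,
so the client cannot find the issuer: num=20 followed by num=21) apart from
a chain that verifies cleanly, which is the distinction discussed above.
"""
import re
import socket
import ssl

# Constructed excerpt modelled on a server that sends only the leaf
# certificate (hostnames replaced by example.test names).
INCOMPLETE_CHAIN = """\
CONNECTED(00000003)
depth=0 C = BR, O = EXAMPLE BANK, CN = qrcode-h.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BR, O = EXAMPLE BANK, CN = qrcode-h.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
"""

# Constructed excerpt modelled on a server that sends leaf + intermediate
# and whose chain verifies against the local trust store.
COMPLETE_CHAIN = """\
CONNECTED(00000006)
depth=2 C = US, O = Example Trust Network, CN = Example Root CA
verify return:1
depth=1 C = BR, O = Example Certificate Services, CN = Example EV CA
verify return:1
depth=0 C = BR, O = EXAMPLE PAYMENT INSTITUTION, CN = pix.example.test
verify return:1
---
SSL handshake has read 5315 bytes and written 394 bytes
Verification: OK
---
Verify return code: 0 (ok)
"""

VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$", re.MULTILINE)
DEPTH_LINE = re.compile(r"^depth=(\d+) ", re.MULTILINE)
RETURN_CODE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.MULTILINE)


def parse_s_client(transcript: str) -> dict:
    """Extract the verify errors, the deepest chain depth seen and the
    final verify return code from an s_client transcript."""
    errors = [(int(num), msg.strip()) for num, msg in VERIFY_ERROR.findall(transcript)]
    depths = sorted({int(d) for d in DEPTH_LINE.findall(transcript)})
    match = RETURN_CODE.search(transcript)
    return {
        "errors": errors,
        "max_depth": depths[-1] if depths else None,
        "return_code": int(match.group(1)) if match else None,
    }


def classify_chain(transcript: str) -> str:
    """Name the condition the transcript shows.

    The X509 verify codes are OpenSSL's: 20 = unable to get local issuer,
    21 = unable to verify the first certificate, 10 = expired,
    18 = self-signed leaf.
    """
    info = parse_s_client(transcript)
    codes = {code for code, _ in info["errors"]}
    if not codes and info["return_code"] == 0:
        return "ok"
    if {20, 21} <= codes and info["max_depth"] == 0:
        # Only the leaf was presented: the intermediate CA is missing on
        # the server side, so the fix is to install the full chain there.
        return "incomplete-chain"
    if 10 in codes:
        return "expired"
    if 18 in codes:
        return "self-signed"
    return "other-error"


def live_check(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Assumed live variant: connect with the platform trust store and map
    Python's verify_code (same numbering as openssl's num=NN) to a verdict."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code in (20, 21):
            return "incomplete-chain"
        return f"other-error ({exc.verify_code}: {exc.verify_message})"


if __name__ == "__main__":
    for name, sample in (("incomplete", INCOMPLETE_CHAIN), ("complete", COMPLETE_CHAIN)):
        print(f"{name}: {classify_chain(sample)}")
```

A chain that verifies in a browser but not in `openssl s_client` is the typical signature of a missing intermediate: browsers often fetch it through the AIA URL or have it cached, while a plain TLS client, including a server-side tester, only sees what the server sends.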
rubenskuhl commented 9 months ago

These SSL certificate errors need to be resolved:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---

I get the same error in the qrtester (Access denied); when testing with openssl, there doesn't seem to be any error. It works normally when other institutions try to pay.

What does the full report from https://www.ssllabs.com/ssltest/ say?

arantesxyz commented 9 months ago

These SSL certificate errors need to be resolved:

openssl s_client -connect qrcode-h.banpara.b.br:443
CONNECTED(00000003)
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 04.913.711/0001-08, jurisdictionC = BR, businessCategory = Government Entity, C = BR, ST = Par\C3\A1, O = BANCO DO ESTADO DO PARA S A, CN = qrcode-h.banpara.b.br
verify error:num=21:unable to verify the first certificate
verify return:1
---

I get the same error in the qrtester (Access denied); when testing with openssl, there doesn't seem to be any error. It works normally when other institutions try to pay.

What does the full report from https://www.ssllabs.com/ssltest/ say?

(image attached)

But the QRTester doesn't even make the call to my server.

rubenskuhl commented 9 months ago

That's only the summary. It's in the full report that you can see potential problems.

arantesxyz commented 9 months ago

Thanks for the help, I'll wait for the BCB's reply by email.