boyter / searchcode

Official support channel for searchcode.com support issues and the like.

Problem with searchcode.com SSL certificate #28

Closed njsmith closed 9 years ago

njsmith commented 9 years ago

While I seem to be able to access https://searchcode.com with firefox or chromium, other tools like curl and requests bomb out:

$ curl 'https://searchcode.com/api/codesearch_I/?q=PyUFuncObject&per_page=100&p=7'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
~/src/numpy$ python -c 'import requests; requests.get("https://searchcode.com/api/codesearch_I/?q=PyUFuncObject&per_page=100&p=7")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/njs/.user-python2.7-64bit-3/local/lib/python2.7/site-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/home/njs/.user-python2.7-64bit-3/local/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/home/njs/.user-python2.7-64bit-3/local/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/njs/.user-python2.7-64bit-3/local/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/home/njs/.user-python2.7-64bit-3/local/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

I'm not entirely sure what's wrong or whose fault this is, but openssl claims that you have some missing intermediate certificates:

~$ openssl s_client -connect searchcode.com:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = searchcode.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = searchcode.com
verify error:num=21:unable to verify the first certificate
verify return:1

---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=searchcode.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=searchcode.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

---
SSL handshake has read 4366 bytes and written 441 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5F3D90F168899E56292FE97A81E7C954AC1F3B4B8EE42F177361DD4F8A55ECA8
    Session-ID-ctx: 
    Master-Key: 538D959A1BF9550ECF2950BB2FC49C85339D0B6A90A34111473F2D2B4CFE7680AEBC7FFA5DA2341A68F3681DEF46C208
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1440890274
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

---
^C

I got that command from the "SSL certificate chains" section of this page of the nginx docs.
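A programmatic version of the chain check run above, as an added example that is not code from this issue or from searchcode: it parses the "Certificate chain" section that `openssl s_client` prints and reports every certificate whose issuer is not the next certificate the server actually sent, which is the condition behind "unable to get local issuer certificate". The sample input is that section quoted from this issue; the function and class names are assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: the "Certificate chain" section from the openssl s_client output in this issue.
# The leaf names the COMODO RSA DV CA as issuer, but the next cert sent is "PositiveSSL CA 2".
SAMPLE_CHAIN = """\
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=searchcode.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/OU=..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")            # "   i:/C=GB/..."

def parse_chain(text: str) -> list[ChainEntry]:
    """Pair each 'N s:' line with the 'i:' line that follows it."""
    entries: list[ChainEntry] = []
    pending = None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER_RE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return entries

def find_chain_gaps(entries: list[ChainEntry]) -> list[str]:
    """One message per cert whose issuer is not the next cert sent; a self-signed cert ends the walk."""
    gaps = []
    for idx, entry in enumerate(entries):
        if entry.subject == entry.issuer:
            break  # reached a self-signed root; nothing further to link
        nxt = entries[idx + 1] if idx + 1 < len(entries) else None
        if nxt is None or nxt.subject != entry.issuer:
            gaps.append(f"depth {entry.depth}: issuer not sent by server: {entry.issuer}")
    return gaps
```

Running `find_chain_gaps(parse_chain(SAMPLE_CHAIN))` on the issue's output reports the gap at depth 0; a chain whose depth-1 subject matches the leaf's issuer reports none.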

boyter commented 9 years ago

This one is totally my fault... DOH!

It's because when I was upgrading the cert, since Google decided to throw its weight around, I somehow forgot to upgrade the certificate chain.

Thank you so much for adding a way to replicate it. I will attempt to fix it in the next day or so.

boyter commented 9 years ago

Or I will fix it now. Appears to be resolved from my site. I was able to replicate and now my tests show everything to be OK. Checked with a few online SSL checkers just to be sure and all came back OK.

Let me know if it's all fine from your end and I'll mark this closed.

njsmith commented 9 years ago

Looks good to me!