Unable to get local issuer certificate
Hello,

I am receiving the above error when a GitLab webhook tries to call my servlet. The full text of the error states:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate).

If I try to access any of the servlets running in the same Tomcat server from a web browser then the certificate is OK and the padlock icon appears as expected. The certificate that is used by Tomcat is a domain wildcard certificate issued by Go-Daddy.

Any ideas on what isn’t being correctly sent in response to the GitLab webhook?

Thanks,

Andy.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Unable to get local issuer certificate
Hello Andy,

> -Original Message-
> From: Andy Pont
> Sent: Monday, 18 September 2023 19:08
> To: users@tomcat.apache.org
> Subject: Unable to get local issuer certificate
>
> Hello,
>
> I am receiving the above error when a GitLab webhook tries to call my
> servlet. The full text of the error states:
>
> SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable
> to get local issuer certificate).
>
> If I try to access any of the servlets running in the same Tomcat server from
> a web browser then the certificate is OK and the padlock icon appears as
> expected. The certificate that is used by Tomcat is a domain wildcard
> certificate issued by Go-Daddy.
>
> Any ideas on what isn’t being correctly sent in response to the GitLab
> webhook?
>
> Thanks,
>
> Andy.

This means the calling program can't verify the certificate. Check whether all the intermediates are delivered by Tomcat. Furthermore, the calling program must know the root certificate of your webserver certificate.

Maybe you can post the certificate chain. You might use openssl for this, or https://github.com/rbsec/sslscan for example. Don’t use the browser because it doesn’t show what the server delivers.

Greetings,
Thomas
Re: Unable to get local issuer certificate
Thomas wrote…

> This means the calling program can't verify the certificate. Check whether all the intermediates are delivered by Tomcat. Furthermore, the calling program must know the root certificate of your webserver certificate.

If I look at a random website using 'openssl s_client -showcerts -connect' then I get the server certificate plus two others:

    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = xxx.mydomain.com

If I use the same command with the Tomcat servlet then it gives the following:

    verify error:num=20:unable to get local issuer certificate
    verify return:1
    verify error:num=21:unable to verify the first certificate
    verify return:1

The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go Daddy Root Certificate Authority - G2” according to the browser. My guess is that the .pfx file that Tomcat is using doesn’t include them.

-Andy.
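An added example, not code from anyone in this thread: a small Python check of the "Certificate chain" section that `openssl s_client -showcerts` prints, reporting which issuer the server fails to deliver. The two sample outputs and the `TRUSTED_ROOTS` set are constructed assumptions, and the check compares subject and issuer names only; it does not validate signatures.

```python
import re

# Constructed sample: "Certificate chain" section for a server that sends
# only its own (leaf) certificate, as the Tomcat instance above appears to.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = *.example.com
   i:CN = Go Daddy Secure Certificate Authority - G2
---
"""
# Constructed sample: the same server once the intermediate is delivered too.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:CN = *.example.com
   i:CN = Go Daddy Secure Certificate Authority - G2
 1 s:CN = Go Daddy Secure Certificate Authority - G2
   i:CN = Go Daddy Root Certificate Authority - G2
---
"""
# Assumption: subject names of the roots in the calling program's trust store.
TRUSTED_ROOTS = {"CN = Go Daddy Root Certificate Authority - G2"}

# One chain entry: " <depth> s:<subject>" followed by "   i:<issuer>".
ENTRY = re.compile(r"^[ \t]*(\d+) s:(.*)\n[ \t]+i:(.*)$", re.MULTILINE)


def delivered_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in ENTRY.finditer(s_client_output)]


def diagnose(s_client_output, trusted_roots):
    """Name-based chain check; no signature validation is performed."""
    chain = delivered_chain(s_client_output)
    if not chain:
        return "no certificate chain found in output"
    # Each delivered certificate must be issued by the one that follows it.
    pairs = zip(chain, chain[1:])
    for depth, ((_, issuer), (next_subject, _)) in enumerate(pairs):
        if issuer != next_subject:
            return f"certificate {depth} is not issued by certificate {depth + 1}"
    # The last delivered certificate must be, or be issued by, a trusted root.
    subject, issuer = chain[-1]
    if subject in trusted_roots or issuer in trusted_roots:
        return "complete"
    return f"missing issuer: {issuer}"
```

A "missing issuer" result for the leaf corresponds to the verify errors 20 and 21 shown above: the client holds the root but was never sent the intermediate that links the leaf to it.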