Check SSL certificates

Posted . Visible to the public.

Installing SSL certificates usually implies additionally using intermediate certificates. If one of them is missing, some SSL client implementations might fail with failures such as

curl 

~ curl -v https://host-to-check
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

OpenSSL 

~ openssl s_client -connect host-to-check:443
...
verify error:num=20:unable to get local issuer certificate
...
verify error:num=27:certificate not trusted
...
verify error:num=21:unable to verify the first certificate

Firefox

You will see the "This Connection is Untrusted" error with details such as The certificate is not trusted because no issuer chain was provided.

How to fix it

Use https://www.ssllabs.com/ssltest/analyze.html Show archive.org snapshot to perform an in-depth check of your site.

Use tools of the certificate suppliers, many can tell you which intermediate CA is missing exactly:

Thomas Eisenbarth
makandra.de
Say thanks
Last edit
Pascal Roth
License
Source code in this card is licensed under the MIT License.

Related cards:

Working around OpenSSL::SSL::SSLErrors

If your requests blow up in Ruby or CURL, the server you're connecting to might only support requests with older SSL/TLS versions.

You might get an error like: OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=unknown state

...

Test if a checkbox is checked in jQuery 

jqueryElement.is(':checked')

RestClient / Net::HTTP: How to communicate with self-signed or misconfigured HTTPS endpoints

Occasionally, you have to talk to APIs via HTTPS that use a custom certificate or a misconfigured certificate chain (like missing an intermediate certificate).

Using RestClient will then raise RestClient::SSLCertificateNotVerified errors, or wh...

Issue Checklist Template

This is a checklist I use to work on issues. For this purpose I extracted several cards related to the makandra process and ported them into a check list and ref...

Use SSL for Amazon RDS / MySQL (and your Rails app)

In case you have sensitive data within your RDS instance, you want to use encrypted connections between your application and RDS instances. If you're using MySQL on RDS, here's what to do:

  1. Download the AWS CA file and copy it to the machine yo...

Force net/http to verify SSL certificates

Ruby's net/http is setup to never verify SSL certificates by default. Most ruby libraries do the same. That means that you're not verifying the identity of the server you're communicating with and are therefore exposed to man in the middle attacks...

How to enable SSL in development with Passenger standalone

Here is how to start your Rails application to accept both HTTP and HTTPS in development.

  1. gem install passenger

  2. Create a [self-signed SSL certificate](https://makandracards.com/makandra/15901-howto-create-a-self-signed-certificate...

Unobtrusive jQuery to toggle visibility with selects and checkboxes

Use this if you want to show or hide part of a form if certain options are selected or boxes are checked.

The triggering input gets an data-selects-visibility attribute with a selector for the elements to show or hide, like

<%= form.select...

Missing certificates for rubygems and bundler in Ruby 1.8.7

Using Ruby 1.8.7 you will not be able to use the maximum versions Rubygems 1.8.30 and Bundler 1.17.3 with https://rubygems.org/ anymore. This is a result of a server certificate on December 5th, 2020. The resulting errors will...

Using Thin for development (with SSL)

Note: These instructions are for a quick per-project setup and may require you to change code. If you generally need SSL for development, you probably want to use [Passenger](https://makandracards.com/makandra/549-using-passenger-for-developme...

Posted by Thomas Eisenbarth to makandra dev (2015-10-20 07:54)
This website uses short-lived cookies to improve usability.
or learn more