From: Kumar Bijayant
To: users@httpd.apache.org
Date: Fri, 1 Mar 2013 14:33:25 +0530
Subject: [users@httpd] [Solved]Re: [users@httpd] Certificate mismatch error

Hi Edward,

The issue is now resolved after importing the correct intermediate certs. Their test steps were having some issue. Now all works fine.

Thanks for your help.

With Best Regards,
Bijayant Kumar

On Wed, Feb 27, 2013 at 2:23 AM, Edward Quick wrote:

> Ok, I guess your job is to show that apache is set up correctly and the
> fault is on the client side, so try these tests:
>
> Using curl, with your root certificate file (you shouldn't need the
> intermediate one if you set apache up right), run this:
>
> Test 1:
>
> $ curl --cacert ./root.pem https://abc.com
> $ curl --cacert ./root.pem https://xyz.com
>
> If that returns an error, try:
>
> Test 2:
> $ curl -k --cacert ./root.pem https://abc.com
>
> That should work (but disables ssl validation). If it doesn't, try curl -v
> or read the curl man page :-)
>
> If that worked try:
>
> Test 3:
> Concatenate the intermediate cert (pem format) to the end of root.crt, and
> rerun the curl script:
>
> $ curl --cacert ./root_and_intermediate.pem https://abc.com
> $ curl --cacert ./root_and_intermediate.pem https://xyz.com
>
> ------------------------------
> Date: Tue, 26 Feb 2013 20:49:54 +0530
> From: bijayant.mws@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Certificate mismatch error
>
> Just got an update from client that after importing the intermediate cert
> also, the issue is not resolved !!
>
> ORA-06512: at "SYS.UTL_HTTP", line 1029
> ORA-29024: Certificate validation failure (-29273)
>
> Thanks & Regards,
> Bijayant Kumar
>
> On Tue, Feb 26, 2013 at 7:49 PM, Kumar Bijayant wrote:
>
> The certificate is installed by third party (trust center). I think the
> same and asked them to check and install if it is not there. Just waiting
> for their reply now.
>
> Thanks for your help so far!
>
> Thanks & Regards,
> Bijayant Kumar
>
> On Tue, Feb 26, 2013 at 5:47 PM, Edward Quick wrote:
>
> Is your certificate issued by an internal CA or someone like
> Verisign/Comodo etc?
> I wonder if the Oracle DB connecting has the CA root certificate installed
> in their truststore. If they do, check the certificate chain for your site
> to make sure the intermediate is correctly set up.
>
> ------------------------------
> Date: Tue, 26 Feb 2013 14:29:29 +0530
> From: bijayant.mws@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Certificate mismatch error
>
> Hi Edward,
>
> I just renewed the server certificate on the Apache webserver. Oracle DB
> is not in our scope, that was the message from client.
>
> Thanks,
> Bijayant Kumar
>
> On Mon, Feb 25, 2013 at 7:31 PM, Edward Quick wrote:
>
> Could you clarify, when you say:
>
> The Certificate was installed into a Wallet-Manager of the ORACLE-DB.
> I need this Certificate for a communication between ORACLE-DB to the
> Webserver.
>
> Does that mean you are doing client certificate verification?
>
> Or are you just renewing the server certificate on your web server?
>
> ------------------------------
> Date: Mon, 25 Feb 2013 18:34:21 +0530
> From: bijayant.mws@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Certificate mismatch error
>
> Hi Edward,
>
> Yes, the intermediate certs have been set up on the Apache server.
>
> By any chance you know what else information can I ask from client to pin
> point their/DB problem?
>
> Thanks & Regards,
> Bijayant Kumar
>
> On Sun, Feb 24, 2013 at 2:16 PM, Edward Quick wrote:
>
> Hi Bijayant,
>
> You don't need another certificate if xyz.com is a subject alternate name
> of the primary certificate abc.com, so your understanding there is
> correct.
> Is the intermediate certificate set up?
>
> Regards,
> Edward.
>
> ------------------------------
> Date: Sun, 24 Feb 2013 12:49:45 +0530
> From: bijayant.mws@gmail.com
> To: users@httpd.apache.org
> Subject: [users@httpd] Certificate mismatch error
>
> Hello List,
>
> I have an issue to connect SSL enabled site to Oracle database server. Let
> me explain you with an example here.
>
> My website name is abc.com and it has another name as well say xyz.com
> and that is listed in additional DNS name field of certificates. Primary
> name is abc.com only.
>
> Now client is saying
>
> The Certificate was installed into a Wallet-Manager of the ORACLE-DB.
> I need this Certificate for a communication between ORACLE-DB to the
> Webserver. When the ORACLE DB communicates with the Webserver, the
> following error message was created:
> ORA-06512: at "SYS.UTL_HTTP", line 1029
> ORA-29024: Certificate validation failure (-29273)
>
> Now they are asking me to create a new certificate with the name xyz.com
> only. But as far as my knowledge goes, this should not create any issue as
> I have used both the name in my certificate and also I am not getting any
> error while browsing the website with either name.
> Please correct me if I am wrong or any other pointer that will be helpful.
>
> Thanks & Regards,
> Bijayant Kumar
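The trust-store cases the thread's curl tests distinguish, reproduced offline as an added example (not code from the thread): a client that trusts only the root, with and without the server supplying the intermediate, and a client that has imported the intermediate itself. It assumes the `openssl` CLI (1.1.0 or later); the "Lab" CA names and every file are constructed for the example.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (root -> intermediate -> leaf for abc.com with SAN xyz.com).
# Every name and file here is made up for the example; nothing touches the network.

mk_csr() {  # $1 = common name, $2 = file stem; writes $2.key and $2.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr"
}

build_chain() {  # $1 = empty working directory
  ( cd "$1" &&
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
    printf 'subjectAltName=DNS:abc.com,DNS:xyz.com\n' > leaf.ext &&
    mk_csr "Lab Root" root &&
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
      -extfile ca.ext -out root.pem &&
    mk_csr "Lab Intermediate" intermediate &&
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -days 30 -extfile ca.ext -out intermediate.pem &&
    mk_csr "abc.com" leaf &&
    openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
      -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem &&
    cat root.pem intermediate.pem > root_and_intermediate.pem
  ) >/dev/null 2>&1
}

# Client-side verdict: $2 is the client's trust bundle, $3 the extra certificates
# the server sent with the leaf (empty when the server sends the leaf alone).
verify() {  # $1 = dir, $2 = trust bundle, $3 = sent chain file or ""
  ( cd "$1" &&
    if [ -n "$3" ]; then openssl verify -CAfile "$2" -untrusted "$3" leaf.pem
    else openssl verify -CAfile "$2" leaf.pem; fi
  ) >/dev/null 2>&1 && echo ok || echo fail
}

covers_name() {  # $1 = dir, $2 = hostname; checks the leaf's SAN list
  openssl x509 -in "$1/leaf.pem" -noout -checkhost "$2" 2>/dev/null |
    grep -q "does match" && echo yes || echo no
}

demo() {
  d=$(mktemp -d) && build_chain "$d" || return 1
  echo "root only, server sends intermediate:   $(verify "$d" root.pem intermediate.pem)"
  echo "root only, server sends leaf alone:     $(verify "$d" root.pem "")"
  echo "root+intermediate imported, leaf alone: $(verify "$d" root_and_intermediate.pem "")"
  echo "xyz.com covered by SAN:                 $(covers_name "$d" xyz.com)"
  rm -rf "$d"
}
demo
```
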
