Dear Alejandro, Our FIWARE LAB colleagues have worked to solve this. Could you verify it is ok now? Many thanks, Santiago De: Alejandro Rodriguez [mailto:alex.mognom at gmail.com] Enviado el: martes, 8 de noviembre de 2016 10:02 Para: fiware-tech-help at lists.fiware.org Asunto: Re: [Fiware-tech-help] CA chain not included in data portal Dear tech support, Regarding the CA chain problem, it can be reproduced using curl: $ curl -v https://data.lab.fiware.org/api/3/action/package_search\?rows\=20\&start\=0<https://data.lab.fiware.org/api/3/action/package_search/?rows\=20\&start\=0> * Trying 130.206.84.9... * Connected to data.lab.fiware.org<http://data.lab.fiware.org> (130.206.84.9) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /usr/local/etc/openssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS alert, Server hello (2): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0 * TLSv1.2 (OUT), TLS alert, Client hello (1): curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. Also you can see that quality assurance tools like the one provided by ssllabs https://www.ssllabs.com/ssltest/analyze.html?d=data.lab.fiware.org&s=2001%3a720%3a1514%3a5400%3a0%3a0%3a0%3a9&latest<https://www.google.com/url?q=https%3A%2F%2Fwww.ssllabs.com%2Fssltest%2Fanalyze.html%3Fd%3Ddata.lab.fiware.org%26s%3D2001%253a720%253a1514%253a5400%253a0%253a0%253a0%253a9%26latest&sa=D&sntz=1&usg=AFQjCNHEXRsMD9OhZQ8oyYtnUky8UlqzXQ> also complains about the CA chain: "This server's certificate chain is incomplete. Grade capped to B." Best regards, Alejandro. On Mon, Nov 7, 2016 at 1:24 PM, Alejandro Rodriguez <alex.mognom at gmail.com<mailto:alex.mognom at gmail.com>> wrote: Dear Sir/Madam. The CA chain is not included on the SSL configuration, so when making queries using python the certificate is not validated, throwing an SSL validation error. Best regards, Alejandro. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.fiware.org/private/fiware-tech-help/attachments/20161108/9c44c8ea/attachment.html>
You can get more information about our cookies and privacy policies clicking on the following links: Privacy policy Cookies policy