Certificate verification failed


#1

Hello, I am trying to create a new Poco HTTPSClientSession as follows:

const Poco::Net::Context::Ptr context(new Poco::Net::Context(Poco::Net::Context::CLIENT_USE, "", "/etc/ssl/certs/LetsEncryptCertificate.crt", "", Poco::Net::Context::VERIFY_RELAXED));
m_pSession = new Poco::Net::HTTPSClientSession(host, port, context);

and when I send GET request to server I get:

WARNING: Certificate verification failed
Issuer Name: /O=Digital Signature Trust Co./CN=DST ROOT CA X3
Subject Name: /C=US /O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
The certificate yielded the error: unable to get local issuer certificate
The error occurred in the certificate chain at position 1
Accept the certificate (y,n)?

I am reading this from syslog so I can’t press Y to accept the certificate. When I use a context with Poco::Net::Context::VERIFY_NONE I am able to send the request and get the response because there is no certificate verification. I was trying to add these certificates to my /etc/ssl/certs folder with .pem and .crt extensions but still got the same error. So my question is: how do I install these certificates on my mangOH Red board? I am using Legato 18.09 with a wp76xx chip. Also, my app is sandboxed and my adef looks like this:

requires:
{
    dir:
    {
        /etc/ssl/certs /etc/ssl/certs
    }
}

#2

Hiya @MilanVidic

How old is the LetsEncrypt certificate? They only have a valid life of 3 months from the date of creation before you have to renew them.

Additionally, until very recently, for some services you had to also import a particular root trust certificate to finish the ‘trust chain’ for LetsEncrypt certificates.

Can you use a LetsEncrypt certificate on a desktop Linux PC OK?

To check whether the certificates have been ‘required’ into the correct directory on your 'Red, have a look in the directories underneath /opt/legato for your application and see that the certs are in the appropriate directory.

ciao, Dave


#3

Hello @davidc,
I managed to establish a connection with ca-certificates.crt.
Thank you


#4

Hiya @MilanVidic

Good to hear.

Good luck with the rest of your project.

ciao, Dave
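
Added example (not part of the thread, and not code from Poco or Legato): a shell reproduction of the "unable to get local issuer certificate" error at chain position 1 from post #1, showing that it clears once the trust file contains the chain's root (the thread's fix was ca-certificates.crt). It assumes the openssl command-line tool is installed; the certificate names, the temp directory and the helpers `make_chain`, `verify_leaf` and `demo` are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway root -> intermediate -> leaf chain (all names made
# up) standing in for "DST Root CA X3 -> Let's Encrypt Authority X3 -> server".

# Build the chain, plus one unrelated root, inside directory $1.
make_chain() {
    d=$1
    cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in root other; do    # two self-signed roots; only "root" signs anything
        openssl req -config "$d/o.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $ca CA" -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
    done
    for c in int leaf; do       # certificate requests for intermediate and leaf
        openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
            -subj "/CN=Demo $c" -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/o.cnf" -extensions ca \
        -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 2 -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Verify the leaf in directory $1 against trust file $2. The intermediate is passed
# as -untrusted, the way a server supplies it during the TLS handshake.
verify_leaf() {
    openssl verify -CAfile "$2" -untrusted "$1/int.crt" "$1/leaf.crt" 2>&1
}

demo() {
    d=$(mktemp -d) && make_chain "$d" || return 1
    echo "trust file without the issuing root:"; verify_leaf "$d" "$d/other.crt" || true
    echo "trust file with the issuing root:";    verify_leaf "$d" "$d/root.crt" || true
    rm -rf "$d"
}

demo
```

In Poco::Net::Context the trust file or directory is the `caLocation` argument (fourth in the constructor used in post #1); `certificateFile` (third) is the client's own certificate.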