On Wednesday 04 May 2016 18:40:01 William O'Malley wrote:
> On Wed, May 4, 2016, at 12:25 PM, Ron Leach wrote:
> > List, good afternoon,
> >
> > I'd appreciate some advice about how to fix an SSL error I'm hitting
> > while accessing a government website required for online filing.
> > Oddly, this error has just occurred, but we've been using the service
> > without difficulty for a few years.
> >
> > The SSL failure is reported by the application as an
> > "SSL Certificate Verification Error"; no other information.
> >
> > Using openssl -showcerts, a "verify error" is reported. Here's the
> > dialogue - I've skipped the bulk of the certificate texts.
> >
> > ron@debians5:~$ openssl s_client -showcerts -connect
> > secure.gateway.gov.uk:443 </dev/null
> > CONNECTED(00000003)
> > depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> > verify error:num=20:unable to get local issuer certificate
> > verify return:0
> > ---
> > Certificate chain
> > 0 s:/C=GB/ST=London/L=London/O=Department for Work and
> > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> > i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> > -----BEGIN CERTIFICATE-----
> > MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
> > tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > [...]
> > T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
> > iV/THI2bNvQl6In1tHt8rO8=
> > -----END CERTIFICATE-----
> > 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
> > at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> > i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> > VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
> > Primary Certification Authority - G5
> > -----BEGIN CERTIFICATE-----
> > MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
> > yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> > [...]
> > W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
> > Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
> > -----END CERTIFICATE-----
> > ---
> > Server certificate
> > subject=/C=GB/ST=London/L=London/O=Department for Work and
> > Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> > issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
> > use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
> > Server CA - G3
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 3043 bytes and written 447 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AES256-SHA
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> > Protocol : TLSv1
> > Cipher : AES256-SHA
> > Session-ID: 89[...]F6
> > Session-ID-ctx:
> > Master-Key: 5A[...]93
> > Key-Arg : None
> > Start Time: 1462378147
> > Timeout : 300 (sec)
> > Verify return code: 20 (unable to get local issuer certificate)
> > ---
> > DONE
> > ron@debians5:~$
> >
> >
> > I've updated the machine (using synaptic) with the latest
> > ca_certificates, but the error remains (this is the current output,
> > after certificate updates).
> >
> > The system was working fine last month, but seems to fail today. I'm
> > not familiar with the 'behind the scenes' workings of openssl and the
> > certificate chains, and would appreciate any insight into what might
> > be going wrong.
> >
> > regards, Ron
>
> Hi,
>
> Have you tried a different browser? I get the following error in Chrome
> when attempting to log in:
>
> ==
> Sorry, you cannot register with, or log in to the Government Gateway
> using this certificate provider and web browser combination. These
> certificates are not currently supported on the Macintosh operating
> system and Netscape 6.x version browsers on all platforms.
>
> Other certificate providers may be added to the Government Gateway
> later. Please check this site regularly to find out which certificates
> can be used for online services.
> ==
>
> The site works fine in IE 11. Looks like it is coded in MS ASP.NET,
> which makes sense. No access to a Debian box right now, unfortunately.

I just logged in without a problem using Chromium "Version 37.0.2062.120
Built on Debian 7.6, running on Debian 7.10 (281580) (64-bit)"

Lisi
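
The chain summary in the quoted s_client output can be read mechanically. The following is an added example, not part of any message in this thread: it parses the "Certificate chain" block, checks that each certificate sent names the next one as its issuer, and reports the issuer the server did not send, which is the certificate the local trust store must supply when verify error 20 is reported. The function names and the rejoined sample text are constructed for illustration.

```python
import re

# Constructed sample: the chain summary quoted in the thread, with wrapped
# lines rejoined and the PEM bodies left out.
VS = "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network"
LEAF = ("/C=GB/ST=London/L=London/O=Department for Work and Pensions"
        "/OU=Transformational Government/CN=secure.gateway.gov.uk")
G3 = (VS + "/OU=Terms of use at https://www.verisign.com/rpa (c)10"
      "/CN=VeriSign Class 3 Secure Server CA - G3")
G5 = (VS + "/OU=(c) 2006 VeriSign, Inc. - For authorized use only"
      "/CN=VeriSign Class 3 Public Primary Certification Authority - G5")
SAMPLE = f"""depth=1 {G3}
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:{LEAF}
   i:{G3}
 1 s:{G3}
   i:{G5}
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' block."""
    pairs = re.findall(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", text, re.M)
    return [(int(d), s.strip(), i.strip()) for d, s, i in pairs]

def diagnose(text):
    chain = parse_chain(text)
    err = re.search(r"verify error:num=(\d+):", text)
    # Each certificate sent must name the next one sent as its issuer.
    broken = [a[0] for a, b in zip(chain, chain[1:]) if a[2] != b[1]]
    _, top_subject, top_issuer = chain[-1]
    return {
        "sent": len(chain),
        "error": int(err.group(1)) if err else 0,
        "broken_links": broken,
        "top_is_self_signed": top_subject == top_issuer,
        # Assumption made explicit: the issuer of the last certificate sent
        # is the one the local trust store has to provide.
        "needed_locally": top_issuer.rsplit("/CN=", 1)[-1],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

With an intact chain and error 20, the name under `needed_locally` is the CA certificate to look for in the client's trust store.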