Monday, April 20, 2015

[Solved] cannot verify raw.github.com's certificate, issued by

0)
First, delete or rename /etc/ssl/certs (this empties the local CA store, which reproduces the error below).

1)
Try to download a file from GitHub using wget.

ERROR: cannot verify github.com's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA’: Unable to locally verify the issuer's authority.

$wget https://raw.githubusercontent.com/sajuptpm/mytools/master/.gitignore
--2015-04-20 17:16:53--  https://raw.githubusercontent.com/sajuptpm/mytools/master/.gitignore
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.27.74.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.27.74.133|:443... connected.
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA’:
  Unable to locally verify the issuer's authority.
To connect to raw.githubusercontent.com insecurely, use `--no-check-certificate'.

2)
Download the DigiCert root certificate "DigiCert High Assurance EV Root CA" from the following site.
https://www.digicert.com/digicert-root-certificates.htm

#cd /etc/ssl
#mkdir certs
#cd /etc/ssl/certs
#sudo wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt --no-check-certificate

* At this point, try "Step-1" again and you will get the same error.

2)
Unfortunately, the downloaded certificate is DER-encoded (binary) and needs to be converted into PEM text.

#cd /etc/ssl/certs
#sudo openssl x509 -inform DER -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.crt -text

* At this point, try "Step-1" again and you will get the same error.

3)
Check
#ls -a
.  ..  .0 DigiCertHighAssuranceEVRootCA.crt

* You can see a hidden file named ".0"; open it in the vim editor and you will see that it contains a certificate key.
* At this point, try "Step-1" again and you will get the same error.

4)
The final step is running c_rehash on "/etc/ssl/certs". It scans the directory, computes a hash value (of the certificate's subject name) for each '.pem' and '.crt' file, and creates a symbolic link to each file named by that hash value. Programs on the system that use OpenSSL (like curl or wget) expect to find the certificates they require in this c_rehash'ed format.

#sudo c_rehash /etc/ssl/certs
OR
#cd /etc/ssl/certs
#sudo c_rehash .

* At this point, try "Step-1" again and you will not get any error.

5)
Check
#ls -a
.  ..  .0  244b5494.0  81b9768f.0  DigiCertHighAssuranceEVRootCA.crt

* Now you can see two new files named "244b5494.0" and "81b9768f.0". These are the links created by c_rehash; open one in the vim editor and you will see that it contains a certificate key.


6)
$ wget https://raw.githubusercontent.com/sajuptpm/mytools/master/.gitignore
--2015-04-20 17:24:47--  https://raw.githubusercontent.com/sajuptpm/mytools/master/.gitignore
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.27.75.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.27.75.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15 [text/plain]
Saving to: ‘.gitignore.1’

100%[==========================================================================================================>] 15          --.-K/s   in 0s     

2015-04-20 17:24:48 (294 KB/s) - ‘.gitignore.1’ saved [15/15]


7)
Complete script
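#!/bin/bash
# Installs the DigiCert High Assurance EV Root CA into /etc/ssl/certs.

cd /etc/ssl/certs || exit 1
# Download the root certificate (DER-encoded); verification is off because the CA store is still empty.
sudo wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt --no-check-certificate
# Convert DER to PEM text (with a human-readable dump) in place.
sudo openssl x509 -inform DER -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.crt -text
# Create the hash-named symbolic links that wget and curl look up.
sudo c_rehash .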
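
The script above fetches the root certificate with --no-check-certificate, so nothing authenticates the file that becomes a trust anchor. The following added example (not part of the original post or its script) checks a pinned SHA-256 fingerprint before converting DER to PEM and creating the hash link that c_rehash would create. The function names, the pinned value and the throwaway demo CA are assumptions constructed for the example.

```bash
#!/bin/bash
# Added example (not the post's script). The sample certificate is constructed locally.

# Print the SHA-256 fingerprint of a DER certificate as upper-case hex, no colons.
fingerprint_der() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}

# install_ca DER_FILE EXPECTED_SHA256 CERT_DIR
# Refuses the file unless its fingerprint matches the pinned value, then converts
# DER to PEM and creates the <subject_hash>.0 symlink that c_rehash would create.
# Prints the link name on success; returns 1 on any failure.
install_ca() {
    local der=$1 dir=$3 expected actual pem hash
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    actual=$(fingerprint_der "$der")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $der: got ${actual:-none}" >&2
        return 1
    fi
    pem="$dir/$(basename "${der%.*}").pem"
    openssl x509 -inform DER -in "$der" -out "$pem" || return 1
    hash=$(openssl x509 -in "$pem" -noout -subject_hash) || return 1
    ln -sf "$(basename "$pem")" "$dir/$hash.0"
    echo "$hash.0"
}

# Constructed sample: a throwaway self-signed CA in DER form, standing in for
# the downloaded DigiCertHighAssuranceEVRootCA.crt.
make_demo_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo Root CA" \
        -keyout "$1/demo-ca.key" -out "$1/demo-ca.tmp" 2>/dev/null &&
    openssl x509 -in "$1/demo-ca.tmp" -outform DER -out "$1/demo-ca.der"
}

# Demo run in a scratch directory (nothing under /etc is touched).
work=$(mktemp -d)
make_demo_ca "$work/download" && mkdir "$work/certs"
# In real use the pinned value is the fingerprint the CA publishes, obtained over
# an already-trusted channel; here it is computed from the constructed sample.
pinned=$(fingerprint_der "$work/download/demo-ca.der")
install_ca "$work/download/demo-ca.der" "$pinned" "$work/certs"
install_ca "$work/download/demo-ca.der" "00" "$work/certs" || echo "rejected, as expected"
rm -rf "$work"
```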





1 comment:

  1. https://github.com/sajuptpm/mytools/blob/master/ubuntu/ssl_certificate.sh
