Topic on Extension talk:VisualEditor/Flow

Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK

5
Mrpaul1234 (talkcontribs)
MediaWiki 1.37.1
PHP 7.4.28 (cgi-fcgi)
SQLite 3.37.2
ICU 70.1


When using MediaWikis VisualEditor, I get this error:

Error contacting the Parsoid/RESTBase server: (curl error: 60) SSL peer certificate or SSH remote key was not OK


When setting up lighttpd to use https I did the following:

- created a private key and a private CA certificate, so my private server can sign certificates (ca.key, ca.pem)

- created a key and a certificate signing request for lighttpd and signed it with my CA certificate (key.pem, server.pem)

- added my own CA certificate to trusted certificates (trust anchor --store=/.../ca.pem)


When I now run

openssl verifiy /.../ca.pem

I get OK as answer - this makes sense, because I added the CA certificate.

When I run

openssl verifiy /.../server.pem

I also get OK, because the request was signed with the CA certificate.


But I don't understand, why now curl print this error?

Shouldn't also curl trust my both certificates as openssl shows?

Ciencia Al Poder (talkcontribs)

openssl validates the certificate is valid as per expiration dates and signature, but it doesn't validate it's trusted.

curl validates against the list of trusted CA, and your CA is not trusted according to curl, probably because you're using a self-signed certificate or signed by a CA you created.

You'll have to add that CA to the trusted CA store of the server.

Mrpaul1234 (talkcontribs)

I think, I've done exactly this by executing

trust anchor --store=/.../ca.pem

So my self-signed CA certificate should belong to the trusted CA store, or doesn't it?


I was checking this in the following way:

- created ca.pem (CA certificate) and server.pem (certificate for lighttpd)

- verified ca.pem with openssl verifiy /.../ca.pem -> Result: verification failed

- verified server.pem with openssl verifiy /.../server.pem -> Result: verification failed

- executed trust anchor --store=/.../ca.pem

- verified ca.pem with openssl verifiy /.../ca.pem -> Result: OK

- verified server.pem with openssl verifiy /.../server.pem -> Result: OK


So everything behaved as expected: the verification of my self-signed CA certificate and my CA-signed server certificate failed until I added the CA certificate to the trusted certificates of the server

Ciencia Al Poder (talkcontribs)

I guess php-curl uses a different ca trust store than the curl binary

https://stackoverflow.com/questions/41772340/how-do-i-add-a-certificate-authority-to-php-so-the-file-function-trusts-certif

Another solution would be an option to ignore cert errors, but this doesn't seem to be supported right now. Another question would be why would you use https in the first place? One of the suggested solutions is to allow unencrypted connections between MediaWiki and parsoid (which is MediaWiki itself), although it may have other complications as well...

Mrpaul1234 (talkcontribs)

I've found the reason:

There have been two problems:

1: The certificate-file required for using https under lighttpd (ssl.pemfile in lighttpd.conf) did only contain the server certificate but not the whole bundle. So I only needed to put the server and the CA certificate into one file and use this

cat /.../server.pem /.../ca.pem > /.../lighttpd/certs/bundle.pem


in /.../lighttpd.conf

...

ssl.pemfile = /.../lighttpd/certs/bundle.pem

...


2: The encrpytion I used for my CA certificate was not TLS v1.3 compatible. After creating all keys and certificates again, signing the server certificate request with the CA certificate and adding the CA certificate to the trusted on my server everything went well.