SSL Certificate installation

Posted by oedev on 19-Jul-2018 07:21

OpenEdge 11.6, Windows 32 bit

I'm trying to integrate with Google's Firebase Cloud Messaging service using the OpenEdge HTTP client library.

When doing a simple test, I'm receiving the error;

---------------------------
Error (Press HELP to view stack trace)
---------------------------
Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for 4a6481c9.0 in C:\OE116\certs (9318)
---------------------------
OK Help
---------------------------

The URL being called is "fcm.googleapis.com/.../send"

I've tried to get the certificates for googleapis.com using Openssl as follows;

 .\openssl s_client -connect googleapis.com:443 -prexit -showcerts

This shows 2 certificates, which I've copied to separate .pem files and loaded into OpenEdge using the following (after copying the pem files to $DLC\keys\requests);

certutil -import C:\OE116\keys\requests\fcm5.pem

The certificates are loaded successfully and I can see 2 new files in the cert directory representing the loaded pem files.

However, I don't see a file with the ID in the error above, 4a6481c9.0.

Any pointers to what I'm missing? 

Thanks!

All Replies

Posted by Brian K. Maher on 19-Jul-2018 07:30

You need to put them into $DLC/certs not $DLC/keys/requests.
 
 
Brian Maher
Principal Engineer, Technical Support
Progress
14 Oak Park | Bedford, MA 01730 | USA
phone
+1 781 280 3075
 
 
 
 

Posted by Brian K. Maher on 19-Jul-2018 07:32

Also, once you copy the .pem files into $DLC/certs, open a Proenv command shell, cd to $DLC/certs dir then run this for each .pem you copied into the directory:
 
certutil -import some_file_name.pem -format PEM
 
This command will output the .0 file.  Make sure you end up with a .0 file which matches the name you are looking for.
 
 
 
 

Posted by oedev on 19-Jul-2018 07:44

Thanks Brian.

Copied to certs directory and re-ran the command as suggested.

I do get the .0 files in the certs directory, but none match the ID presented in the error message.

openssl returns 2 certificates. I've tried importing them as separate .pem files and as a combined .pem file. They are all loaded successfully, but none with the ID I require.

Posted by oedev on 19-Jul-2018 07:51

So I googled "4a6481c9.0" and found a link to a PEM file for that ID;

github.com/.../GlobalSign_Root_CA_-_R2.pem

Created a PEM file with the details from the link, and loaded it. My code now works :-)

For some reason, openssl was not including that certificate, not sure why?
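
Added example (not part of the original posts): a TLS server normally sends only its leaf and intermediate certificates, so the root at the top of the chain has to be in the client's certificate store already. This sketch parses a saved `openssl s_client -showcerts` transcript and lists the issuers the server did not send; the sample transcript and every name in it are constructed.

```python
import re

# Constructed sample of the "Certificate chain" summary printed by
# `openssl s_client -showcerts`. All names are placeholders.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=*.example-api.test
   i:/C=US/O=Example Trust/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed, body omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Trust/CN=Example Intermediate CA
   i:/C=US/O=Example Trust/CN=Example Root CA
-----BEGIN CERTIFICATE-----
(constructed, body omitted)
-----END CERTIFICATE-----
---
"""

def parse_chain(transcript):
    """Return [(depth, subject, issuer)] from the chain summary lines."""
    chain, current = [], None
    for line in transcript.splitlines():
        m = re.match(r"\s*(\d+)\s+s:(.*)$", line)   # " 0 s:<subject DN>"
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            chain.append(current)
            continue
        m = re.match(r"\s+i:(.*)$", line)           # "   i:<issuer DN>"
        if m and current is not None and current[2] is None:
            current[2] = m.group(1).strip()
    return [tuple(c) for c in chain]

def issuers_not_sent(chain):
    """Issuer DNs with no matching subject in the chain the server sent."""
    subjects = {subject for _, subject, _ in chain}
    missing = []
    for _, _subject, issuer in chain:
        # A self-signed root has issuer == subject, so it is never reported.
        if issuer and issuer not in subjects and issuer not in missing:
            missing.append(issuer)
    return missing

if __name__ == "__main__":
    for dn in issuers_not_sent(parse_chain(SAMPLE)):
        print("not sent by server, must be in the local store:", dn)
```

Any DN it reports names a certificate that has to be imported separately, which is the situation the "unable to get local issuer certificate" error describes.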

Posted by Brian K. Maher on 19-Jul-2018 07:52

That means you are still missing some certificate.  Go to the vendor that you are trying to connect to and ask them for all the certificates that are needed.
 
 
 
 

This thread is closed