[nmglug] Acroread ssl certificate failure
Brian O'Keefe
okeefe at cybermesa.com
Wed Apr 14 17:19:05 PDT 2010
I used to be able to log into my bank from Acroread (sorry, but no OSS
can do this and my bank sends pdf notices).
I now get an error and am requested to install the certificate with this
command. Any help would be appreciated as this sort of thing is beyond me:
acroread -installCertificate es.somewebsite.com 443
which returns a lot of output:
"~$ acroread -installCertificate es.somewebsite.com 443
Fetching certificate from website....
depth=0 /C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms
of use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms
of use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms
of use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
Processing ....
The website presented the following Certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
51:5b:3b:ba:6f:30:83:d9:20:e0:02:d3:81:64:b6:22
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2
Validity
Not Before: Apr 7 00:00:00 2010 GMT
Not After : May 7 23:59:59 2011 GMT
Subject: C=US, ST=Missouri, L=Monett, O=Jack Henry and Associates, OU=Terms of use at www.verisign.com/rpa (c)05, CN=es.somewebsite.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/rpa
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:A5:EF:0B:11:CE:C0:41:03:A3:4A:65:90:48:B2:1C:E0:57:2D:7D:47
Authority Information Access:
OCSP - URI:http://ocsp.verisign.com
CA Issuers - URI:http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer
1.3.6.1.5.5.7.1.12:
0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
Signature Algorithm: sha1WithRSAEncryption
Do you want to accept and install it (y|n)? [n] y
Certificate successfully installed."
When I try to log in from acroread I get the same error as before. I ran
openssl this way to see if I could get some useful info:
~$ openssl s_client -connect es.somewebsite.com:443 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms
of use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms
of use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms
of use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms of
use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server
CA - G2
---
Server certificate
subject=/C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms
of use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server
CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 1473 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
9B240000E0BC78AD94AFE84221788E7AC509F2D9EFB87585A7F950457FDE7490
Session-ID-ctx:
Master-Key:
9F4DCBFCEF46D7B65CD586A1BE2B34E9EEFBE2B293A4C660937BC472F0B8982F3D1EBCDBCF505391D711ABACCB74D0B8
Key-Arg : None
Start Time: 1271290540
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0
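
As an added example (not part of the original post): a small Python parser for the `Certificate chain` section of `openssl s_client -showcerts` output that lists the issuers the server did not send. The sample text is constructed from the output quoted in the post, and `parse_chain` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed sample, modelled on the `openssl s_client -showcerts` output in
# the post (mail-wrapped lines kept as they appear, PEM body omitted).
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/C=US/ST=Missouri/L=Monett/O=Jack Henry and Associates/OU=Terms of
use at www.verisign.com/rpa (c)05/CN=es.somewebsite.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server
CA - G2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    chain, field, in_chain = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif not in_chain:
            continue
        elif line.strip() == "---":
            break                      # end of the chain section
        elif line.startswith("-----"):
            field = None               # PEM body follows; stop DN continuation
        elif (m := re.match(r"\s*\d+ s:(.*)", line)):
            chain.append({"s": m.group(1), "i": ""}); field = "s"
        elif (m := re.match(r"\s*i:(.*)", line)) and chain:
            chain[-1]["i"] = m.group(1); field = "i"
        elif field and chain:          # continuation of a wrapped DN
            chain[-1][field] += " " + line.strip()
    return [(c["s"], c["i"]) for c in chain]

def diagnose(output):
    """Relate the verify errors to the issuers missing from the sent chain."""
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", output)})
    chain = parse_chain(output)
    sent = {s for s, _ in chain}
    # Issuers that are neither self-signed nor sent must come from the local store.
    missing = [i for s, i in chain if i != s and i not in sent]
    return {"errors": errors, "sent": len(chain), "missing_issuers": missing}
```

For the output in the post it reports one certificate sent and the VeriSign intermediate as an issuer the client has to find in its own trust store, which is what verify errors 20 and 21 describe.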