Clovertech

Http Certs

Clovertech Forums Cloverleaf Http Certs

  • Creator
    Topic
  • June 15, 2020 at 5:25 pm #117145
    Michael Sierra
    Participant

      We connect to the CHIRP website with a curl command in a tclscript. We do not use the https-client protocol thread as there were a ton of other issues with it. We recently started getting error when connecting to CHIRP and the vendor confirmed we are using a cert that expired recently. After working with one of our server engineers on this they noticed that there are two versions of curl on the server: one in the root directory and one in the integrator. He noticed that when using curl from the root we can successfully connect to CHIRP, but when we connect using curl from integrator we get the cert expired error. However they are both pointed to /etc/pki/tls/certs/ca-bundle.cr. We believe the expired cert is still cached somewhere in the integrator. Is anyone of where the cert might be stored so we can remove it? I added screenshots comparing a successful and failed curl call and comparison of the curl locations.

       

      Also does anyone know if Infor has documentation on this? I tried to find it with no luck but hoping someone knows of something.

      Attachments:
      You must be logged in to view attached files.
    • Creator
      Topic
    Viewing 1 reply thread
    • Author
      Replies
      • June 15, 2020 at 5:41 pm #117149
        Rob Abbott
        Keymaster

          It’s possible the cURL version that is shipped with Cloverleaf 6.1 is old and uses an old cipher set that CHIRP doesn’t like.

          If you are specifically pointing at a cert I don’t think there’s anything cert-related that is cached in the command-line version of curl.

          Check the curl versions on the o/s and in Cloverleaf and see if they match (curl –version).

          Rob Abbott
          Cloverleaf Emeritus

        • June 16, 2020 at 12:56 pm #117151
          Michael Sierra
          Participant

            It looks like we are actually using TCLCurl in the script itself. I don’t know much about cipher sets but we were able to connect to CHIRP without issue until the cert expired in May so I would think if CHIRP had an issue with that then it wouldn’t have ever worked but I’m not sure.

             

            The curl versions are different. I attached screenshots. But what could be happening differently between the curl versions for one to work and one to fail even if they are pointed to the same ca bundle?

            Attachments:
            You must be logged in to view attached files.
        • Author
          Replies
        Viewing 1 reply thread
        • You must be logged in to reply to this topic.