About the certificate validate


boling wang

Sep 22, 2015, 4:15:55 AM
to QUIC Prototype Protocol Discussion group
Hi there,

I got the latest source code of Chromium and followed the steps of the link: https://www.chromium.org/quic/playing-with-quic. I got quic_server and quic_client successfully. However, I also got the following ERROR when I tried to connect from client to server.

[0922/075928:ERROR:cert_verify_proc_nss.cc(922)] CERT_PKIXVerifyCert for 127.0.0.1 failed err=-8179
[0922/075928:WARNING:proof_verifier_chromium.cc(286)] Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID

I believe I had installed the CA certificate in the system (Ubuntu 14.04) by the following commands.
1. cp net/tools/quic/certs/out/2048-sha256-root.pem /usr/local/share/ca-certificates/2048-sha256-root.crt
2. sudo update-ca-certificates  

I also tried to add CA certificate in the default nssdb in the path of "~/.pki/nssdb" by the following command.
1. certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "www.example.com" -i net/tools/quic/certs/out/2048-sha256-root.pem 

Is there any important step that I missed or something is wrong with my operation?

BTW:
Something is wrong with one instruction in the page https://www.chromium.org/quic/playing-with-quic.

./out/Debug/quic_server \
  --quic_in_memory_cache_dir=/tmp/quic-data/www.example.com \
  --certificate_file=net/tools/quic/certs/out/leaf_cert/cert.pem \
  --key_file=net/tools/quic/certs/out/leaf_cert/key.pkcs8

There is no path "net/tools/quic/certs/out/leaf_cert/" which is created by "generate-certs.sh".

Thanks!
Boling

Ryan Hamilton

Sep 22, 2015, 10:28:06 AM
to proto...@chromium.org
On Tue, Sep 22, 2015 at 1:15 AM, boling wang <wangb...@gmail.com> wrote:
> Hi there,
>
> I got the latest source code of Chromium and followed the steps of the link: https://www.chromium.org/quic/playing-with-quic. I got quic_server and quic_client successfully. However, I also got the following ERROR when I tried to connect from client to server.
>
> [0922/075928:ERROR:cert_verify_proc_nss.cc(922)] CERT_PKIXVerifyCert for 127.0.0.1 failed err=-8179
> [0922/075928:WARNING:proof_verifier_chromium.cc(286)] Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID
>
> I believe I had installed the CA certificate in the system (Ubuntu 14.04) by the following commands.
> 1. cp net/tools/quic/certs/out/2048-sha256-root.pem /usr/local/share/ca-certificates/2048-sha256-root.crt
> 2. sudo update-ca-certificates
>
> I also tried to add CA certificate in the default nssdb in the path of "~/.pki/nssdb" by the following command.
> 1. certutil -d sql:$HOME/.pki/nssdb -A -t TC -n "www.example.com" -i net/tools/quic/certs/out/2048-sha256-root.pem
>
> Is there any important step that I missed or something is wrong with my operation?

That error means that the CA certificate is not trusted by your OS, but I confess, I'm not familiar with how to do this on Ubuntu. I'll ask around and see if I can get more information.

> BTW:
> Something is wrong with one instruction in the page https://www.chromium.org/quic/playing-with-quic.
>
> ./out/Debug/quic_server \
>   --quic_in_memory_cache_dir=/tmp/quic-data/www.example.com \
>   --certificate_file=net/tools/quic/certs/out/leaf_cert/cert.pem \
>   --key_file=net/tools/quic/certs/out/leaf_cert/key.pkcs8
>
> There is no path "net/tools/quic/certs/out/leaf_cert/" which is created by "generate-certs.sh".

Whoops! Fixed that, thanks!

Alexander Domian

Sep 30, 2015, 7:15:33 AM
to QUIC Prototype Protocol Discussion group
Hi,

If directive OS_CHROMEOS is set, then the NSS DB path is set to "/etc/fake_root_ca/nss" - see src/crypto/nss_util.cc:68.
So the simplest way is to create the db there.


wangb...@gmail.com

Sep 30, 2015, 7:50:12 AM
to proto...@chromium.org
Hi Alexander,

Thanks for the comments. By using the latest scripts to generate keys and certificate, the QUIC server and client work with each other without any error.

BR,
Boling
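
The thread turns on whether the root CA is trusted in the NSS database that the binaries actually read. As an added example (not from any poster and not Chromium code), this shell function reads `certutil -L` output and reports whether a nickname carries the SSL `C` flag, which marks a trusted CA for server certificates. The listing is constructed sample data, and the function name and every nickname except "www.example.com" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Chromium.
# Reads `certutil -L` output on stdin and reports the SSL trust of NICKNAME:
#   trusted                  SSL field contains C (trusted CA for server certs)
#   untrusted ssl_flags=[x]  entry exists but lacks C
#   missing                  no entry with that nickname
# Real use, with the database paths mentioned in the thread:
#   certutil -d sql:$HOME/.pki/nssdb -L | nss_ssl_ca_status "www.example.com"
#   certutil -d sql:/etc/fake_root_ca/nss -L | nss_ssl_ca_status "www.example.com"
nss_ssl_ca_status() {
    awk -v want="$1" '
        # Entry rows end in a trust triple "SSL,S/MIME,JAR/XPI", e.g. "CT,,".
        # Header rows do not match this pattern and are skipped.
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            trust = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # strip the trust column
            sub(/^[ \t]+/, "", nick)               # strip leading padding
            if (nick != want) next
            found = 1
            split(trust, field, ",")
            if (field[1] ~ /C/) { print "trusted" }
            else { print "untrusted ssl_flags=[" field[1] "]" }
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Constructed sample of `certutil -L` output (not captured from a real system).
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

www.example.com                                              CT,,
Imported Without Trust                                       ,,
Valid But Not Trusted CA                                     c,,
EOF
}

sample_listing | nss_ssl_ca_status "www.example.com"   # prints: trusted
```

A result of `missing` against one database path and `trusted` against the other indicates the certificate was imported into a database the binary does not consult.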