
I have Perl code that sends a SOAP request through SOAP::Lite like this:

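```perl
use SOAP::Lite;

# Call the remote function over HTTPS; eval traps the die that SOAP::Lite
# raises on a transport error.
eval
{
  $sresp = SOAP::Lite
    ->uri('http://machine/key')
    ->proxy('https://usr:pwd@website.com/addr/addr/remotescript.pl')
    ->remotescript_pl_function(@parms, $gmtime);
};
if ($@)
{
  print $@;
}
```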

After the existing certificate for *.website.com was replaced, I am not getting valid responses anymore. I am getting:

```
500 Can't connect to website.com:443 at localscript.pl line 123.
```

If I enable

```perl
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
```

everything works. But I would like to verify the SSL hostname. How can I do that, or track down the problem? (I am a little lost in this proxying.)

I have C++ code with libcurl that goes along the same lines and works well. Entering https://website.com into a browser works fine. Entering http://machine (machine is on the local network) works.

edit 1:

Both `perl -MIO::Socket::SSL=debug4 yourscript.pl` and `analyze-ssl.pl` from p5-ssl-tools show error message 1416F086, which led me to the information that the SSL certificate has "Chain issues" that have to be fixed in the certificate installation.

edit 2:

After fixing the certificate, the error is gone! Perfect, solved!

MiroJanosik
  • Have you checked that [Mozilla::CA](https://metacpan.org/pod/Mozilla::CA) is up-to-date on your machine? Have you verified that the certificate on the remote end is actually a valid certificate (for example by using a web browser to connect to the remote endpoint)? – Corion Jan 29 '19 at 13:20
  • Updated Mozilla::CA to the latest, 20180117, and the result is the same. How do I form the web browser URL to connect to the remote endpoint? If I enter https://usr:pwd@website.com into the browser, the browser shows that the certificate there is valid. – MiroJanosik Jan 29 '19 at 13:36
  • I would check what Perl thinks about the certificate using the [p5-ssl-tools](https://github.com/noxxi/p5-ssl-tools), especially `analyze-ssl.pl`. – Corion Jan 29 '19 at 13:45
  • Please run your script with `perl -MIO::Socket::SSL=debug4 yourscript.pl` so that it shows you the problems it faces with SSL in more detail. Add the output of it to your question. – Steffen Ullrich Jan 29 '19 at 20:56
  • Thank you both, both approaches return the same error: `SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed`. This points me to: https://stackoverflow.com/questions/49308744/telegram-bot-ssl-error-ssl-error-error1416f086ssl-routinestls-process-serve where I found that I too have "Chain issues Incomplete". So we have to fix the certificate on our server. – MiroJanosik Jan 30 '19 at 08:30

1 Answer

Here is the solution mentioned in the comments by Corion and Steffen Ullrich:

Running either:

  1. the [p5-ssl-tools](https://github.com/noxxi/p5-ssl-tools) script `analyze-ssl.pl`
  2. `perl -MIO::Socket::SSL=debug4 yourscript.pl`

displayed the same error: `SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed`. This pointed me to: [telegram bot SSL error: SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}](https://stackoverflow.com/questions/49308744/telegram-bot-ssl-error-ssl-error-error1416f086ssl-routinestls-process-serve) where I found that I too have "Chain issues Incomplete".

After fixing the certificate, the error is gone.

MiroJanosik
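The "Chain issues: Incomplete" condition from this thread can be reproduced offline. The following is an added example, not part of the original post: it builds a constructed root, intermediate and leaf certificate with the `openssl` command line and shows that a client trusting only the root rejects a server bundle that omits the intermediate and accepts the full chain. All subjects, file names and function names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every key, subject and path here is made up.

# issue DIR NAME SUBJECT EXTFILE [ISSUER]: write NAME.key and NAME.pem to DIR,
# self-signed when ISSUER is omitted, otherwise signed by ISSUER.pem/ISSUER.key.
issue() {
  d=$1; name=$2; subj=$3; ext=$4; issuer=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    set -- -signkey "$d/$name.key"
  else
    set -- -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$d/$name.csr" -days 2 -extfile "$d/$ext" \
    -out "$d/$name.pem" "$@" 2>/dev/null
}

# make_chain DIR: root CA -> intermediate CA -> leaf for *.website.com, plus
# the two bundles a server could be configured to send in the handshake.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.website.com\n' > "$1/leaf.ext"
  issue "$1" root '/CN=Demo Root CA' ca.ext &&
  issue "$1" int '/CN=Demo Intermediate CA' ca.ext root &&
  issue "$1" leaf '/CN=*.website.com' leaf.ext int &&
  cp "$1/leaf.pem" "$1/served-incomplete.pem" &&
  cat "$1/leaf.pem" "$1/int.pem" > "$1/served-fullchain.pem"
}

# verify_served DIR BUNDLE: validate the leaf while trusting only the root and
# using only the certificates in BUNDLE to build the path.
verify_served() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem" 2>&1
}

tmp=$(mktemp -d) && make_chain "$tmp" || exit 1
for bundle in served-incomplete.pem served-fullchain.pem; do
  if out=$(verify_served "$tmp" "$bundle"); then
    echo "$bundle: chain verifies"
  else
    printf '%s: verification FAILED\n%s\n' "$bundle" "$out"
  fi
done
rm -rf "$tmp"
```

Against a live server, `openssl s_client -connect website.com:443 -servername website.com -showcerts </dev/null` lists the certificates the server actually sends; if only the leaf appears there, the intermediate is missing from the server's certificate installation.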