I had to use Oracle UTL_HTTP to access an HTTPS site.
The site uses diacritical letters (öäüõ) in the certificate organization name. The site was https://ariregister.rik.ee/ where the subject was:
CN = *.rik.ee, O = Registrite ja infosüsteemide Keskus, L = Tallinn, C = EE
Typically I have added all certificates in the path as trusted root certs into the Oracle wallet.
In this case, there were three certificates in the path, so I exported them as:
- *.rik.ee to arireg1.cer
- DigiCert SHA2 High Assurance Server CA to arireg2.cer
- DigiCert High Assurance EV Root CA to arireg3.cer
And imported them into the Oracle wallet:
orapki wallet add -wallet /u01/app/oracle/admin/MYSID/xdb_wallet/ -trusted_cert -cert "/tmp/arireg1.cer" -pwd XXXXXX
orapki wallet add -wallet /u01/app/oracle/admin/MYSID/xdb_wallet/ -trusted_cert -cert "/tmp/arireg2.cer" -pwd XXXXXX
orapki wallet add -wallet /u01/app/oracle/admin/MYSID/xdb_wallet/ -trusted_cert -cert "/tmp/arireg3.cer" -pwd XXXXXX
Used this way, it has worked for me before. But not this time!
With UTL_HTTP I got a certificate validation error:
ORA-29024: Certificate validation failure
orapki displays:
orapki wallet display -wallet /u01/app/oracle/admin/MYSID/xdb_wallet/ -detailed
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject:        CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Issuer:         CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Serial Number:  04:E1:E7:A4:DC:5C:F2:F3:6D:C0:2B:42:B8:5D:15:9F
Key Length      2048
MD5 digest:     AA:EE:5C:F8:B0:D8:59:6D:2E:0C:BE:67:42:1C:F7:DB
SHA digest:     A0:31:C4:67:82:E6:E6:C6:62:C2:C8:7C:76:DA:9A:A6:2C:CA:BD:8E
Subject:        CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Issuer:         CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Serial Number:  02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77
Key Length      2048
MD5 digest:     D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A
SHA digest:     5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
Subject:        CN=*.rik.ee,O=Registrite ja infosĆ¼steemide Keskus,L=Tallinn,C=EE
Issuer:         CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Serial Number:  09:2B:5F:E2:CC:EB:C5:26:81:99:91:3F:9B:55:1F:8F
Key Length      2048
MD5 digest:     5B:2E:D6:67:DD:C8:46:20:F6:6E:6C:3E:52:0F:F6:1D
SHA digest:     E8:DA:53:57:C5:6F:3D:5D:EB:4E:EA:49:71:C3:72:A5:94:97:D6:67
I struggled a whole day with no solution. The bad thing is that Oracle does not give any additional trace information about what is wrong with the cert. As other sites were working OK this way, the diacritical letters became suspects.
I also tested with:
openssl s_client -connect ariregister.rik.ee:443 -tls1 -showcerts
Finally I learned that the site certificate doesn't have to be in the wallet (only the root certificates must be), so I decided to remove the site certificate (the one with diacritical letters) from the wallet.
Cleared the wallet:
orapki wallet remove -wallet /u01/app/oracle/admin/MYSID/xdb_wallet/ -trusted_cert_all -pwd XXXXXX
Added only the 2 upper-level certificates (and not the leaf cert "arireg1.cer"):
orapki wallet add -wallet /u01/app/oracle/admin/MYSID/xdb_wallet/ -trusted_cert -cert "/tmp/arireg2.cer" -pwd XXXXXX
orapki wallet add -wallet /u01/app/oracle/admin/MYSID/xdb_wallet/ -trusted_cert -cert "/tmp/arireg3.cer" -pwd XXXXXX
After that, it started working!
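To reproduce the end state of the procedure above offline, here is an added example (not from the original post) that builds a throwaway three-level chain with openssl, gives the leaf an O with öäüõ in it, and then validates the leaf against a trust store that holds only the two CA certificates, which is what the wallet ended up containing. All names and paths are made up; it assumes openssl is in PATH.

```shell
set -e
WORK=$(mktemp -d)                          # throwaway working dir
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.demo.example\n' > leaf.ext

# 1. Root CA (self-signed): the "DigiCert High Assurance EV Root CA" slot (arireg3.cer).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA/O=Demo/C=EE" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 2 \
  -extfile ca.ext -out root.cer 2>/dev/null

# 2. Intermediate CA signed by the root: the "SHA2 High Assurance Server CA" slot (arireg2.cer).
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA/O=Demo/C=EE" 2>/dev/null
openssl x509 -req -in int.csr -CA root.cer -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out int.cer 2>/dev/null

# 3. Leaf with diacritics in O (the arireg1.cer slot). -utf8 stores the value as a UTF8String.
openssl req -new -utf8 -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.demo.example/O=Demo infosüsteemide Keskus öäüõ/C=EE" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.cer -CAkey int.key -CAcreateserial -days 2 \
  -extfile leaf.ext -out leaf.cer 2>/dev/null

# Trust store holding only the two CA certificates; the leaf is deliberately left out,
# exactly as the wallet was filled in the end.
cat int.cer root.cer > ca-only.pem

verify_with_ca_only() {     # prints "leaf.cer: OK" when the chain validates
  openssl verify -CAfile ca-only.pem leaf.cer
}
verify_with_root_only() {   # root as the only trust anchor; the intermediate is passed as
  openssl verify -CAfile root.cer -untrusted int.cer leaf.cer   # untrusted, as a server sends it
}
leaf_subject() {            # decode the subject as UTF-8 so the O shows up without mojibake
  openssl x509 -in leaf.cer -noout -subject -nameopt utf8,sep_comma_plus
}
verify_with_ca_only
verify_with_root_only
leaf_subject
```

Both verify calls succeed without the leaf ever being trusted; if the intermediate is dropped from both the trust store and the -untrusted list, verify fails with "unable to get local issuer certificate", which is the case a wallet holding only the root would hit if the server did not send its intermediate.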
Conclusions
- I am not entirely sure that the diacritical letters were the reason. But other sites (without diacritical letters in the O name) were working OK.
- I wonder what would happen if some trusted root certificate issuer had diacritical letters in its name?
- Got the problem solved, as the site certificate itself does not have to be in the wallet.