DevSecOps

SSL Certificate Errors: Complete Troubleshooting Guide

Nicu Constantin
6 min read
#ssl#tls#certificates#https#troubleshooting

SSL/TLS certificate errors can break applications and block deployments. This guide covers the common certificate problems and their solutions.

Error: Certificate Has Expired

Symptom:

curl: (60) SSL certificate problem: certificate has expired
javax.net.ssl.SSLHandshakeException: Certificate expired
NET::ERR_CERT_DATE_INVALID

Solution 1 - Check the expiry date:

# Check the certificate's validity dates (echo closes stdin so s_client exits after the handshake)
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Or with curl
curl -vI https://example.com 2>&1 | grep -i "expire"

# Check a local certificate file
openssl x509 -enddate -noout -in /path/to/cert.pem
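An added example, not part of the original guide: a small monitoring check that parses the notBefore/notAfter lines printed by the -dates command above and reports how close the certificate is to expiry. The sample output is constructed, and the 30-day warning threshold (certbot's default renewal window) and the function names are my own assumptions.

```python
"""Monitoring check built on the output of `openssl x509 -noout -dates`."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what the -dates command prints (not from a real cert).
SAMPLE_DATES_OUTPUT = """\
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 23:59:59 2024 GMT
"""

# openssl prints ASN.1 times in this fixed layout (single-digit day padded with a space).
OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def utc(year: int, month: int, day: int) -> datetime:
    """Helper: a timezone-aware UTC midnight for the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_dates(output: str) -> tuple[datetime, datetime]:
    """Parse the notBefore/notAfter lines into timezone-aware UTC datetimes."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_TIME_FORMAT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("notBefore/notAfter not found in openssl output")
    return fields["notBefore"], fields["notAfter"]


def check_validity(output: str, now: datetime, warn_days: int = 30) -> tuple[str, int]:
    """Return (state, days_remaining); state is OK, WARN, EXPIRED or NOT_YET_VALID.
    With warn_days=30 (certbot's default renewal window, an assumption here) a WARN
    means the renewal job should already have run, so it is probably stalled."""
    not_before, not_after = parse_dates(output)
    days_left = (not_after - now).days
    if now < not_before:
        return "NOT_YET_VALID", days_left
    if now >= not_after:
        return "EXPIRED", days_left
    if not_after - now <= timedelta(days=warn_days):
        return "WARN", days_left
    return "OK", days_left


if __name__ == "__main__":
    # In a cron job, feed in the real command output instead of the sample:
    # subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path], ...)
    state, days = check_validity(SAMPLE_DATES_OUTPUT, datetime.now(timezone.utc))
    print(f"{state}: {days} days remaining")
```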

Solution 2 - Renew with Let's Encrypt:

# Using certbot
sudo certbot renew

# Force renewal
sudo certbot renew --force-renewal

# Dry run, no real renewal
sudo certbot renew --dry-run

# After renewing, reload the services
sudo systemctl reload nginx

Solution 3 - Configure auto-renewal:

# Cron job for auto-renewal
echo "0 0,12 * * * root certbot renew --quiet" | sudo tee /etc/cron.d/certbot

# systemd timer (preferred)
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

Error: Self-Signed Certificate Not Trusted

Symptom:

SSL certificate problem: self-signed certificate
unable to verify the first certificate
DEPTH_ZERO_SELF_SIGNED_CERT

Solution 1 - Add the CA to the trust store:

# Linux (Ubuntu/Debian)
sudo cp custom-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Linux (CentOS/RHEL)
sudo cp custom-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

# macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain custom-ca.crt

Solution 2 - Configure the application:

# curl - specify the CA bundle
curl --cacert /path/to/ca-bundle.crt https://internal-server.local

# Node.js
export NODE_EXTRA_CA_CERTS=/path/to/ca.pem

# Python requests
export REQUESTS_CA_BUNDLE=/path/to/ca-bundle.crt

# Python with a custom CA
import requests
response = requests.get('https://internal.local', verify='/path/to/ca.crt')

# Or disable verification (NOT for production!)
response = requests.get('https://internal.local', verify=False)

Solution 3 - Docker with a custom CA:

FROM python:3.12

# Add the custom CA certificate to the system trust store
COPY custom-ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# Node.js needs an explicit path
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/custom-ca.crt

# Python requests ships its own bundle (certifi) and ignores the system store
# unless pointed at the merged bundle that update-ca-certificates writes
ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Error: Hostname Mismatch

Symptom:

SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed: Hostname mismatch
The certificate is not valid for the requested host
NET::ERR_CERT_COMMON_NAME_INVALID

Cause: the certificate was issued for a different domain name.

Solution 1 - Check the certificate's domain names:

# List the certificate's SANs (Subject Alternative Names)
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

# Full certificate details
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -text

Solution 2 - Issue a certificate with the correct names:

# Let's Encrypt with multiple domains
sudo certbot certonly --nginx \
  -d example.com \
  -d www.example.com \
  -d api.example.com

# Self-signed with SAN
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 \
  -nodes -keyout server.key -out server.crt \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:*.example.com"
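An added example, not part of the original guide: how a TLS client matches the requested hostname against the certificate's SAN list (RFC 6125 rules), which is what decides whether you get a hostname mismatch. The input is a constructed copy of the SAN line the grep command above would print for the self-signed certificate generated here; function names are my own.

```python
"""Hostname vs. SAN matching as a TLS client performs it (RFC 6125 rules)."""
import re

# Constructed sample: the two lines that `grep -A1 "Subject Alternative Name"`
# prints for the self-signed certificate generated above (not real output).
SAMPLE_SAN_OUTPUT = """\
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:*.example.com
"""


def parse_san_dns_names(openssl_text: str) -> list[str]:
    """Extract the DNS: entries from `openssl x509 -text` output, lower-cased."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry. A wildcard is only allowed as the entire leftmost
    label and stands in for exactly one label: *.example.com covers
    api.example.com but neither example.com nor deep.api.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # no wildcard: exact match only
    if "*" in pattern[1:]:
        return False                        # *.*.example.com is not a valid pattern
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or h_labels[0] == "":
        return False                        # refuse *.com style patterns
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """True when any SAN entry covers the requested hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def diagnose(hostname: str, openssl_text: str) -> str:
    """One-line verdict explaining a CERTIFICATE_VERIFY_FAILED hostname error."""
    names = parse_san_dns_names(openssl_text)
    if hostname_matches(hostname, names):
        return f"OK: {hostname} is covered by SAN {names}"
    return f"MISMATCH: {hostname} is not covered by SAN {names}; reissue with -d {hostname}"


if __name__ == "__main__":
    for host in ("example.com", "api.example.com", "deep.api.example.com"):
        print(diagnose(host, SAMPLE_SAN_OUTPUT))
```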

Error: Incomplete Certificate Chain

Symptom:

unable to get local issuer certificate
SSL certificate problem: unable to get issuer certificate
The certificate chain is incomplete

Solution 1 - Include the intermediate certificates:

# Download the intermediate certificate from the CA (the URL here is Let's Encrypt's
# R3; use the intermediate that actually signed your certificate)
wget -O intermediate.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem

# Concatenate in the correct order: server certificate first, then the intermediates
cat server.crt intermediate.crt > fullchain.crt

# Verify the chain (openssl verify only checks the first certificate in a file,
# so pass the intermediates separately as untrusted)
openssl verify -CAfile ca-bundle.crt -untrusted intermediate.crt server.crt

Solution 2 - Check that the chain is complete:

# Online tool
# https://www.ssllabs.com/ssltest/

# CLI check
echo | openssl s_client -connect example.com:443 -showcerts

# You should see multiple certificates in the output (server plus intermediates)

Solution 3 - Nginx configuration:

server {
    listen 443 ssl;
    server_name example.com;

    # The full chain, not just the server certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

Error: Unsupported TLS Version

Symptom:

SSL routines:ssl3_get_record:wrong version number
tlsv1 alert protocol version
sslv3 alert handshake failure

Solution 1 - Check the supported TLS versions:

# Test TLS 1.2
echo | openssl s_client -connect example.com:443 -tls1_2

# Test TLS 1.3
echo | openssl s_client -connect example.com:443 -tls1_3

# Show the negotiated protocol
curl -v https://example.com 2>&1 | grep "SSL connection"

Solution 2 - Configure the server for modern TLS:

# Nginx - TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

Solution 3 - Client configuration:

# Python - require TLS 1.2 or newer
import ssl
import urllib.request

ctx = ssl.create_default_context()
ctx.minimum_version = ssl.TLSVersion.TLSv1_2

response = urllib.request.urlopen('https://example.com', context=ctx)

// Node.js - require TLS 1.2 or newer
const https = require('https');
const agent = new https.Agent({
  minVersion: 'TLSv1.2'
});
https.get('https://example.com', { agent }, (res) => console.log(res.statusCode));

Error: Certificate Revoked

Symptom:

certificate revoked
NET::ERR_CERT_REVOKED
SSL_ERROR_REVOKED_CERT_ALERT

Solution 1 - Check the revocation status:

# Get the OCSP responder URL from the certificate
openssl x509 -in cert.pem -noout -ocsp_uri

# Query the OCSP status (use the URL printed above; chain.pem holds the issuer certificate)
openssl ocsp -issuer chain.pem -cert cert.pem \
  -url http://ocsp.example.com -resp_text

Solution 2 - Issue a new certificate:

# Revoked certificates cannot be un-revoked
# Generate a new CSR and request a new certificate
# (if the revocation was due to key compromise, generate a new private key as well)
openssl req -new -key server.key -out new-server.csr

# Request it from the CA or from Let's Encrypt
sudo certbot certonly --nginx -d example.com

Error: Private Key Mismatch

Symptom:

SSL_CTX_use_PrivateKey_file failed
key values mismatch
(SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Solution - Verify that the key matches the certificate:

# Get the modulus from the certificate
openssl x509 -noout -modulus -in cert.pem | openssl md5

# Get the modulus from the private key
openssl rsa -noout -modulus -in key.pem | openssl md5

# These MD5 hashes must be identical!

# -modulus only works for RSA keys; for any key type compare the public keys instead
openssl x509 -noout -pubkey -in cert.pem | openssl md5
openssl pkey -pubout -in key.pem | openssl md5

Regenerate a matching pair if necessary:

# Generate a new private key
openssl genrsa -out new-server.key 4096

# Create a CSR
openssl req -new -key new-server.key -out new-server.csr

# Self-sign, or send the CSR to the CA
openssl x509 -req -days 365 -in new-server.csr \
  -signkey new-server.key -out new-server.crt

Common Service Configurations

Nginx:

server {
    listen 443 ssl http2;
    server_name example.com;
 
    ssl_certificate /etc/ssl/certs/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
 
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
 
    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
}

Apache:

<VirtualHost *:443>
    ServerName example.com
 
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/chain.crt
 
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder off
</VirtualHost>

Quick Reference: Troubleshooting Commands

| Action | Command |
|--------|---------|
| Check expiry | openssl x509 -enddate -noout -in cert.pem |
| View certificate | openssl x509 -text -noout -in cert.pem |
| Test connection | openssl s_client -connect host:443 |
| Verify chain | openssl verify -CAfile ca.crt cert.pem |
| Check key match | openssl x509 -modulus -noout -in cert.pem \| openssl md5 |
| Download certificate | echo \| openssl s_client -connect host:443 2>/dev/null \| openssl x509 > cert.pem |
