
how to fix https openid error

I am using local https protocol and a fake certificate.

When using django-openid-auth, it gives me this error:

OpenID failed

OpenID discovery error: Error fetching XRDS document: (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

How can I fix this?

sdnaghdi asked Apr 27 '13 10:04


1 Answer

In my experience, in most cases the validators are picky on self-signed certificates.

In general, when using "fake" certificates you should always take the extra step and create a fake CA and sign the fake cert with the CA. If nothing else, this makes your testing be more like a real life scenario.

Here are brief instructions on how to do this with OpenSSL:

  1. Create a CA (self signed):
     openssl req -x509 -new -out ca.crt -keyout ca.key -days 3650
  2. Create a server key and CSR:
     openssl req -out server.csr -pubkey -new -keyout server.secure.key
  3. Take off the passphrase:
     openssl rsa -in server.secure.key -out server.key
  4. Sign the server certificate with the CA:
     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1825
  5. For further certificates, use the existing serial number:
     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out server.crt -days 1825

Whenever you have problems with any SSL (not just HTTPS) - use raw openssl to debug by doing

openssl s_client -connect <hostname>:<portnumber> <options>

e.g.

openssl s_client -connect localhost:443 -CAfile myfakeca.pem

This usually saves you a lot of trouble figuring out problems with your actual certificates that actually have nothing to do with your code.

Kimvais answered Oct 20 '22 23:10
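A non-interactive version of steps 1 to 4 with an offline chain check, as an added example that is not part of the original answer. The function names, file names and subject names are assumptions, and the subjectAltName extension and the `-nodes` option go beyond the listed steps.

```shell
#!/bin/sh
# Added example; file names and subject names are constructed.

# make_test_pki DIR: build a throwaway CA and a CA-signed cert for localhost.
make_test_pki() {
    d=$1
    mkdir -p "$d" || return 1
    # Own minimal config, so the result does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Current TLS clients match the host name against subjectAltName, not CN.
    echo 'subjectAltName = DNS:localhost,IP:127.0.0.1' > "$d/server.ext"
    # Step 1: self-signed CA. -nodes leaves the key unencrypted (test use only).
    openssl req -x509 -new -nodes -newkey rsa:2048 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" -days 3650 2>/dev/null || return 1
    # Steps 2 and 3 combined: server key without passphrase, plus CSR.
    openssl req -new -nodes -newkey rsa:2048 -config "$d/ca.cnf" \
        -subj "/CN=localhost" -keyout "$d/server.key" -out "$d/server.csr" \
        2>/dev/null || return 1
    # Step 4: sign the CSR with the CA and attach the SAN extension.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" -days 1825 \
        2>/dev/null || return 1
}

# verify_with_ca CAFILE CERT: succeed only if CERT chains to CAFILE.
verify_with_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# has_localhost_san CERT: succeed if the certificate carries DNS:localhost.
has_localhost_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'DNS:localhost'
}

# Usage:
#   make_test_pki ./testpki
#   verify_with_ca ./testpki/ca.crt ./testpki/server.crt && echo "chain OK"
```

A certificate signed this way still fails verification in any client whose CA file does not contain `ca.crt`, which is the situation in the error quoted in the question.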