The requested active content cannot be displayed due to execution restriction

Hi,

the Oauth is working properly with a localhost CURL but not with the HOST CURL
**Error was: 11:46:00 Failed HTTP listen at HOST:443 code (-6). **
Ex:

curl -I https://localhost/oauth/index.vsp -k -v

  • Trying ::1…
  • TCP_NODELAY set
  • connect to ::1 port 443 failed: Connection refused
  • Trying 127.0.0.1…
  • TCP_NODELAY set
  • Connected to localhost (127.0.0.1) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=localhost; emailAddress=xxx@xxxx.xx
  • start date: Sep 16 07:41:07 2022 GMT
  • expire date: Sep 16 07:41:07 2023 GMT
  • issuer: C=IT; ST=XXX; OXXX; OU=XXXX; CN=XX; emailAddress=xxx@xxxx.xx
  • SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

HEAD /oauth/index.vsp HTTP/1.1
HEAD /oauth/index.vsp HTTP/1.1
Host: localhost
User-Agent: curl/7.61.1
Accept: /

  • TLSv1.2 (IN), TLS handshake, Hello request (0):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK

But:

curl -I https://HOST/oauth/index.vsp -k -v

  • Trying HOST…
  • TCP_NODELAY set
  • Connected to HOST (HOST) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=localhost; emailAddress=xxx@xxxx.xx
  • start date: Sep 16 07:41:07 2022 GMT
  • expire date: Sep 16 07:41:07 2023 GMT
  • issuer: C=IT; ST=XXX; OXXX; OU=XXXX; CN=XX; emailAddress=xxx@xxxx.xx
  • SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

HEAD /oauth/index.vsp HTTP/1.1
Host: HOST
User-Agent: curl/7.61.1
Accept: /

< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

What is the reason ?

Is your SSL certificate you are seeking run the curl command on against your HOST (ie machine external hostname) not generated for use on localhost ie subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=localhost; emailAddress=xxx@xxxx.xx in which case it will only work on localhost and you need to generate a certificate specifically for use on HOST ie

subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=HOST; emailAddress=xxx@xxxx.xx

for it to work , as per the following from one of our public servers with OAuth and VAL etc setup:

$ curl -I https://linkeddata.uriburner.com/oauth/index.vsp -k -v
*   Trying 194.109.117.211...
* TCP_NODELAY set
* Connected to linkeddata.uriburner.com (194.109.117.211) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Massachusetts; L=Burlington; O=OpenLink Software Inc.; CN=linkeddata.uriburner.com
*  start date: Sep  3 00:00:00 2022 GMT
*  expire date: Sep 26 23:59:59 2023 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
> HEAD /oauth/index.vsp HTTP/1.1
> Host: linkeddata.uriburner.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Virtuoso/08.03.3326 (Linux) x86_64-generic-linux-glibc25  VDB
Server: Virtuoso/08.03.3326 (Linux) x86_64-generic-linux-glibc25  VDB
< Connection: Keep-Alive
Connection: Keep-Alive
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Date: Mon, 19 Sep 2022 11:47:49 GMT
Date: Mon, 19 Sep 2022 11:47:49 GMT
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 2059
Content-Length: 2059

< 
* Connection #0 to host linkeddata.uriburner.com left intact
$

Ok many thanks, I will try :slight_smile:

So @hwilliams , I have still some issue, on RH 8:
With command I found my trust certificate:

[#] trust list
pkcs11:id=%96%ff%7a%44%04%af%45%ae%32%95%06%ca%bb%1c%aa%92%57%5b%24%72;type=cert
type: certificate
label: HOST: Self-signed certificate
trust: anchor
category: other-entry

I put the certificate in CA Root Certificate

But still having the same error.
Thanks.

What is the output of running the curl command with the updated certificate with the HOST name the secure HTTPS connections are to be made on ?

What are the actual certificate details ie is it self signed or CA signed certificate and how are you invoking it ie via file system or Conductor import of the cert to the database ?

What is the output of the Virtuoso log from time of start to when it is online, which should show if the HTTPS server is online ?

Hi,

the CURL still have the same reference:

  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: C=IT; ST=XXXX; O=XXX; OU=XXX; CN=localhost; emailAddress=xxxx@xxx

Virtuoso conf:

Via conductor IMPORT
10:01:02 HTTPS server online at :443
10:01:02 Server online at 1111 (pid 116121)

Certificate:

Probably found the issue but I dont understand…
For https://linkeddata.uriburner.com:

Attributes Values
Type * RSA Public Key
modulus * d3410cc8fa13c30b5120471fab31cee1217cc09ba9a1692562a39712e5acd3c081906710fab32582bbaa536c2d2b8b3c760401af85683a6dd6cc1bc5df79cf88f88ba8bffbb69a410e79f4cbf520ee1f91890e9a4449fc65f64354017d22e98b6213d0443ff2494add2c411c74178b1a79c5b284934c4cd9cf69dd6c9f58569d9a57ca75a45fb8297ca4513c9fe955e6d9a9d674289992019a3427cef01d3190fd7a8783b51d291fd26b56e82961cc7169acf0497bb7b53cbf8798ce826e53ed838fa1752a103fe7e9e4717f5fac2bac55b842e28479b6b49cd3062071a3cfaba6cb54f581eca3560ab1c5a1e6fa27d5b1ee37ae4f4d3eacb458c636ea8787e1
exponent * 65537(xsd:int)
is key of * http://linkeddata.uriburner.com/issuer/key/dba/id_rsa#this
is hasPublicKey of * /C=US/ST=Massachusetts/O=OpenLink Software/OU=URIBurner Service/CN=linkeddata.uriburner.com/emailAddress=support@openlinksw.com

But for my HOST:

Attributes Values
rdf:type * cert:RSAPublicKey
cert:modulus * e9f2c33efa39d011201ecf09b6cf46e8552589ddaa6eec71151b45e960c533fbd615c7dd5d1b680d18044460c45c108f119442f9f83fc57eee8edae74d6910b74fe71e1a10e1f7aa0fd2da18e3f6a78e37224e31890e423c3c3ae7ee1d89bdd6275db4c63301aec37cd0a3235eaffc62dd27296ec78a3980cd05f9666899a3082bb9dfecc839e5bfab45f0bd55194206c9db68280b50364891d92062fd560fb4d73c2bd4e4faf37d5ae01afd3b337bac9f807c43865b6df6e6f27cd46364c041d72c2ad2e45af93b3df27226cbb7e9a440299fc7ee9251e974903f6cf5c035fd2498fa2ef3cff75eb9b902fc102a2542a342aafc311244dae93cd7f3f9b053c9

Why some many keys ??? Also delete test keys ??

Why in you curl output the CN still localhost ie subject: C=IT; ST=XXXX; O=XXX; OU=XXX; CN=localhost; emailAddress=xxxx@xxx, as I would expect it to be theHOST` name you are seeking to access it on.

I don’t understand what are these Attributes and Values for you key above, which is apparently a self signed certificate, which I would not expect to have so many attribute values, how are you generating that output ?

Hi @hwilliams,

this values are related to the SAN(URI) field of the Public Key Infrastructure Virtuoso TAB, from thi URI:
http://HOST:8890/describe/?url=http://HOST:8890/issuer/key/dba/id_rsa#this

This the screen :slight_smile: