The requested active content cannot be displayed due to execution restriction

Hi,

OAuth is working properly with a localhost CURL but not with the HOST CURL.
**Error was: 11:46:00 Failed HTTP listen at HOST:443 code (-6).**
Ex:

curl -I https://localhost/oauth/index.vsp -k -v

  • Trying ::1…
  • TCP_NODELAY set
  • connect to ::1 port 443 failed: Connection refused
  • Trying 127.0.0.1…
  • TCP_NODELAY set
  • Connected to localhost (127.0.0.1) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=localhost; emailAddress=xxx@xxxx.xx
  • start date: Sep 16 07:41:07 2022 GMT
  • expire date: Sep 16 07:41:07 2023 GMT
  • issuer: C=IT; ST=XXX; OXXX; OU=XXXX; CN=XX; emailAddress=xxx@xxxx.xx
  • SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

HEAD /oauth/index.vsp HTTP/1.1
HEAD /oauth/index.vsp HTTP/1.1
Host: localhost
User-Agent: curl/7.61.1
Accept: */*

  • TLSv1.2 (IN), TLS handshake, Hello request (0):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK

But:

curl -I https://HOST/oauth/index.vsp -k -v

  • Trying HOST…
  • TCP_NODELAY set
  • Connected to HOST (HOST) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=localhost; emailAddress=xxx@xxxx.xx
  • start date: Sep 16 07:41:07 2022 GMT
  • expire date: Sep 16 07:41:07 2023 GMT
  • issuer: C=IT; ST=XXX; OXXX; OU=XXXX; CN=XX; emailAddress=xxx@xxxx.xx
  • SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

HEAD /oauth/index.vsp HTTP/1.1
Host: HOST
User-Agent: curl/7.61.1
Accept: */*

< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

What is the reason?

Is the SSL certificate you are seeking to run the curl command against on your HOST (i.e. the machine's external hostname) not generated for use on localhost, i.e. subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=localhost; emailAddress=xxx@xxxx.xx, in which case it will only work on localhost and you need to generate a certificate specifically for use on HOST, i.e.

subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=HOST; emailAddress=xxx@xxxx.xx

for it to work, as per the following from one of our public servers with OAuth and VAL etc. set up:

$ curl -I https://linkeddata.uriburner.com/oauth/index.vsp -k -v
*   Trying 194.109.117.211...
* TCP_NODELAY set
* Connected to linkeddata.uriburner.com (194.109.117.211) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Massachusetts; L=Burlington; O=OpenLink Software Inc.; CN=linkeddata.uriburner.com
*  start date: Sep  3 00:00:00 2022 GMT
*  expire date: Sep 26 23:59:59 2023 GMT
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
> HEAD /oauth/index.vsp HTTP/1.1
> Host: linkeddata.uriburner.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Virtuoso/08.03.3326 (Linux) x86_64-generic-linux-glibc25  VDB
Server: Virtuoso/08.03.3326 (Linux) x86_64-generic-linux-glibc25  VDB
< Connection: Keep-Alive
Connection: Keep-Alive
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Date: Mon, 19 Sep 2022 11:47:49 GMT
Date: Mon, 19 Sep 2022 11:47:49 GMT
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 2059
Content-Length: 2059

< 
* Connection #0 to host linkeddata.uriburner.com left intact
$
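An added example, not part of the original thread: a small Python helper that reads `curl -v` output of the shape posted above and reports the requested host, the certificate subject CN, whether curl verified the chain, and the HTTP status. The function names and the embedded transcript are constructed for illustration.

```python
import re

# Constructed sample: trimmed `curl -I -k -v` output in the shape shown in the thread.
SAMPLE = """\
* Connected to HOST (HOST) port 443 (#0)
* Server certificate:
*  subject: C=XX; ST=XXXX; O=XXXX; OU=XXXX; CN=localhost; emailAddress=xxx@xxxx.xx
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> HEAD /oauth/index.vsp HTTP/1.1
> Host: HOST
< HTTP/1.1 403 Forbidden
"""

def cn_matches(cn, host):
    """Case-insensitive match; a leading '*.' stands for exactly one label."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def diagnose(transcript):
    """Summarise one curl -v transcript: host, certificate CN, verify result, status."""
    def grab(pattern):
        m = re.search(pattern, transcript, re.MULTILINE)
        return m.group(1).strip() if m else None

    host = grab(r"^[*•]?\s*Connected to (\S+) ")
    cn = grab(r"subject:.*?\bCN=([^;\n]+)")
    status = grab(r"^<?\s*HTTP/\d(?:\.\d)? (\d{3})")
    verify_ok = "SSL certificate verify ok" in transcript

    findings = []
    if host and cn and not cn_matches(cn, host):
        findings.append(f"certificate CN '{cn}' does not match requested host '{host}'")
    if not verify_ok:
        findings.append("chain not verified (curl continued only because of -k)")
    return {"host": host, "cn": cn, "status": int(status) if status else None,
            "verify_ok": verify_ok, "findings": findings}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

curl's verbose output prints only the subject, while clients that validate the name consult the certificate's subjectAltName entries first, so check those separately when generating the new certificate.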

Ok many thanks, I will try :slight_smile:

So @hwilliams, I still have some issues on RH 8.
With this command I found my trust certificate:

[#] trust list
pkcs11:id=%96%ff%7a%44%04%af%45%ae%32%95%06%ca%bb%1c%aa%92%57%5b%24%72;type=cert
type: certificate
label: HOST: Self-signed certificate
trust: anchor
category: other-entry

I put the certificate in CA Root Certificate

But still having the same error.
Thanks.

What is the output of running the curl command with the updated certificate with the HOST name the secure HTTPS connections are to be made on?

What are the actual certificate details, i.e. is it a self-signed or CA-signed certificate, and how are you invoking it, i.e. via the file system or Conductor import of the cert to the database?

What is the output of the Virtuoso log from time of start to when it is online, which should show if the HTTPS server is online?

Hi,

the CURL still has the same reference:

  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: C=IT; ST=XXXX; O=XXX; OU=XXX; CN=localhost; emailAddress=xxxx@xxx

Virtuoso conf:

Via conductor IMPORT
10:01:02 HTTPS server online at :443
10:01:02 Server online at 1111 (pid 116121)

Certificate:

Probably found the issue but I don't understand…
For https://linkeddata.uriburner.com:

Attributes Values
Type * RSA Public Key
modulus * d3410cc8fa13c30b5120471fab31cee1217cc09ba9a1692562a39712e5acd3c081906710fab32582bbaa536c2d2b8b3c760401af85683a6dd6cc1bc5df79cf88f88ba8bffbb69a410e79f4cbf520ee1f91890e9a4449fc65f64354017d22e98b6213d0443ff2494add2c411c74178b1a79c5b284934c4cd9cf69dd6c9f58569d9a57ca75a45fb8297ca4513c9fe955e6d9a9d674289992019a3427cef01d3190fd7a8783b51d291fd26b56e82961cc7169acf0497bb7b53cbf8798ce826e53ed838fa1752a103fe7e9e4717f5fac2bac55b842e28479b6b49cd3062071a3cfaba6cb54f581eca3560ab1c5a1e6fa27d5b1ee37ae4f4d3eacb458c636ea8787e1
exponent * 65537(xsd:int)
is key of * http://linkeddata.uriburner.com/issuer/key/dba/id_rsa#this
is hasPublicKey of * /C=US/ST=Massachusetts/O=OpenLink Software/OU=URIBurner Service/CN=linkeddata.uriburner.com/emailAddress=support@openlinksw.com

But for my HOST:

Attributes Values
rdf:type * cert:RSAPublicKey
cert:modulus *

Why so many keys??? Also delete test keys??

Why in your curl output is the CN still localhost, i.e. subject: C=IT; ST=XXXX; O=XXX; OU=XXX; CN=localhost; emailAddress=xxxx@xxx, as I would expect it to be the `HOST` name you are seeking to access it on.

I don’t understand what these Attributes and Values are for your key above, which is apparently a self-signed certificate, which I would not expect to have so many attribute values. How are you generating that output?

Hi @hwilliams,

these values are related to the SAN(URI) field of the Public Key Infrastructure Virtuoso TAB, from this URI:
http://HOST:8890/describe/?url=http://HOST:8890/issuer/key/dba/id_rsa#this

This is the screen :slight_smile:

Hi @hwilliams,

finally I solved the problem by making a new instance of Virtuoso… Now it is working, but I think there is something that must be verified under Virtuoso.