Intermittent Curl 35 error when using a self-signed certificate on Tomcat

We use a self-signed certificate behind a range of load balancers, endpoints use self-signed certificates.

When testing endpoints directly using CURL, we get intermittent SSL connection errors (Code 35)

Here is an example of exit from a failed attempt:

curl –insecure

  • Try 9773 …
  • TCP_NODELAY defined
  • Connected to the port example73 ( 9773 (# 0)
  • ALPN, offering h2
  • ALPN, offering http / 1.1
  • correctly define the certificate verification locations:
  • CAfile: /etc/ssl/cert.pem CApath: none
  • TLSv1.2 (OUT), TLS contact, hello customer (1):
  • TLSv1.2 (IN), TLS negotiation, hello from the server (2):
  • TLSv1.2 (IN), TLS negotiation, certificate (11):
  • TLSv1.2 (IN), TLS negotiation, server key exchange (12):
  • TLSv1.2 (IN), TLS contact, server finished (14):
  • TLSv1.2 (OUT), TLS negotiation, customer key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS contact, finished (20):
  • LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection with
  • Connection closed 0 curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL connecting to

Is it due to a bad configuration? Server performance problem? Network?

The server is Tomcat 8.

Command used to create the certificate:

openssl req -x509 -newkey rsa:4096 -nodes -keyout private.pem -out public.crt -days 365 -subj '/'

The associated Tomcat SSL configuration:


Outlook 2007 – Macros with self-signed certificate are still disabled

I'm trying to enable macros using a self-signed certificate in Outlook 2007, but Outlook continues to block execution, no matter what.

First of all, I followed – It did not work.

Then I tried which is pretty much the same thing, always to no avail.

I also exported the certificate, re-imported it, added to approved publishers and in the desktop options I can see the certificates (both) in the list of approved publishers. I signed the macros of course, I saved them, restarted, even restarted the PC, but the macro still doesn't run as if it was unsigned. I checked the certificate, it is valid and everything, it is selectable in the tools – digital signature. To me, it sounds like everything it is supposed to be, but Outlook has decided that something is wrong.
Is there anything else I should do?

Self-signed SSL certificates vs CA-signed certificates

While reading about the certificates, I came across this article. It says:

The purpose of a certificate signed by a certification authority is to provide a slightly stronger verification that you are actually using the key that belongs to the server you are trying to connect to.

How exactly does CA guarantee stronger verification?

When trying to find an answer to this, I found that answer. The fifth paragraph mentions:

Once you have obtained the certificate, you will want to verify that it is the correct one. You can see in the certificate that it was issued by a certification authority. If you have the CA key, you can verify the signature.

What does that mean? Anyone who tries to access any site with a certificate signed by a CA will have this universal CA key? If so, isn't it dangerous in any way? If not, how do you verify that it is not a "spoofed" certificate from the certification authority?

(I would appreciate an in-depth explanation of the actual operation of certificates signed by a certification authority.)

x.509 – RDP with self-signed certificate requiring password before launching display

I noticed that the Shodan search engine retrieves screenshots from hosts running an RDP service, even if they offer a certificate.

To my knowledge, the certificate is used to authenticate the server and encrypt the traffic sent and received (exactly as they are used in HTTPS), and therefore should not be relevant for the protection of hosts exposing RDP to the Internet, but when i & # Trying to connect to such a service using xfreerdp, i am asked for a password before i get to the place where the screenshot was taken and then the message 39; error: freerdp_set_last_error ERRCONNECT_LOGON_FAILURE (0x00020014).

I have read that Shodan does not try passwords, it just captures screenshots of accessible targets without credentials
How is Shodan able to capture such screenshots? or what is xfreerdp doing instead of launching RDP display?

sharepoint online – Connect-PnPOnline with the help of ClientId and a self-signed certificate

Does anyone know how Connect-PnPOnline Using Azure AD APP permissions and a self-signed certificate?


  • Generated a self-signed certificate. Registered password
  • Registered an Azure application. Downloaded a certificate on the application
  • Application permissions granted to the application
  • Agreement of the administrator

enter the description of the image here

Now, I'm trying to connect-PnPOnline using the script below:

    $certificatePassword = 'CERTIFICATE_PASSWORD'
    $secureCertificatePass = ConvertTo-SecureString -String $certificatePassword -AsPlainText -Force

    Connect-PnPOnline `
        -CertificatePath "C:...DeploymentApp.pfx" `
        -Tenant `
        -ClientId fff6667e-1141-4bb5-ba3e-eaaf653975c6 `
        -Url `
        -CertificatePassword $secureCertificatePass `

I receive a useless error:

Connect-PnPOnline: an exception was issued by the target of a
invocation. On line: 5 characters: 1
+ Connect-PnPOnline `
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (:) (Connect-PnPOnline), TargetInvocationException
+ FullyQualifiedErrorId: System.Reflection.TargetInvocationException, SharePointPnP.PowerShell.Commands.Base.ConnectOnline

Using the latest PowerShell PnP module: SharePointPnPPowerShellOnline 3.13.1909.0

Can any one recommend anything, please?


Found problem related with no resolution yet.


You can try to easily reproduce my case:

  • Get these scripts on your local folder.
  • Install Azure CLI on Windows.
  • Right-click Register_AD_App.bat and "Run As Administrator".
  • You will be prompted to enter an administrator account for your Azure AD / Office 365.
  • In the end, the application will be saved, consent being granted to the permissions of the SharePoint API.
  • The o365AppDetails.json file containing an automatically generated certificate password will be created. You can use this password for the script of the -CertificatePassword param of the Connect-PnPOnline commandlet.

enter the description of the image here

ubuntu – Certificate failure for self-signed certificate: / when creating a new mail in Rukovoditel 2.5.1

I installed a new Rukovoditel 2.5.1 and after setting up the email account, I found the error in the subject.
Below the configuration details for e-mail:
Receipt of mail
Mail server: mail.domain: 993 / imap / ssl
Password: The password

Mail sending
Use SMTP: No
SMTP server:
SMTP Port: 465
SMTP Encryption: ssl (next to the field, an index "tcp / udp / unix / udg / ssl / tls / tlsv1.0 / tlsv1.1 / tlsv1.2")
SMTP connection:
SMTP password: the password

And this is the output for> dpkg -l | grep -i openssl

root @ server: / home / name # dpkg -l | grep -i openssl
ii libcurl3: amd64 7.47.0-1ubuntu2.13 amd64, easy-to-use client-side URL transfer library (OpenSSL style)
ii libgnutls-openssl27: GNU TLS Library amd64 3.4.10-4ubuntu1.5 – OpenSSL wrapper
ii libxmlsec1-openssl 1.2.20-2ubuntu4 amd64 Openssl Engine for the XML Security Library
ii openssl 1.0.2g-1ubuntu4.15 toolkit Secure Sockets Layer amd64 – encryption utility
ii python-openssl 17.3.0-1 ~ 0 + ubuntu16.04.1 + certbot + 1 all the Python 2 wrapper around the OpenSSL library
ii python3-ndg-httpsclient 0.4.2-1 + certbot ~ xenial + 1 improved HTTPS support for httplib and urllib2 using PyOpenSSL for Python3
ii python3-openssl 17.3.0-1 ~ 0 + ubuntu16.04.1 + certbot + 1 all the Python 3 wrapper around the OpenSSL library
ii ssl-cert 1.0.37 any simple debconf wrapper for OpenSSL
You have a new mail in / var / mail / root

1- Is OpenSL installed or not?
2- Do I have to install openSSL on my server to use the mail server certificate?

linux – Failed to inject git into a self-signed instance of gitlab with the following message: "Unable to load PEM client certificate …. no such file or directory"

I am aware of the existence of this answer, but the answers are not correct. did not work for me.

My configuration

I have a local PFsense firewall in which I created a self-signed root CA, a certification sub-CA signed by the root CA, and a signed gitlab certificate by a sub-certification authority.

On the local gitlab host, a nginx server acting as a reverse proxy is responsible for terminating the ssl connection with clients. It is configured with the certificate and key and works as expected when I https: // to the gitlab instance with my browser.

Again on the gitlab host, I have a repository with commits that I have to push on the gitlab instance on the same host. In the repository The current status of the settings and the current error are as follows:

git config http.sslCAInfo /home/volt/volt-root-ca.crt

ls -al /home/volt/volt-root-ca.crt
-rw-r--r-- 1 volt volt 1428 Jul 25 07:22 /home/volt/volt-root-ca.crt

git push --set-upstream origin master
fatal: unable to access 'https://gitlab.homenetwork/volt/voltT.git/': could not load PEM client certificate, OpenSSL error error:02001002:system library:fopen:No such file or directory, (no key found, wrong pass phrase, or wrong file format?)


I can not post my attempts, it is constantly reported as spam.

Do you have any ideas on how I could continue to debug this?

How to trust a self-signed certificate

According to Why are self-signed certificates not reliable and is there a way to trust them ?, To approve a self-signed certificate, we need to import the root certificate into the trusted browser datastore . Does this mean that I have to distribute to my clients a file, and is it the * .crt file, the * .csr file or the * .key file? What instructions should they follow to import this certificate correctly?

ssl – How to use a self-signed certificate for Visual Studio and IIS Express

I have a site that needs to be accessible via SSL. I use Visual Studio and everything is automatically configured to access the site during development with the help of https: // localhost: port.

Now I have to access the site using the local IP address (, but it does not work. I've used several guides to do it. I have spent several hours, but every time I try to access the site using, a security error is displayed.

Is it possible or not? After many attempts, I wonder if this is really possible in IIS Express.

I love

Authentication – Cross-Signature of Two Self-Signed Root Certification Authorities

I have two self-signed root certification authorities that have been used for separate clusters (say clusters A and B). Both certification authorities are used to sign application certificates in their respective cluster.

However, one of the cluster A applications must access another cluster B application that requires client certificate authentication. The Cluster B application can be configured to trust a certificate authority certificate, which by default is a cluster B root CA.

My initial idea is to have an intermediate cross-certificate authority that will be trusted by the application inside cluster B. This intermediate certification authority will be signed using the root CA of cluster A and the Cluster Root Certification Authority B. Is there a way to do this? he ? Will the application accept the cluster A certificate that is signed only by the cluster A root CA?