Newer versions of OpenSSL reject the certificate returned from https://newhippo.auth0.com/.well-known/jwks.json .
curl -s https://newhippo.auth0.com/.well-known/jwks.json | jq -r .keys[0].x5c[0] | base64 --decode | openssl x509 -inform der -noout -text -in /dev/stdin
unable to load certificate
140174787252288:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:../crypto/asn1/a_int.c:187:
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=serialNumber, Type=X509_CINF
140174787252288:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:626:Field=cert_info, Type=X509
Older versions of OpenSSL correctly show the certificate information:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9096867982294606615 (0x7e3e913b8d4b6317)
It looks like the serial number has the high bit set, as in these other reports:
opened 11:08PM - 15 Jan 18 UTC
closed 11:37PM - 15 Jan 18 UTC
I'm getting a `ValueError: Unable to load certificate` when trying to read a PEM cert. However, after reading and searching in vain I'm unable to determine why I'm getting the error or how to debug. The certificate appears valid, but I don't know how to check that. Any guidance would be appreciated.
On MacOS High Sierra 10.13.2, Python 3.6.4, cryptography 2.1.4 and everything else up-to-date.
```
>>> from cryptography import x509
>>> from cryptography.hazmat.backends import default_backend
cert = x509.load_pem_x509_certificate(open('barberscore.pem', 'rb').read(), default_backend())
>>> cert = x509.load_pem_x509_certificate(open('barberscore.pem', 'rb').read(), default_backend())
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/Users/dbinetti/Repos/pycryptography-test-load-x509/.venv/lib/python3.6/site-packages/cryptography/x509/base.py", line 43, in load_pem_x509_certificate
return backend.load_pem_x509_certificate(data)
File "/Users/dbinetti/Repos/pycryptography-test-load-x509/.venv/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1139, in load_pem_x509_certificate
raise ValueError("Unable to load certificate")
ValueError: Unable to load certificate
```
opened 08:23PM - 01 Sep 17 UTC
closed 08:22PM - 03 Sep 17 UTC
OpenSSL 1.1.0f is unable to decode a certificate:
```
$ openssl x509 -inform pem -in '1914312.crt' -noout -text
unable to load certificate
140735234723840:error:0D0E20DD:asn1 encoding routines:c2i_ibuf:illegal padding:crypto/asn1/a_int.c:187:
140735234723840:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=serialNumber, Type=X509_CINF
140735234723840:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:609:Field=cert_info, Type=X509
140735234723840:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:
```
Older versions of OpenSSL were able to handle this certificate correctly:
```
$ /usr/bin/openssl version
OpenSSL 0.9.8zh 14 Jan 2016
$ /usr/bin/openssl x509 -inform pem -in '1914312.crt' -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)2a:2a:ba:c2:cd:b1:6a:74:80:3a:2f:b8:88:24:42
Signature Algorithm: sha1WithRSAEncryption
[...]
```
For reference, the certificate in question can be found online: https://crt.sh/?id=1914312.
Could a new certificate be added to our tenant?
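As an added check, not part of this thread or of any Auth0 or OpenSSL tooling, the Python below pulls `serialNumber` out of a DER certificate (for example one decoded `x5c` entry) and applies the DER rule behind the "illegal padding" error: a leading 0x00 or 0xFF octet is only permitted when the next octet's high bit would otherwise give the wrong sign, and RFC 5280 additionally requires the serial to be positive. `fake_cert`, `SAMPLE_X5C` and the zero-padded encoding of the serial shown above are constructed assumptions, not data from the tenant's certificate.

```python
import base64

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def serial_number_bytes(cert_der):
    """Return the content octets of tbsCertificate.serialNumber from a DER certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    tag2, tbs, _ = _read_tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version comes first
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return value

def check_serial(raw):
    """Classify INTEGER content octets per DER (X.690 8.3.2) and RFC 5280 4.1.2.2."""
    if not raw:
        return "empty"
    if len(raw) > 1 and raw[0] == 0x00 and not raw[1] & 0x80:
        return "illegal padding"   # leading 0x00 only allowed before an octet with its high bit set
    if len(raw) > 1 and raw[0] == 0xFF and raw[1] & 0x80:
        return "illegal padding"   # leading 0xFF only allowed before an octet with its high bit clear
    if raw[0] & 0x80:
        return "negative"          # minimal encoding, but RFC 5280 requires a positive serial
    return "ok"

def check_x5c(x5c_entry):
    """Check one JWKS 'x5c' entry (base64 of the DER certificate)."""
    return check_serial(serial_number_bytes(base64.b64decode(x5c_entry)))

def _tlv(tag, content):               # short-form DER TLV encoder, only for constructed test data
    return bytes([tag, len(content)]) + content

def fake_cert(serial_content):
    """Constructed stand-in: a Certificate whose tbsCertificate stops after serialNumber."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, serial_content)
    return _tlv(0x30, _tlv(0x30, tbs))

# Hypothetical encoding of the serial shown above with a redundant leading 0x00 (constructed).
SAMPLE_X5C = base64.b64encode(fake_cert(bytes.fromhex("007e3e913b8d4b6317"))).decode()
```

Feeding a real `x5c` value to `check_x5c` tells you whether a JWKS certificate will be rejected by a strict parser before any client hits the error.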
Hey there @neil.gentleman , I wanted to let you know I am looking into this and will relay what I find. Thank you.
After talking with the team it sounds like you worked with Tim on this and had a ticket open in regards to getting this resolved. As not to duplicate effort I will let our support team handle this but will share the resolution here for historical sake. Thanks!
To follow up on this front, it appears the support case was resolved after the tenant signing key had been rotated.
Please let us know if we can be of any help in the future!
system
Closed
November 2, 2019, 2:35pm
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.